Understanding Cybersecurity Maturity Model Certification (CMMC)
[ZOOM EVENT] Wednesday, June 23, 2021 @ 11AM-12PM ET


By Ken Michael

In response to the need for small to medium businesses contracting with the United States government to achieve cybersecurity requirements, Microsoft has eased its application criteria for purchasing its Microsoft 365 GCC High platform in 2021.

Government regulations including the Cybersecurity Maturity Model Certification (CMMC), the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, and the National Institute of Standards and Technology (NIST) 800-171 require contractors and subcontractors to achieve a minimum level of cybersecurity as part of many contracts. These cybersecurity regulations cover those holding contracts with the U.S. Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA). These requirements are meant to safeguard controlled unclassified information (CUI) and other proprietary data used or developed by suppliers in the Defense Industrial Base (DIB).

What Has Changed?

In the past, the only way government contractors in the DIB could access Microsoft GCC High was by submitting an approved government contract to the Microsoft Government Eligibility Team. That team would review the contract to see whether GCC High was required to meet the terms of the contract under the International Traffic in Arms Regulations (ITAR), CUI, CMMC, or other regulatory requirements. The supplier could also provide a letter from a federal customer validating the company’s contractual obligation and need for GCC High.

Beginning in early January 2021, Microsoft announced federal contract suppliers or businesses in the DIB could begin submitting requests to purchase GCC High in a simpler way. Now companies of all sizes can complete an eligibility application through Microsoft Azure to purchase GCC High before a government contract is even awarded and without having previous performance contracts. This change eliminates a major barrier for smaller businesses looking to bid for government contracts.

Once the applicant receives communication from Microsoft that their application has been processed, they can submit details about their business including the company’s Commercial and Government Entity (CAGE) Code, a five-character ID number used by the General Services Administration (GSA), or their Data Universal Numbering System (DUNS) number. The Microsoft team will then verify the applicant organization in the System for Award Management (SAM) before allowing them to purchase the GCC High program.

According to an online article by the Associated Press, Microsoft elected to add CAGE and DUNS as appropriate options for gaining access to GCC High because both are prerequisites for any business pursuing contracts with the DoD and NASA. Both of these credentials are issued to businesses through a federal vetting process at about the same time a company incorporates and is issued its Tax Identification Number. In other words, a company already having a CAGE or DUNS number demonstrates that it has already been properly vetted by the federal government.

Microsoft also recognized that it needed to ease access for smaller government contractors due to the rollout of the CMMC acceleration program in late 2020. By making it simpler for smaller DIB businesses to access GCC High, Microsoft lets them achieve the cloud security and compliance that CMMC requires much more easily.

Another important change has to do with the categories previously required for GCC High licensing. In the past, government contractors who applied for Microsoft 365 GCC High licensing would ultimately receive notice of their status as a Category 1, 2, or 3 entity. Licensing for GCC High was limited to Category 3 businesses only. Now, businesses in all categories may purchase licensing from an approved GCC High vendor such as Dox Electronics or through an enterprise agreement.

Getting Started with GCC High Licensing

There are a couple of things that have not changed when it comes to becoming eligible for GCC High licensing. Your company must submit an eligibility application to Microsoft Azure Government as a first step. Despite the Microsoft Azure Government name on the application, note that this is the correct application for achieving GCC High licensing eligibility.

You will receive an email within two business days regarding next steps for licensing. If you have further questions for the Microsoft Government Eligibility Team, there is a link on the application website so you can email them directly.

Second, you must share the aforementioned eligibility notice email from Microsoft with your elected GCC High vendor partner, such as Dox, before a formal licensing quote can be provided.

“Katie Arrington of the Office of the Undersecretary of Defense (OUSD) is often quoted stating CMMC is not a checklist or one-time exercise, and organizations must continually mature and adapt to new threats,” said Richard Wakeman, Senior Director of Aerospace & Defense for the Microsoft Azure Global Team, in the AP piece. “Microsoft holds a similar viewpoint in that we aim to regularly release new tools and capabilities to enable compliance and combat new threats. In addition to these tools, our team also strives to ensure Microsoft sovereign cloud offerings are accessible for DIB small businesses.”

Microsoft 365 GCC High & Microsoft Azure Government

Microsoft GCC High is built on Microsoft Azure Government within dedicated data centers within the United States. Azure Government and the GCC High suite are certified to FedRAMP High in addition to other federal cybersecurity regulations. Both platforms and all infrastructure are managed by Americans with completed background checks to further ensure tight security. These Microsoft platforms also meet DFARS and CMMC flow down clauses and reporting requirements. Because of these high standards and quality cybersecurity practices, many companies in the DIB turn to Microsoft GCC High as the best platform for their users and CUI.

Types of Microsoft 365 Licenses

There are four different types of Microsoft 365 licenses available. Each offers different capabilities and meets different cybersecurity compliance requirements. The licensing levels are as follows:
  • Enterprise Licensing
  • Mobility and Security Licensing
  • Operating System Licensing
  • GCC High Licensing
The cybersecurity professionals at Dox can speak with you about the functions of your business to both protect data and meet applicable government regulations. This will help you determine which licensing level best meets the needs of your company.

For more information about regulation compliance and compliance audits, Microsoft GCC High, or improving security for your business, contact Dox Electronics now at (585) 473-7766.