Introduction
Many aerospace and defense contractors assume that migrating to Microsoft 365 Government Community Cloud (GCC) High makes them NIST SP 800-171 compliant. It does not. GCC High is a hosting environment that requires substantial customization, configuration, and ongoing management before it satisfies any of the requirements.
The platform can help protect data stored inside it, but it cannot deliver full compliance on its own, and it offers nothing for data that is accessed or modified outside of GCC High. This post looks at which controls a properly configured GCC High tenant can help fulfill and what else a company must do to reach full NIST 800-171 compliance.
What NIST 800-171 Controls Can GCC High Fulfill?
A common misconception among aerospace and defense contractors is that moving to GCC High automatically makes them compliant with NIST SP 800-171 or the DFARS 252.204-7012 cybersecurity requirements. As with a commercial Microsoft 365 license, GCC High fulfills no NIST SP 800-171 requirement out of the box. A company should treat GCC High as one input to its security and compliance program, not as the program itself.
Buying a GCC High license and migrating data into the tenant does not make that data compliant. After the purchase, a significant amount of configuration must be done (identity and access policies, audit logging, encryption settings, device and session restrictions) and then maintained, because each requirement is met by how the tenant is set up and operated, not by the license. The contractor remains the owner of its System Security Plan and is the party that has to demonstrate each control to an assessor.
GCC High Can Only Make Data Stored in GCC High Compliant
Even once the tenant is properly configured, GCC High only covers data that stays inside the Microsoft 365 environment. It is one of many systems a company must keep compliant.
Any workstation, server, operational technology, or other information system that stores, processes, or transmits Controlled Unclassified Information is in scope. Those systems need their own controls, implemented with tools outside of GCC High, before the company can claim NIST 800-171 compliance.
Here is a common scoping example:
Two employees at a company are emailing CUI back and forth inside a properly configured and maintained GCC High environment. One of them downloads the attachment to their computer, edits the CUI locally, and emails the result back. The moment the file was saved to the workstation, the data left the GCC High boundary. To be NIST 800-171 compliant, the company must now show that the workstation itself meets the requirements (access control, encryption of CUI at rest, audit logging, configuration management, and so on). GCC High alone does nothing for that computer.
In this situation the company should use GCC High together with endpoint services and controls that bring its computers into compliance, and its system boundary in the System Security Plan should include those computers.
Third-party assessors Atomus has worked with, including major prime contractors and provisional C3PAO firms, have been very skeptical of companies saying all their data is kept within GCC High.
It is possible to do, but only if business processes don't require making derivative information or editing CUI. Very few companies in the Defense Industrial Base are able to do this and it requires consultation with a cybersecurity professional.
What Percentage of Controls Can GCC High Fulfill?
The honest answer depends on how the company scopes its CUI environment. If it keeps all of its CUI inside GCC High, and the tenant is properly set up, maintained, and monitored, GCC High can help fulfill roughly 80% of the NIST 800-171 requirements. That figure covers only the technical requirements. To be fully compliant, the company must pair the technical controls implemented in GCC High with physical security and with policies and procedures that employees actually follow.
That scoping does not hold for the vast majority of companies in the defense industrial base, because their work requires downloading CUI files to computers, which immediately pulls those computers into scope.
If you have any other questions about GCC High, feel free to schedule a time to talk with one of our experts today.