With over 350,000 companies needing to become compliant with the DoD's new CMMC requirements, many questions have been raised. What is it? Why do I need it? We've answered these more general questions in previous blogs. Here, we'll be tackling the question: Do I need GCC High to be CMMC compliant?
The short answer: no. While you don't technically need GCC High to become CMMC compliant, think of it more as a shortcut. GCC High provides added security measures compared to the Commercial and GCC cloud environments. However, GCC High is more restrictive than the CMMC mandate requires, which can limit functionality for many businesses not leveraging Microsoft 365 Commercial cloud.
GCC High was designed to meet the cybersecurity requirements of NIST 800-171, FedRAMP High, and ITAR, all of which handle the management of sensitive data. Therefore, GCC High's attributes include being supported by background-checked U.S. citizens and ensuring that all data is stored within U.S. data centers. Because of the nature of these standards, GCC High does miss out on a few Microsoft apps and features found in the GCC and Commercial clouds. Then there are the extra per-month/per-user costs, which more than double (or triple) with GCC High compared to Microsoft 365 Commercial.
It's important to note that both GCC and Commercial environments can be configured to be CMMC compliant. This means your business gets access to the latest and greatest technology that Microsoft 365 offers, all while being compliant with CMMC requirements.
With that being said, opting for GCC High can save your organization time in the short term in getting CMMC compliant, but limit you in the long term due to the unnecessary restrictions. It is important to speak to an experienced consultant so you can weigh all of your options. Bravo has a proven track record of getting many organizations to the cloud and securing their environments against various compliance mandates.