Securing GCC High

A System Architect's Blueprint for CMMC Level 2 Compliance

Phase 1: Scoping

Goal

Before configuration, you must understand where your Controlled Unclassified Information (CUI) lives, who interacts with it, and which third parties are responsible for its protection.

Chapter 1: CUI Data Flows & Business Applications

  • Mapping how CUI enters, moves through, and exits your business applications (Email, ERP, SAFE exchange).

Chapter 2: People, Technology, and Processes

  • Identifying CUI Assets, Security Protection Assets (SPA), and Contractor Risk Managed Assets (CRMA) to define what the auditor will actually look at.

Chapter 3: External Service Provider (ESP) Management

  • Inventorying third parties (MSPs, SaaS tools) and validating FedRAMP Moderate Equivalency.

Chapter 4: Contractual Ingestion & LOB Strategy

  • Analyzing DoD contract flow-downs (DFARS 7012) and how lines of business identify CUI at the start of an award.

Phase 2: Identity

Goal

Secure the "Who" (Identity) before building the "What" (Infrastructure).

Chapter 5: Sovereign Cloud Considerations

  • Commercial vs. GCC High: The decision matrix (when to stay vs. when to migrate). GCC High as a de facto standard.
  • Constraints and Gotchas: AOS-G purchasing (why you can't use a credit card), feature parity, and timeline expectations.

Chapter 6: Identity Foundation

  • Cloud Strategy: Cloud-Only vs. Hybrid (less AD FS complexity ==> more security).
  • Access Governance: Privileged Identity Management and Entitlement Management for US-Person-only approval workflows.
  • Cross-Tenant Collaboration: Cross-tenant access notes and gotchas (e.g. cross-cloud B2B OFF by default, DNS records).

Chapter 7: Conditional Access

  • The "CMMC Baseline": Geo-blocking, MFA enforcement, and "Require Compliant Device."
  • Auditor’s View: Documenting "break-glass" accounts for the assessor.

Phase 3: Devices

Goal

Define "Where" CUI lives to minimize the audit scope.

Chapter 8: The Virtual Desktop Strategy (AVD)

  • Strategic Pivot: Using Azure Virtual Desktop to avoid managing physical endpoints.
  • Technical Deep Dive: "Screen Capture Protection" and Watermarking on Session Hosts.
  • GCC High Gap: Managing RDP Shortpath and multimedia redirection in Azure Gov regions.

Chapter 9: Endpoint Architecture & Onboarding

  • The "Build" Phase: Designing the boundary, identity trust, and enrolling devices.
  • Product Focus: Config Profiles for BitLocker (FIPS mode), Firewall, and EDR onboarding.

Chapter 10: Endpoint Operations & Compliance

  • The "Run" Phase: Patching, threat defense, and audit evidence.
  • GCC High Gap: Mobile Application Management (MAM) requires the specific "Government" variants of apps (e.g., Outlook for Government) to function correctly.

Phase 4: Data

Goal

Encrypt and tag CUI wherever it travels.

Chapter 11: Data Architecture

  • Taxonomy Design: Public vs. Internal vs. CUI-Basic vs. CUI-Specified.
  • GCC High Gap: The "Unified Labeling Client" is deprecated; you must use the built-in Office labeling client, which has different feature parity in Gov Cloud.

Chapter 12: Data Enforcement & Monitoring

Chapter 13: Threat Defense (Defender XDR)

  • Gap Filled: Defender for Cloud Apps (MDCA). Detecting "Shadow IT" (CUI -> Gmail).
  • Constraint: MDCA in GCC High has fewer 3rd-party API connectors than Commercial.

Chapter 14: Secure Collaboration (Teams & Exchange)

  • Architecture: Private Channels vs. Shared Channels for CUI segmentation.
  • Critical Constraint: Teams Voice. Microsoft Calling Plans are unavailable in GCC High; you must implement "Direct Routing" or "Operator Connect for Gov" to get a dial tone.

Phase 5: Monitoring

Goal

Prove to auditors that you are watching.

Chapter 15: SIEM (Microsoft Sentinel)

  • Why: M365 logs are not enough for "Automated Analysis" (AU.L2-3.3.1).
  • GCC High Gap: Missing Data Connectors. How to route alerts when a native connector (like MDCA) is missing in Gov Cloud.

Chapter 16: Purview Audit and Data Lifecycle Management

  • Technical Deep Dive: "Audit (Premium)" to capture MailItemsAccessed (forensics).
  • Critical Gap: Default log retention is too short. Configuring Diagnostic Settings to stream logs to Azure Storage for the required 1-year retention.

Appendices

Goal

Mappings and worksheets to help you pass your CMMC audit.

Appendix A: CMMC Level 2 Technical Controls

  • Why: Maps CMMC technical controls to Microsoft tech and chapters in this book.
  • GCC High Gap: Purview provides a list; this book provides a roadmap.