President and CISO
KLC Consulting, Inc.
CISSP, CSSLP, CISA, CDPSE, CIPP/US, CIPP/G, ISO 27001 Lead Auditor
CMMC with Microsoft Azure discussion points:
I still receive questions about which versions of (Microsoft) Azure support CMMC, NIST 800-171, and DFARS 252.204-7012:
- Is Azure Commercial sufficient for FCI and CUI?
- Will we need Azure Commercial or GCC for CUI?
- Do we need Azure GCC High for CUI?
In short – it depends:
Federal Contract Information (FCI): Requires CMMC Level 1 – Azure Commercial meets compliance requirements.
Controlled Unclassified Information (CUI) without ITAR or Export Controlled Information: Requires CMMC Level 2 or 3 – Azure GCC meets compliance requirements.
CUI with ITAR or Export Controlled information: Requires CMMC Level 2 or 3 and compels Azure GCC High because of U.S. Sovereignty and U.S. person operations support requirements.