How GCC-High and a VDI Environment Can Help Clarify your Scope for Meeting CMMC Requirements

October 7, 2021 Redspin, Inc.

In this 2nd installment, we break down a lesson learned about scoping environments. When preparing for a CMMC assessment, whether it be Level 1 or Level 3, we at Redspin advise organizations seeking certification to:

Clearly define the boundaries dictating where CUI is stored, processed, and exchanged.

You can't adequately protect data without knowing where it lives and breathes. Defining the boundaries that indicate where CUI is stored, processed, and exchanged will ease the assessment process as well as ensure your organization's CUI is protected. As an organization seeking a Level 3 assessment ourselves, Redspin designed its secure enclave using a zero-trust perspective to isolate CUI from the rest of the company. This was accomplished using Microsoft 365 Government (Microsoft GCC-High) and Microsoft Virtual Desktop Infrastructure (VDI) as the foundation for implementing a secure enclave that meets CMMC Level 3 requirements.

What is Microsoft GCC-High?

While GCC-High is not required for any CMMC maturity level, it is highly recommended that GCC-High be incorporated into the design of the CUI secure enclave for those organizations seeking CMMC certification for CMMC Level 3.

There are three versions of the Microsoft platform:

  1. Commercial
  2. GCC 
  3. GCC-High

All versions will meet CMMC and standard NIST SP 800-171 requirements. However, GCC-High is a requirement for those who must meet the ITAR regulation, and it ensures the support personnel are US-based. Additionally, the use of GCC-High provides access to Azure Government rather than Azure Commercial, which provides additional functionality to meet the strict CMMC requirements. And finally, when considering the longer term, there may be a time that GCC-High, as one solution, might be required.

[Figure: Microsoft 365 Government (DoD)]

Figure footnotes:

  * Equivalency, supports accreditation at noted impact level
  ** Equivalency, PA issued for DoD only
  *** Organizational Defined Values (ODVs) will vary
  ^ CUI Specified (e.g. ITAR, Nuclear, etc.) not suitable REQS US Sovereignty

What is VDI?

Virtual desktop infrastructure (VDI) is, as its name implies, a virtual desktop/computer environment that runs within a software environment called a hypervisor, on a central server. These virtual desktop environments can be accessed by users using a range of methods including web browsers, software-based VDI clients, or hardware-based VDI clients, depending on the specific requirements of the organization. Configured correctly, this will allow the user to see and manipulate data without the ability to locally store or print the information. Sensitive data is only stored within the central server(s) being connected to by the VDI through the VMs. For CMMC, this becomes key: remote users will still have access to view CUI data without having CUI data on their devices, which can expand an organization’s overall CMMC scope.

How did Redspin design and implement these solutions?

Redspin took a zero-trust approach when designing the environment. Utilizing a combination of technical and administrative controls, the environment was able to be “locked down” to only the access and communication required for operational necessity. Baselining the environment as much as possible on several DoD and DISA implementation requirements, coupled with the use of a FedRAMP-approved solution backup, allowed Redspin to benchmark against a number of more stringent control requirements.

What benefit will this have when undergoing the CMMC Level 3 assessment?

Through the utilization of GCC-High and VDI, Redspin was able to create a self-contained enclave that limits access to only those with a valid need-to-know. In doing so, it provides an additional layer of protection and portability. In terms of protection, if a physical access device is lost, the data is still protected, as it cannot be pulled directly from the enclave. Additionally, this implementation allows not only the physical device to be “bricked” if lost, but also the specific VDI assigned to a particular user to be disabled. One of the concerns CMMC identifies is the protection of CUI data when utilizing mobile devices. The use of GCC-High and VDI provides not only the ability to lock down which specific mobile apps are allowed access, but also the assurance that if a web browser is utilized on a mobile device to access the enclave, the same protection mechanisms are still enforced.

How Redspin Can Help

If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on readiness, documentation, or training, click the button below to schedule a call.


Additional CMMC resources can be found on our website.

The Redspin Team

© Copyright 2021 Redspin - A Division of CynergisTek

About the Author

Redspin, Inc.

Redspin is a leading provider of risk assessments using various frameworks including NIST CSF, CMMC-AB, ISO 27001, PCI DSS, and healthcare cybersecurity consulting. We’ve helped many Fortune 500 and leading growth companies in highly regulated industries including government, financial, technology, and manufacturing improve their cyber readiness and resiliency through a strategic and proven approach to reduce cyber risks and safeguard sensitive information.
