Hi r/CMMC,
First post here, and I have a couple of noob questions...
I often see that the main justification for the high cost of "MSFT GCC" is that data is stored exclusively in US datacenters and operated by US citizens, with some additional requirements.
Looking into the details:
- the only mention of "Required storage of data within the United States or outlying areas" is from the DFARS PGI 239.7602-2, and ties into the definition of Cloud Computing Services:
“Cloud computing” means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.
- in regard to US citizens and background checks, it seems most people agree that is only a requirement that would apply to NOFORN. And importantly, in the case of non-NOFORN CUI:
b. CUI not controlled as NOFORN may be released or disclosed to non-U.S. citizens employed by the DoD if:
(1) Access to such information is within the scope of their assigned duties.
Questions:
- Is it incorrect to understand that if I have a physical server—excluded from the cloud computing definition (i.e., not shared infrastructure, not as-a-service)—running in, let’s say, Canada, I can store CUI data on it?
- Is it correct that MSFT GCC’s background checks exceed the requirements to protect CUI and be compliant with CMMC Level 2, and using Office 365 with data residency set to the USA is sufficient for compliance?
Looking forward to your pointers 🙏