KTL

Getting CMMC Level 2 Complaint With ITAR in Your Environment

Written by Alec Toloczko

As CMMC becomes more and more of a reality for DoD contracts, many organizations are struggling to quickly become complaint. This article will provide an overview of the steps that companies handling ITAR or EAR data will need to take in order to achieve CMMC level 2 compliance via the Microsoft tech stack.

Environment

If you have an On-Prem or commercial environment today and are handling ITAR or EAR data, you will need to be in a Microsoft GCC-H environment. There are two ways you can achieve this.

The first is to set up a “greenfield” environment where users would essentially start from scratch, with no prior email history or historical records.

The second option is to migrate your data from On-Prem or commercial to GCC-H. The second option is the more expensive of the two. However, the users would retain all their previous data they had on-premise or in their commercial tenant.

Licensing

Once you have decided on GCC-H, the next step is to find the correct licensing that, once fully configured, can comply with CMMC level 2. There are two options here as well.

The first is to get all users an M365 E5 license. This would satisfy all the technical controls of CMMC 2.0 and include features such as Defender for Office Plan 2, Entra ID Plan 2, Intune Plan 1, Defender for Endpoint Plan 2, DLP, and more.

The second option, and the one that KTL recommends to 95% of GCC-H clients, is M365 E3 with M365 E5 Security Add-on. Similar to the E5 license this model will satisfy the technical controls of CMMC 2.0 while not costing as much as the full E5 license.

So, what do you miss out on when you go with E3 & E5 Security? Power BI & Teams phone is the only notable difference. You would not miss out on any of the compliance requirements or technical controls.

SSP

A System Security Plan has been a NIST 800-171 requirement since 2016. It is also a requirement for DFARS clause 7012, DFARS 7019, and CMMC. So what is an SSP?

An SSP is a detailed description/overview of an organization’s cybersecurity plan. The SSP provides a clear picture of the security requirements and how an organization implements, reviews, and protects these controls.

To be in compliance, an SSP will need to be regularly reviewed by a cybersecurity team to ensure all policies & producers are up to date and all technical controls are being satisfied.

Did you know KTL Solutions offers a no-cost CMMC consultation? Click here to learn more.

KTL

Getting CMMC Level 2 Complaint With ITAR in Your Environment

Share this post

Tags

Recent Posts

Categories

Related Posts

Hosting Microsoft Dynamics GP on Azure: Is It Right for You?

Checking Your CMMC Progress

Dynamics 365 Customer Engagement or ExpandIT?

Sisterhood of the Traveling Microsoft Partners: My Story From CIC 2024

Closing the CMMC Knowledge Gap: Why IT Professionals Need Specialized Training

Navigating the Cosmos of Copilot

CUI-CON 2024: Navigating My First Tech Conference as a Security and Compliance Analyst

KTL 360: Managed Services for the Modern SME

Product Comparison: Dynamics 365 Business Central and Sage Intacct Licensing

To Infinity and Beyond: Microsoft’s Copilot Soars Among the Clouds

Fact or Fiction? CMMC Steps up to the Plate

Compliance Cotton-Headed Ninny Myths: Separating the Real from the Make-Believe

Multi-Platform Reporting Made Easy: Popdock by eOne Solutions

CMMC Proposed Rule: What’s New?

Women Belong in Tech: NC Women in Tech Conference

Getting CMMC Level 2 Compliant With ITAR in Your Environment

NIST SP 800-171 Rev 3 Final Public Draft: The New Requirements

Three Factors to Consider in Your ERP Hunt

Fathiya’s Top 3: Takeaways From My Start at KTL Solutions

National Cyber Summit: Our Takeaways From One of the Year’s Best Events

Quick Links

About

Newsletter