Don't Believe the "HIGH"YPE
Microsoft GCC vs. GCC High
Regarding CTI and CUI Specified
It started with a question: “Is CTI always CUI Specified?” We believed the answer was yes, and we worked to confirm it officially. If it is yes, and CTI is the vast majority of the CUI that a DIB contractor would be dealing with, then Microsoft GCC would in fact not be a viable or advisable option. Just as ITAR/Export Controlled data cannot be in GCC, CUI Specified shouldn't be in GCC, and this is not well-known or understood.
The second question that arose is “Does all CUI Specified require US sovereignty?” If not, then you can have CTI that is CUI Specified but does not require US sovereignty. What a CUI rabbit hole we have gone down.
What Microsoft says
Per Microsoft, CUI Specified requires US Sovereignty, which GCC alone does not provide. Only GCC High does.
“We recommend the US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High) for data protection of CUI in alignment with CMMC 2.0 Levels 2-3.” Source: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326
Microsoft article: "Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty"
CUI Effectively Requires Data Sovereignty
Microsoft has prescribed the US Sovereign Cloud with Azure Government and Microsoft 365 GCC High to protect CUI and CDI consistently. Our rationale is that CUI does include ITAR-regulated data, and the DoD requires DFARS 7012 to protect it. We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud. It’s that simple. It’s true that you may demonstrate compliance for CUI in our Commercial or GCC cloud offerings, but you will not get a contractual obligation from Microsoft to protect an aggregate of CUI anywhere else other than in the US Sovereign Cloud. It will be your sole responsibility to prove and maintain compliance for it in other clouds.
Is CTI always CUI Specified?
For CUI, NARA is the definitive source. If you scroll down on the NARA CTI category page, the table shows only a "Specified" line item, whereas the other Defense index categories, e.g. UCNI, show both "Basic" and "Specified".
“If you hold or may hold other types of CUI Specified that require U.S. data sovereignty, you should choose GCC High. Commercial and GCC Moderate cannot support these information types;”
Per 32 CFR part 2002:
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
Controlled Technical Information:
Per DFARS 204.7301: “‘Controlled technical information’ means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.”
Per DoDI 5200.48: During DoD’s initial phased implementation of the CUI Program, there is no required distinction that must be made between Basic and Specified CUI. All DoD information will be protected in accordance with the requirements under the Basic level of safeguards and dissemination unless specifically identified otherwise in a law, regulation, or government-wide policy. Forthcoming guidance will address the distinction between the two levels of CUI, including a list of which categories are Basic or Specified, what makes the category one or the other, and the unique requirements, to include markings, for each.
Although DoD Components are not required to use the terms “Basic” or “Specified” to characterize CUI at this time, DoD Components will apply:
(1) At least the minimum safeguards required to protect CUI.
(2) Terms and specific marking requirements will be promulgated by the USD(I&S) in future guidance.
CUI Specified Defined in Section 2002.4 of Title 32 CFR (DoD is not using this structure in its initial implementation phase.)
What does NARA Say?
We reached out to NARA and other sources to get clarification.
Charlene Wallace (NARA): You are correct (CTI is always CUI Specified), just remember it all boils down to the law, regulation, or government-wide policy (you can find at the bottom of the specific category).
What does Jacob Horne Say?
Jacob Horne (CUI Whisperer): Yes, CTI is always CUI Specified. The reason is that CTI is information that meets the criteria in 252.204-7012. If similar information doesn’t meet the 7012 criteria, then it’s “technical” in nature, but not CTI by definition. If data is CTI then 252.204-7012 paragraphs c) – g) apply and that’s where the discussion around Commercial, GCC, and GCC-H comes in.
CUI Specified doesn’t always require data sovereignty because CUI Specified is just any set of requirements outside of NIST SP 800-171. The IRS has CUI Specified requirements, for example, that don’t require data sovereignty issues. Typically data sovereignty is a matter of export control. Export control is a lot of the data flowing around the DIB, but it’s one small set of CUI and CUI Specified.
So, CTI is always CUI Specified, but whether GCC is enough really comes down to sovereignty. If there are no sovereignty requirements, then GCC is sufficient. The gamble is that you will not deal with export-controlled data or CUI with sovereignty requirements.
Alright, is that it? Please say yes, my brain hurts.
The next CUI Rabbit Hole: “Aggregation” of CUI
Per DoDI 5200.48 5.3.C “DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.”
So using only Microsoft GCC, but accumulating some amount of CUI, could potentially lead to aggregation, which could then be considered classified. Confused yet?