What Is CMMC? 

The Cybersecurity Maturity Model Certification is a cybersecurity standard that will be on DoD contracts. CMMC 2.0 is broken down into 3 levels of certification ranging from basic (Level 1) to advanced (Level 2). Level 3 Assessments will be led by DIBCAC.

What if we Don’t Handle CUI? Do we Still Need to be Certified?

If you do not currently have CUI in your contracts, you may still be required by your prime contractor to have CMMC implemented. It is important to carefully read any contracts with the DoD or with any Prime Contractors for the Dod.

Who does CMMC Impact?

The CMMC level mandated will be stated in the contract information. The majority of contracts will require a Level 1 or Level 2 compliance.

Contracts with FCI exclusively: CMMC Level 1 compliance requirements.
Contracts with CUI: CMMC Level 2 will be required as a minimum.

Prime Contractors are allowed to set contract requirements with their vendors and may require subcontractors to obtain and maintain CMMC even if they are not immediately responsible for Storing, Receiving or Processing CUI.

What are the Costs Associated with CMMC? 

Costs vary widely depending on your infrastructure, internal capabilities and goals. To discuss your CMMC requirements and schedule a complimentary 30 min consultation, email us at cmmc@rolleit.com or call 321-872-7576.

How long does it take to become CMMC compliant?

The timeline depends on:

• Your current security posture
• The complexity of your environment
• Existing gaps in controls and documentation

Many organizations require several months to complete assessment, remediation, and validation phases.

Rolle IT accelerates this process by identifying gaps quickly and providing structured guidance.

How much internal effort is required for CMMC compliance?

CMMC compliance requires involvement from both IT and leadership.

Internal responsibilities often include:

• Policy development and enforcement
• User training and access management
• Coordination of documentation

Rolle IT reduces the operational burden by managing security operations and guiding compliance efforts, while working alongside your internal team.

What is a CMMC MSSP?

A CMMC MSSP provides managed security services aligned to Cybersecurity Maturity Model Certification requirements, including monitoring, incident response, and support for compliance with NIST 800-171.

Do I need GCC High for CMMC Level 2?

Organizations handling Controlled Unclassified Information (CUI) are typically required to operate in GCC High or equivalent environments, depending on contract requirements.

Does monitoring alone meet CMMC requirements?

No. Monitoring is only one part of compliance. Organizations must also demonstrate proper configuration, control implementation, and documented evidence.

---

How do I know if my organization will pass a CMMC assessment?

Most organizations are not fully prepared until they complete a structured gap assessment.

CMMC requires more than having tools in place. Organizations must demonstrate:

• Proper configuration of systems
• Implementation of required controls
• Consistent enforcement of policies
• Availability of audit-ready documentation

Rolle IT is able to evaluate your environment to identify gaps and validate readiness before an official assessment.

What are the most common reasons companies fail CMMC assessments?

Common causes include:

• Misconfigured security controls
• Incomplete logging and monitoring
• Gaps between policies and actual implementation
• Lack of documented evidence

Even organizations with strong security tools often fail due to configuration and documentation gaps.

How does Rolle IT support audit readiness?

Rolle IT combines managed services with validation to provide structured reporting and evidence aligned to CMMC assessment objectives.

How is Rolle IT different from other CMMC compliant MSSPs?

Most MSSPs focus on monitoring and threat detection.

Rolle IT combines managed services with validation using CARI and ARCH to:

• Correlate data across tools and systems
• Identify hidden gaps and misconfigurations
• Validate control implementation
• Provide audit-ready evidence

This ensures your environment is not just monitored—but proven to be compliant.

How does Rolle IT validate compliance beyond standard MSSP services?

Rolle IT uses its CARI platform and ARCH engine to analyze:

• System configurations
• Security telemetry
• Vulnerability data
• XDR and endpoint activity

This allows us to confirm whether controls are implemented correctly and aligned to CMMC requirements.

The result is a defensible, evidence-based view of your compliance posture.

What happens after we complete an assessment with Rolle IT?

After an assessment, your organization receives:

• A clear view of compliance gaps
• Prioritized remediation actions
• Guidance on aligning systems to CMMC requirements

With ongoing MSSP support and validation through CARI, your team can track progress and maintain compliance over time.

What does a CMMC MSSP not cover?

A CMMC MSSP supports monitoring, security operations, and compliance alignment.

However, compliance also depends on:

• Internal policies and procedures
• User behavior and training
• Organizational processes

Rolle IT works alongside your team to support these areas, but full compliance requires coordination across both technology and organizational controls.

GCC High Eligibility and Requirements

Who is eligible to use Microsoft GCC High?

Microsoft GCC High is available only to organizations that meet strict eligibility requirements tied to U.S. government work.

Eligible organizations typically include:

• U.S. federal, state, local, or tribal government entities
• Defense contractors and organizations in the Defense Industrial Base (DIB)
• Companies handling Controlled Unclassified Information (CUI) or other regulated government data

Organizations must demonstrate a valid government use case and a need for elevated compliance controls.

What data requirements qualify an organization for GCC High?

Organizations must be handling government-controlled or regulated data, such as:

• Controlled Unclassified Information (CUI)
• Federal Contract Information (FCI)
• Export-controlled data (ITAR / EAR)
• Covered Defense Information (CDI)

GCC High is specifically designed for environments where these data types require strict access, residency, and compliance controls

What documentation is required to qualify for GCC High?

To gain access to GCC High, Microsoft requires organizations to complete a validation process and provide supporting documentation, which may include:

• A signed government contract indicating handling of regulated data
• A sponsorship letter from a qualified government entity
• Proof of government affiliation or engagement
• Domain and tenant verification

Additional requirements may include a CAGE code or SAM.gov registration depending on the organization

What is the Microsoft GCC High validation process?

Before purchasing GCC High licenses, organizations must complete Microsoft’s validation process.

Rolle IT helps clients through this process. This process includes:

1. Submitting a validation request to Microsoft
2. Providing documentation to prove eligibility
3. Receiving approval for GCC High access
4. Working with an authorized provider to provision licenses

Microsoft uses this process to ensure only qualified organizations can access the government cloud environment.

Can any company purchase GCC High licenses?

No. GCC High is not available for general commercial use.

Organizations must first be validated by Microsoft and demonstrate:

• A legitimate government or defense-related use case
• Handling of regulated or controlled data
• Alignment with federal compliance requirements

Without validation, organizations cannot purchase or deploy GCC High services

Does having a government contract automatically qualify you for GCC High?

Not necessarily.

While a government contract is often required, Microsoft evaluates:

• The type of data being handled
• The regulatory requirements involved
• Whether GCC High is necessary to meet compliance obligations

Organizations must demonstrate both eligibility and need during validation.

How does Rolle IT help with GCC High eligibility and validation?

Rolle IT supports organizations through the GCC High validation process by:

• Guiding organizations through Microsoft’s approval process
• Preparing environments for CMMC compliance after approval

This ensures your organization can successfully access GCC High and use it correctly for compliance.