What is Microsoft Office 365 GCC High and Do I Need It?
by Blake Cormier, Content Manager, E-N Computers
Microsoft 365 is a great choice for a powerful, secure cloud collaboration solution that can empower your business to work from anywhere. But with the upcoming rollout of the Cybersecurity Maturity Model Certification (CMMC), which will introduce new compliance requirements for DoD contractors and subcontractors, you may be wondering whether it’s secure enough to pass muster for handling Controlled Unclassified Information (CUI). You may also have heard of another version of Office 365 that’s intended to meet stringent government security requirements, called GCC High.
At E-N Computers, we’re currently helping several of our clients to get ready for CMMC through preliminary assessments and implementation of the 130 practices required for certification. Since many of our clients rely on Microsoft 365, we are helping them to make sure that their cloud resources are secure and compliant as well.
In this article, you’ll learn what Office 365 GCC High is and how it’s different from other MS365 options. You’ll also learn whether GCC High is a requirement for CMMC certification and what alternatives there are. Finally, we’ll discuss how GCC High pricing compares with other MS365 versions.
What Is Office 365 GCC High?
Government Community Cloud (GCC) and GCC High are specific service offerings of Azure cloud services and the Microsoft 365 and Office 365 suite designed to ensure compliance with various federal information and cybersecurity regulations. They are available to government agencies and private organizations that are required to comply with regulations such as CMMC, FedRAMP High, DFARS 7012, ITAR, or CJIS Policy.
How is MS365 Government Different from MS365 Commercial?
The main difference between Microsoft 365 Government and Microsoft’s commercial offerings is that all data for MS365 Government is stored within the U.S. in dedicated Azure Government datacenters. Access to Azure Government data and datacenters is limited to screened, background-checked Microsoft employees, and even these employees have no standing access to customer data; access must be requested each time it is needed.
Most features and services available to commercial MS365 tenants are also available in GCC and GCC High; however, some application features that rely on internet-based services are not. In addition, new features may roll out to Government tenants more slowly, or not at all, because of compliance constraints.
Finally, the purchasing process is different. While commercial MS365 licenses can be purchased from a number of vendors, MS365 Government must be purchased directly from Microsoft or a limited number of channels. Organizations must go through a screening process to ensure eligibility, and this has to be renewed each year.
How is Microsoft 365 GCC Different from GCC High?
While both GCC and GCC High are part of MS365 US Government, they are designed to comply with different sets of regulations. GCC is intended for criminal justice (FBI) and tax (IRS) data compliance standards, while GCC High is intended for DoD regulations. Microsoft will only agree to contractual language involving DFARS 7012 and ITAR compliance for GCC High customers.
There is a third Microsoft 365 Government tier called DoD. It is nearly identical to GCC High; in fact, the two share a service description page and are usually mentioned together in documentation. MS365 DoD is only available to the DoD itself, not to contractors. Because GCC High and DoD meet the same security standards, data can be shared between tenants in the two environments, including via B2B federation.
Do I Need Office 365 GCC High for CMMC Certification?
The short answer is not necessarily. It’s certainly possible to configure a commercial or GCC MS365 tenant so that it complies with all NIST SP 800-171 controls and certain CMMC levels. Even so, there are several good reasons to consider a move to GCC High as part of your CMMC compliance strategy.
Simplified Management: A number of services and features included in commercial MS365 and GCC do not comply with CMMC, NIST 800-171 or DFARS 7012. These must be identified and disabled, and then monitored so that they stay disabled. There is also always the possibility that a future feature or settings change could introduce new compliance issues. With GCC High, you can reasonably expect that this won’t happen.
Information Sharing: As mentioned, GCC High users can only share data and use B2B federation with other GCC High and DoD users and organizations. If you are a prime contractor, or you’re a subcontractor whose prime is on GCC High, it will greatly simplify data sharing if you are also on GCC High.
ITAR and NOFORN Compliance: GCC High is the only environment with a guarantee that only U.S. citizens will ever have access to your data. If any data you handle is subject to ITAR, GCC High is really your only option. Even unintentional ITAR violations can and will cost your company in fines and lost contracts.
Better Accountability: With GCC High, Microsoft is able to offer contractual guarantees that their infrastructure meets DoD regulatory requirements. Having this well-defined accountability is critical when dealing with complex requirements such as CMMC.
What Are the Downsides to GCC High?
GCC High offers many advantages to companies seeking CMMC certification. But it’s not without its challenges. These downsides will need to be weighed against the benefits as you decide whether GCC High is right for your organization.
Information Sharing: As mentioned, GCC High users can only share data and documents with other GCC High and DoD tenants. If your business has significant operations that are not involved with DoD contracting or CUI, this could be a problem if outside sharing or B2B federation is an important part of your workflow.
Feature Limitations: Carefully examine the features that are missing from GCC High and consider the impact of not having them. This is especially important if you already have a commercial or GCC MS365 tenant. While it’s true that many of the missing features are incompatible with CMMC or DFARS 7012, this isn’t always the case. Again, the needs of the non-CUI parts of your business should be taken into account.
Limited Third-Party Integrations: Because data sharing is limited from GCC High, many popular third-party Office 365 tools simply won’t work. You should inventory any integrations already in use and make plans to migrate away from them before moving to GCC High.
Will Buying GCC High Automatically Make Us Ready for CMMC?
Again, the short answer is no. Like any tool, GCC High requires proper setup and ongoing management to ensure compliance with CMMC. Microsoft can only guarantee that its own practices and infrastructure comply with the regulations. While GCC High offers some guardrails, it is not a turnkey solution for CMMC certification; you are still responsible for configuring and operating it in a compliant way.
Microsoft offers a number of cloud-based security products for GCC High customers that can help your organization comply with CMMC. These include Enterprise Mobility & Security (EMS), Azure Information Protection (AIP), Microsoft Cloud App Server, and Microsoft Defender. These products are also hosted in Azure Government datacenters. Again, with proper configuration, these tools can satisfy a number of CMMC and NIST 800-171 controls.
How Much Does Microsoft 365 GCC High Cost?
GCC High is available as Microsoft 365 F3, E3, and E5 licenses, or Office 365 F3, E1, E3 and E5 licenses. As with MS365 Enterprise offerings, the “Microsoft 365” flavor includes additional security and device management features, as well as a Windows 10 Enterprise license, while the “Office 365” version is limited to the Microsoft Office suite, Exchange, and collaboration features. The F1 and F3 licenses do not include the desktop version of Office programs.
As you would expect, there is a premium for GCC High over the commercial versions of Microsoft 365. The price difference includes the additional overhead involved with ensuring compliance with DFARS 7012 and ITAR and maintaining separation between Azure Government and commercial operations.
For Microsoft GCC High licenses, you can expect to pay an average of 50% more than the retail price of the equivalent Enterprise license. F1 and F3 licenses are somewhat less expensive at around 15% more than their commercial counterparts.
Is MS365 GCC High Worth It?
This question will need to be considered in the broader context of your business and IT strategy. For many contractors, the increased cost and feature limitations will easily be justified by the compliance features and ability to share data with the DoD and other GCC High organizations. For others, particularly those who do a lower volume of contract work or are only targeting a CMMC Level 1 certification, other options may be more cost-effective overall.
How Do I Purchase Office 365 GCC High?
Up until 2018, GCC High was only available directly from Microsoft via an Enterprise Agreement, which has a minimum of 500 users. In view of the tightening controls for contractors handling CUI at all levels of the supply chain, Microsoft began selling GCC High licenses to smaller customers through select partners. However, your eligibility for GCC High must be verified directly with Microsoft before a purchase can be made.
While E-N Computers isn’t a Microsoft AOS-G (Agreement for Online Services – Government) partner, we have established a relationship with one to help our clients procure GCC High licenses. We can help you decide whether GCC High is right for you and plan your migration.
If you’d like to learn more about the latest CMMC requirements, be sure to read our Ultimate Guide to CMMC. It includes an overview of what we know so far about CMMC and when it’s going to be implemented.
Or if you need to know how ITAR will affect your IT strategy, read What is ITAR Compliance? for an overview of the technology issues it creates and how you can solve them.
We are also offering free CMMC strategy consultations to Virginia companies that need help with compliance and certification. Book your 30-minute, no-obligation strategy session today to learn about the next steps you need to take toward certification, and how a partner like E-N Computers may be able to help.