by Blake Cormier
Content Manager, E-N Computers
Microsoft 365 is a great choice for a powerful, secure cloud collaboration solution that can empower your business to work from anywhere. But with the upcoming rollout of the Cybersecurity Maturity Model Certification (CMMC), which will introduce new compliance requirements for DoD contractors and subcontractors, you may be wondering whether it’s secure enough to pass muster for handling CUI. You may also have heard of another version of Office 365 that’s intended to meet stringent government security requirements, called GCC High.
At E-N Computers, we’re currently helping several of our clients to get ready for CMMC through preliminary assessments and implementation of the 130 practices required for certification. Since many of our clients rely on Microsoft 365, we are helping them to make sure that their cloud resources are secure and compliant as well.
In this article, you’ll learn what Office 365 GCC High is and how it’s different from other MS365 options. You’ll also learn whether GCC High is a requirement for CMMC certification and what alternatives there are. Finally, we’ll discuss how GCC High pricing compares with other MS365 versions.
GCC and GCC High are Microsoft 365 service offerings designed to meet various Federal data security regulations, including CMMC and DFARS 7012. GCC High includes additional controls that make it suitable for protecting export-controlled CUI at CMMC Level 2 or above.
What Is Office 365 GCC High?
Government Community Cloud (GCC) and GCC High are specific service offerings of Azure cloud services and the Microsoft 365 and Office 365 suite designed to ensure compliance with various federal government information and cybersecurity regulations. They are available to government agencies and private organizations that are required to comply with regulations such as CMMC, FedRAMP High, DFARS 7012, ITAR, or CJIS Policy.
How is MS365 Government Different from MS365 Commercial?
The main difference between Office 365 US Government and Microsoft’s commercial offerings is that data for Office 365 Government is segregated from commercial Office 365 data.
Data for GCC is located in a separate “enclave” of the Azure Commercial cloud, while the GCC High and DoD offerings are housed in a completely separate Azure Government environment called the “US Sovereign Cloud”, which is 100% located within the US and is supported only by screened and background-checked US persons.
Most features and services available to commercial MS365 tenants are also available in GCC and GCC High; however, there are exceptions for some application features that rely on internet-based services. Additionally, future features may be slower to roll out to Government tenants, or may not become available at all, due to compliance issues.
How is Microsoft 365 GCC Different from GCC High?
While both GCC and GCC High are part of MS365 US Government, they are designed to comply with different sets of regulations. This is reflected in which datacenters they use and which Microsoft personnel can provide support. GCC is built on top of Microsoft’s commercial datacenters and global Azure services. While the Government “enclave” ensures that GCC data is stored within the continental United States (CONUS), some services available in GCC use data processing that occurs outside the US. Additionally, GCC uses the same global support model as Commercial, meaning that non-US persons will be involved in supporting GCC tenants, and thus could have access to GCC data at times.
In contrast, GCC High was designed for the needs of the Defense Industrial Base (DIB). It uses dedicated datacenters in the continental US and is supported solely by cleared US persons. Unlike GCC, GCC High includes a contractual guarantee that no data will leave the United States and that only US Persons will ever have access to GCC High data.
Compliance. As of 2021, GCC includes support for DFARS 7012, and can meet the requirements for CMMC certification. However, if you are subject to ITAR or handle controlled defense information (CDI), you will need GCC High to ensure that your information remains in the US and is only accessible by US persons.
Interoperability. In order to maintain compliance, GCC High lacks some of the features and integrations available to commercial and GCC customers. The exact features that are available change often, so it’s best to make use of Microsoft’s official service descriptions. GCC High organizations can share data with other GCC High and DoD tenants, but not with GCC or commercial ones.
Pricing. Microsoft 365 GCC pricing matches pricing of the Commercial version. Compared to a GCC solution, GCC High can easily be 50% more expensive. As mentioned above, it runs on dedicated US infrastructure and support personnel, both of which are more expensive to maintain. Additionally, organizations that move to GCC High often end up licensing more features, like eDiscovery and Enterprise Mobility and Security, to achieve the higher level of compliance they are seeking.
Purchasing. While commercial and GCC MS365 licenses can be purchased from a number of vendors, GCC High must be purchased directly from Microsoft or a limited number of channels. Organizations must go through a screening process to ensure eligibility, and this has to be renewed each year. Additionally, organizations must pay for a year of GCC High licenses up front — there is no month-to-month option available.
Ultimately, you should be absolutely sure that you need to meet the stringent security and compliance requirements around ITAR, CUI, and CDI before committing to GCC High.
What is Microsoft 365 DoD?
There is a third Microsoft 365 Government tier called Microsoft 365 DoD. It is a nearly identical offering to GCC High; in fact, the two share a service description page and are usually mentioned together in documentation. MS365 DoD is only available to the DoD itself, not to contractors. But because GCC High and DoD meet the same security standards, data can be shared between tenants in the two environments, including via B2B federation.
Do I Need Office 365 GCC High for CMMC Certification?
The short answer is not necessarily. Since 2021, Microsoft has agreed to include contractual guarantees for DFARS 7012 compliance for FCI and some categories of CUI for GCC tenants. This means that GCC generally meets the requirements of CMMC Level 1, and it can be configured to meet CMMC Level 2 for protection of CUI.
However, there are a number of services and features included in GCC that do not comply with CMMC Level 2 for protection of CUI. These must be identified and disabled – and monitored so that they stay disabled. And there is always the possibility that a feature or settings change introduced in the future could introduce compliance issues. With GCC High, you’ll have a reasonable expectation that this won’t happen.
As mentioned, GCC High users can only share data and use B2B federation with other GCC High and DoD users and organizations. If you are a prime contractor, or you’re a subcontractor whose prime is on GCC High, it will greatly simplify data sharing if you are also on GCC High.
Finally, GCC High is the only environment with a guarantee that only U.S. citizens will ever have access to your data and that your data will never leave the US. If any data you handle is subject to ITAR, GCC High is really your only option. Even unintentional ITAR violations can and will cost your company in fines and lost contracts.
What Are the Downsides to GCC High?
GCC High offers many advantages to companies seeking CMMC certification. But it’s not without its challenges. These downsides will need to be weighed against the benefits as you decide whether GCC High is right for your organization.
As mentioned, GCC High users can only share data and documents with other GCC High and DoD tenants. If your business has significant operations that are not involved with DoD contracting or CUI, this could be a problem if outside sharing or B2B federation is an important part of your workflow.
Carefully examine the features that are missing from GCC High and consider the impact of not having them. This is especially important if you already have a commercial or GCC MS365 tenant. While it’s true that many of the missing features are incompatible with CMMC or DFARS 7012, this isn’t always the case. Again, the needs of the non-CUI parts of your business should be taken into account.
Because data sharing is limited from GCC High, many popular third-party Office 365 tools simply won’t work. You should inventory any integrations already in use and make plans to migrate away from them before moving to GCC High.
Will Buying GCC High Automatically Make Us Ready for CMMC?
Again, the short answer is no. Like any tool, GCC High requires proper setup and ongoing management to ensure compliance with CMMC. But Microsoft can only guarantee that their practices and infrastructure comply with regulations. While GCC High offers some guardrails, it’s not a turnkey solution for CMMC certification. You are still responsible for configuring and operating it in a compliant way.
Microsoft offers several cloud-based security products for GCC High customers that can help your organization comply with CMMC. These include Enterprise Mobility & Security (EMS), Azure Information Protection (AIP), Microsoft Cloud App Server, and Microsoft Defender. These products are also hosted in Azure Government datacenters. Again, with proper configuration, these tools can satisfy a number of CMMC and NIST 800-171 controls.
How Much Does Microsoft 365 GCC High Cost?
GCC High is available as Microsoft 365 F3, E3, and E5 licenses, or Office 365 F3, E1, E3 and E5 licenses. As with MS365 Enterprise offerings, the “Microsoft 365” flavor includes additional security and device management features such as Advanced Threat Protection, as well as a Windows 10 Enterprise license, while the “Office 365” version is limited to the Microsoft Office suite, Exchange Online, and collaboration features. The F1 and F3 licenses do not include the desktop version of Office programs.
As you would expect, there is a premium for GCC High over the commercial versions of Microsoft 365. The price difference includes the additional overhead involved with ensuring compliance with DFARS 7012 and ITAR and maintaining separation between Azure Government and commercial operations.
For Microsoft GCC High licenses, you can expect to pay an average of 50% more than the retail price of the equivalent Enterprise license. F1 and F3 licenses are somewhat less expensive at around 15% more than their commercial counterparts.
Is MS365 GCC High Worth It?
This question will need to be considered in the broader context of your business and IT strategy. For many contractors, the increased cost and feature limitations will easily be justified by the compliance features and ability to share data with the DoD and other GCC High organizations. For others, particularly those who do a lower volume of contract work and aren’t subject to ITAR, other options may be more cost-effective overall.
How Do I Purchase Office 365 GCC High?
Up until 2018, GCC High was only available directly from Microsoft via an Enterprise Agreement, which has a minimum of 500 users. In view of the tightening controls for contractors handling CUI at all levels of the supply chain, Microsoft began selling GCC High licenses to smaller customers through select partners. However, your eligibility for GCC High must be verified directly with Microsoft before a purchase can be made.
While E-N Computers isn’t a Microsoft AOS-G (Agreement for Online Services – Government) partner, we have established a relationship with one to help our clients procure GCC High licenses. We can help you to decide whether GCC High is right for you and plan your migration. Use the button below to set up your free CMMC consultation.
Next Steps: GCC High and CMMC Certification
READ: What is ITAR Compliance?
WATCH: CMMC December 2020 Update
If you’d like to learn more about the latest CMMC requirements, be sure to read our Ultimate Guide to CMMC. It includes an overview of what we know so far about CMMC and when it’s going to be implemented. Click here to read it now.
Or if you need to know how ITAR will affect your IT strategy, read What is ITAR Compliance? for an overview of the technology issues it creates and how you can solve them.
We have also hosted several webinars about CMMC and how your business can be prepared for its rollout. Click here to watch the latest one from December 2020 and view the others on our YouTube channel.
We are also offering free CMMC strategy consultations to Virginia companies that need help with compliance and certification. Book your 30-minute, no-obligation strategy session today to learn about the next steps you need to take toward certification, and how a partner like E-N Computers may be able to help. Click here to pick a date and time that works for you.