by Blake Cormier
Content Manager, E-N Computers
Microsoft 365 GCC High is an environment created by Microsoft to meet stringent government security requirements for the Department of Defense and defense contractors.
As the Cybersecurity Maturity Model Certification (CMMC) implementation date quickly approaches, DoD contractors and subcontractors might wonder if they can get by with their current Microsoft 365 environment or if they need Microsoft 365 GCC High.
At E-N Computers, we’re helping several of our clients get ready for CMMC through preliminary assessments and implementation of the 110 security controls (made up of more than 300 objectives) required for certification. Since many of our clients rely on Microsoft 365, we are helping them ensure that their cloud resources are secure and compliant. Two of our veteran engineers are Registered Practitioners with The Cyber AB, and ENC is a Registered Practitioner Organization, which validates our expertise as CMMC consultants.
In this article, you’ll learn 1) what Microsoft 365 GCC High is, 2) how it’s different from other MS365 options, 3) whether GCC High is a requirement for CMMC certification, 4) what alternatives there are, and 5) how GCC High pricing compares with other MS365 versions.
GCC and GCC High are Microsoft 365 service offerings designed to meet various Federal data security regulations, including CMMC and DFARS 7012. GCC High includes additional controls that make it suitable for protecting export-controlled CUI at CMMC Level 2 or above.
What is Microsoft 365 GCC High?
Government Community Cloud (GCC) and GCC High are specific service offerings of Azure cloud services and the Microsoft 365 suite designed to ensure compliance with various federal government information and cybersecurity regulations. They are available to government agencies and private organizations that are required to comply with regulations such as CMMC, FedRAMP High, DFARS 7012, ITAR, or CJIS Policy.
How is MS365 Government different from MS365 Commercial?
The main difference between Microsoft 365 US Government and Microsoft’s commercial offerings is that data for MS365 Government is segregated from commercial MS365 data.
Data for GCC is located in a separate “enclave” of the Azure Commercial cloud. In contrast, the GCC High and DoD offerings are housed in a separate Azure Government environment called the “US Sovereign Cloud”. Data centers that serve GCC High and DoD tenants are located only within the US and are supported only by screened and background-checked US persons.
Most features and services available to commercial MS365 tenants are available to GCC and GCC High. However, there are exceptions to some application features that use internet-based services. Additionally, future features may be slower to roll out to Government tenants or unavailable due to compliance issues.
How is Microsoft 365 GCC different from GCC High?
While GCC and GCC High are both part of MS365 US Government, they are designed to comply with different regulations. This is reflected in which data centers they use and which Microsoft personnel can provide support. GCC is built on top of Microsoft’s commercial data centers and global Azure services. While the Government “enclave” ensures that GCC data is stored within the continental United States (CONUS), some services available in GCC use data processing that occurs outside the US. Additionally, GCC uses the same global support model as Commercial, meaning that non-US persons will be involved in supporting GCC tenants and thus could at times have access to GCC data.
In contrast, GCC High was designed for Defense Industrial Base (DIB) needs. It uses dedicated data centers in the continental US and is supported solely by cleared US persons. Unlike GCC, GCC High includes a contractual guarantee that no data will leave the United States and that only US persons will ever have access to GCC High data.
Compliance. As of 2021, GCC includes support for DFARS 7012 and can meet the requirements for CMMC certification. However, if you are subject to ITAR or handle Covered Defense Information (CDI), you will need GCC High to ensure that your information remains in the US and is only accessible by US persons.
Interoperability. To maintain compliance, GCC High lacks some features and integrations available to commercial and GCC customers. The exact features that are available change often, so it’s best to use Microsoft’s official service descriptions. GCC High organizations can share data with other GCC High and DoD tenants but not with GCC or commercial ones.
Pricing. Microsoft 365 GCC pricing matches the pricing of the Commercial version. Compared to a GCC solution, GCC High can easily be 50% to 70% more expensive. As mentioned above, it runs on dedicated US infrastructure and support personnel, which are more costly to maintain. Additionally, organizations that move to GCC High often end up licensing more features, like eDiscovery and Enterprise Mobility and Security, to achieve the higher level of compliance they seek.
Purchasing. While commercial and GCC MS365 licenses can be purchased from several vendors, GCC High must be purchased from just a few. Microsoft directly screens organizations for eligibility and requires that eligibility to be renewed yearly. Additionally, licenses must be paid for annually, not month-to-month. During the annual term, licenses can be added and reassigned but not removed.
Ultimately, you should be sure you are subject to the stringent security and compliance requirements around ITAR, CUI, and CDI before committing to GCC High.
What is Microsoft 365 DoD?
There is another Microsoft 365 Government tier called Microsoft 365 DoD. It is nearly identical to GCC High: they share a service description page and are usually mentioned together in the documentation. MS365 DoD is only available to the DoD itself, not to contractors. Because GCC High and DoD meet the same security standards, tenants can share data between the two environments, including via B2B federation.
Comparison between Microsoft 365 options for defense contractors
| | MS365 Commercial | MS365 GCC | MS365 GCC High | MS365 DoD |
|---|---|---|---|---|
| Summary | MS365 Commercial is a standard offering for businesses | GCC is designed for government agencies that need to comply with specific federal regulations | GCC High is tailored to meet stringent security requirements for the Department of Defense and defense contractors | MS365 environment built exclusively for the DoD |
| Who it’s for | General businesses | Government agencies requiring federal compliance | Defense Industrial Base (DIB), DoD contractors, federal agencies | DoD only |
| How secure is it? | Suitable for general business use | Similar to Commercial but designed to meet federal regulations like FedRAMP | Sovereign (separate) cloud environment | Complies with DoD security standards |
| Cost | Standard commercial pricing | Similar to commercial pricing | 50% to 70% more expensive than GCC | Exclusive to DoD; cost may vary based on DoD contracts |
| Regulations covered | NIST 800-171; CMMC Level 1 (and possibly Level 2, but not recommended by MS and not all CUI is supported) | DFARS 7012, DoD SRG Level 2, FBI CJIS, FedRAMP Moderate, possibly CMMC Level 2 (but not recommended and not all CUI is supported) | NIST 800-171, ITAR, FedRAMP High; appropriate for CUI/CDI and CMMC Level 2 and 3 | DoD SRG Levels 5 and 6 |
| How to buy | Available through various vendors | Typically purchased through government contracts and a few authorized vendors | Verify eligibility with Microsoft and purchase through an AOS-G partner (E-N Computers works with one) | Exclusive to DoD; eligibility verification required with Microsoft |
Do I need Microsoft 365 GCC High for CMMC certification?
Not necessarily. Since 2021, Microsoft has agreed to include contractual guarantees for DFARS 7012 compliance for FCI and some categories of CUI for GCC tenants. This means that it generally meets the requirements of CMMC Level 1 and can be configured to meet CMMC Level 2 for the protection of CUI.
However, some services and features are included in GCC that do not comply with CMMC Level 2 for the protection of CUI. These must be identified, disabled, and monitored so that they stay disabled. Additionally, a feature or settings change in the future may introduce compliance issues. With GCC High, you can reasonably expect this won’t happen.
As mentioned, GCC High users can only share data and use B2B federation with other GCC High and DoD users and organizations. If you are a prime contractor or subcontractor with a prime on GCC High, it will significantly simplify data sharing if you are also on GCC High.
Finally, GCC High is the only environment with a guarantee that only U.S. citizens will ever have access to your data, and that your data will never leave the U.S. If any data you handle is subject to ITAR, GCC High is your only option. Even unintentional ITAR violations can and will cost your company fines and lost contracts.
What are the downsides to GCC High?
GCC High offers many advantages to companies seeking CMMC certification. But it does have downsides that you should carefully weigh as you decide whether GCC High is right for your organization.
As mentioned, GCC High users can only share data and documents with other GCC High and DoD tenants. If your business has significant operations not involved with DoD contracting or CUI, this could be a problem if outside sharing or B2B federation is an essential part of your workflow.
Carefully examine the missing features from GCC High and consider the impact of not having them. This is especially important if you already have a commercial or GCC MS365 tenant. While it’s true that many of the missing features are incompatible with CMMC or DFARS 7012, this isn’t always the case. Again, the needs of the non-CUI parts of your business should be considered.
Because data sharing is limited from GCC High, many popular third-party MS365 tools won’t work. You should inventory existing integrations and plan to migrate away from them before moving to GCC High.
Will buying GCC High automatically make us ready for CMMC?
No. Like any tool, GCC High requires proper setup and ongoing management to ensure compliance with CMMC. Microsoft can only guarantee that its practices and infrastructure comply with regulations. While GCC High offers some guardrails, it’s not a turnkey solution for CMMC certification. You are still responsible for configuring and operating it in a compliant way.
Microsoft offers several cloud-based security products for GCC High customers that can help your organization comply with CMMC. These include Enterprise Mobility & Security (EMS), Azure Information Protection (AIP), Microsoft Cloud App Server, and Microsoft Defender. These products are also hosted in Azure Government data centers. With proper configuration, these tools can satisfy many CMMC and NIST 800-171 controls.
How much does Microsoft 365 GCC High cost?
GCC High is available as Microsoft 365 F3, E3, and E5 licenses, or Office 365 F3, E1, E3 and E5 licenses. As with the commercial Enterprise offerings, the “Microsoft 365” versions include additional security and device management features such as Advanced Threat Protection and a Windows 10 Enterprise license, while the “Office 365” versions are limited to the Microsoft Office suite, Exchange Online, and collaboration features. The F1 and F3 licenses do not include the desktop version of the Office programs.
As you might expect, GCC High costs significantly more than commercial versions of Microsoft 365. The price difference reflects the additional overhead of ensuring compliance with DFARS 7012 and ITAR and of maintaining separation between Azure Government and commercial operations.
For Microsoft GCC High licenses, you can expect to pay an average of 50% more than the retail price of the equivalent Enterprise license. F1 and F3 licenses are less expensive at around 15% more than their commercial counterparts.
Is MS365 GCC High worth it?
This question must be considered in the broader context of your business and IT strategy. For many contractors, the increased cost and feature limitations will easily be justified by the compliance features and the ability to share data with the DoD and other GCC High organizations. For others, particularly those who do a lower volume of contract work and aren’t subject to ITAR, other options may be more cost-effective overall.
How do I purchase Microsoft 365 GCC High?
Until 2018, GCC High was only available directly from Microsoft via an Enterprise Agreement with a minimum of 500 users. Given the tightening controls for contractors handling CUI at all levels of the supply chain, Microsoft began selling GCC High licenses to smaller customers through select partners. However, your eligibility for GCC High must be verified directly with Microsoft before a purchase can be made.
While E-N Computers isn’t a Microsoft AOS-G (Agreement for Online Services – Government) partner, we have established a relationship with one to help our clients procure GCC High licenses. We can help you decide whether GCC High is right for you and plan your migration.
Next Steps: GCC High and CMMC certification
READ: What is ITAR Compliance?
READ: Understanding Compliance Between Commercial, Government and DoD Offerings from the M365 public sector blog.
If you’d like to learn more about the latest CMMC requirements, read our Ultimate Guide to CMMC. It includes an overview of what we know about CMMC and when it will be implemented.
Or, if you need to know how ITAR will affect your IT strategy, read What is ITAR Compliance? for an overview of the technology issues it creates and how you can solve them.
We have also hosted several webinars about CMMC and how your business can be prepared for its rollout. The latest one, from December 2020, and the earlier ones are available on our YouTube channel.
We also offer free CMMC strategy consultations to Virginia companies needing help with compliance and certification. Book your 30-minute, no-obligation strategy session today to learn about the next steps you need to take toward certification and how a partner like E-N Computers may be able to help.