Microsoft 365 GCC and GCC High are Microsoft cloud environments designed to meet the security and compliance needs of U.S. government agencies and their contractors and suppliers. Contrary to popular belief, both GCC and GCC High can be used to meet DFARS 252.204-7012 ("DFARS 7012") and CMMC 2.0 requirements, so the choice between them comes down to your broader security and compliance obligations. To help you decide, let's look at the primary differences between the two platforms.
Microsoft 365 GCC
If you're unfamiliar with Microsoft's government licensing, you may be wondering what the Microsoft Government Community Cloud (GCC) actually is. Microsoft 365 GCC is very similar to the commercial Microsoft 365 environment and provides many of the same capabilities.
The biggest difference between Microsoft's commercial licenses and GCC is that GCC is designed specifically for the security needs of government agencies and their partners. For instance, customer data in GCC is stored in a segregated cloud environment, separate from Microsoft's commercial tenants. GCC also provides enhanced security and compliance features that, when configured properly, can help organizations satisfy DFARS 7012, CMMC 2.0, and NIST SP 800-171 requirements. Note that the environment alone does not make you compliant: the required controls still have to be implemented, configured, and maintained within your tenant.
Microsoft 365 GCC High
For organizations that face stricter regulatory requirements, Microsoft 365 GCC High offers additional security features designed for DoD contractors. Beyond the more robust security measures, the other significant difference is that GCC High data is stored only in U.S. data centers and is supported exclusively by background-screened U.S. citizens. This combination of data sovereignty and personnel screening is what allows GCC High to support ITAR and EAR requirements.
Do I Need GCC High for Compliance?
Ultimately, whether you need GCC High depends on the specific compliance requirements in your government contract. If your primary concern is CMMC 2.0, you may not need GCC High. If you only need CMMC Level 1, you may even be able to remain on Microsoft 365 Commercial, provided the required safeguards are in place. You may also be fine staying on GCC if you need to comply with DFARS 7012, since GCC can support those requirements.
Of course, the fact that you can maintain CMMC 2.0 compliance in GCC does not make it a good idea, particularly if you handle CUI. For defense contractors, migrating to Microsoft 365 GCC High can significantly improve your security posture, as it offers a more robust set of security and compliance features for protecting CUI. In fact, while GCC can support CMMC 2.0, Microsoft itself recommends GCC High for protecting CUI under the requirements of CMMC Levels 2 and 3.
When is migrating to Microsoft 365 GCC High absolutely necessary? While most government contractors who handle CUI can benefit from the enhanced security of GCC High, you will need GCC High if you manage, create, or hold any of the following types of information:
- Export-controlled CUI
- International Traffic in Arms Regulations (ITAR) data
- Export Administration Regulations (EAR) data
- Criminal Justice Information (CJIS), Federal
- Specified CUI that requires U.S. sovereignty
- Covered Defense Information (CDI)
- Nuclear information (FERC/NERC)
- NASA data
- CUI marked NOFORN
This is not an exhaustive list of the information types that require GCC High; rather, these are the information types that will always require it. GCC High is the only Microsoft environment available to non-government organizations that meets the data sovereignty and U.S. citizenship requirements that organizations in the Defense Industrial Base (DIB) must adhere to when storing and transmitting sensitive government data, including CUI.