Today more so than ever, government contractors need a cloud solution that meets their growing security and compliance needs. With multiple types of clouds to choose from, however, how can you know which one is right for your business?
In this post, we’ll take a look at the Microsoft cloud solutions, how they’re different, and what’s your best bet when it comes to security and compliance.
What Is GCC High and How Does It Differ from Other Solutions?
The most common cloud solutions include Microsoft 365 Commercial, Microsoft 365 Government Community Cloud (GCC), and Microsoft 365 GCC High; but how are they different and what does each offer? Let’s take a closer look at each.
Microsoft 365 Commercial
First, let’s talk about Microsoft 365 Commercial, a solution that anyone can use with no validation required. While it can meet compliance and security needs (including those related to HIPAA, GDPR, CCPA, HITECH, NIST 800-53, PCI DSS and, in some cases, even FedRAMP), it’s not ideal for defense or government compliance because it shares a global infrastructure and workforce.
Microsoft 365 Government Community Cloud (GCC)
Microsoft 365 Government (GCC) is essentially a government-focused copy of Microsoft 365 Commercial, offering many of the same features. The main difference between the two is that the Government cloud has data centers located only in the continental United States, as mandated by FedRAMP Moderate. Compliance frameworks that can be met in GCC include FedRAMP High, DFARS 252.204-7012, FBI CJIS, and DoD SRG Level 2.
GCC High
GCC High is a copy of Microsoft 365 Department of Defense (DoD), which was built for the Department of Defense only and not for contractors or outside personnel. Because of this, GCC High was created for cleared personnel, agencies, and other DoD contractors. It was developed to ensure compliance with federal regulatory and cybersecurity requirements, including CMMC, FedRAMP High, CJIS Policy, ITAR, NIST 800-171, and DFARS 7012.
Cloud Solutions and CMMC
How do all of these cloud solutions relate to CMMC? Microsoft 365 Commercial and Government (GCC) can be configured to meet the vast majority of CMMC’s requirements with native security products and capabilities. But while you may not need GCC High to meet CMMC requirements, you may need it to meet the requirements of your specific CUI and business scenarios. In other words, you may need to move from GCC to GCC High for your organization’s long-term compliance strategy.
Is GCC High needed for CMMC?
The short answer is no.
You don’t necessarily need GCC High for CMMC certification. Since 2021, Microsoft has been offering contractual commitments within GCC to ensure DFARS 7012 compliance for FCI and certain types of CUI, which generally aligns with the requirements for CMMC Level 1 and can be adjusted to meet CMMC Level 2 for handling CUI.
That said, certain GCC features and services may not comply with CMMC Level 2 for CUI protection. These will need to be identified, turned off, and continuously monitored to ensure they remain inactive. Future changes or updates to these services could also introduce new compliance issues, but GCC High significantly reduces that risk.
Also, GCC High restricts data sharing and B2B connections to other GCC High or DoD organizations. If you’re a prime contractor or working with a prime using GCC High, this environment makes secure data sharing much easier.
Lastly, GCC High is the only platform that guarantees data access is limited exclusively to U.S. citizens, ensuring your data never leaves the U.S. If you handle ITAR-sensitive information, GCC High is your only viable option since even accidental ITAR breaches can lead to severe financial penalties and lost business opportunities.
Benefits of GCC High
Here are some of the greatest benefits of moving to GCC High:
- Compliance: GCC High is the only cloud solution that guarantees only US citizens will have access to your data; it’s also the only solution you can implement if your organization handles any data subject to ITAR.
- Guarantee: Microsoft offers a contractual guarantee that its infrastructure meets DoD regulatory requirements, something that’s especially important if you need to comply with CMMC.
- Sharing: GCC High makes sharing data with other DoD and GCC High users and organizations simple and secure.
- Management: Unlike GCC High, certain features of Microsoft 365 Commercial and Government (GCC) must be identified, disabled, and monitored so that they remain disabled in order to comply with DFARS 7012, NIST 800-171, and/or CMMC.
GCC High Eligibility & Requirements
How do you know if you need GCC High? While this is not an exhaustive list of information types that require GCC High, the following types of information, whether you create, manage, or hold them, will always require it:
- Specified CUI that requires US sovereignty (including CUI marked NOFORN, Controlled Defense Information, NASA and Nuclear Information, and FERC/NERC)
- Export Administration Regulations (EAR)
- Criminal Justice Information Systems (Federal)
- International Traffic in Arms Regulations (ITAR)
- Export Controlled CUI
Ultimately, if you’re subject to DFARS clause 7012, you’ll need GCC, and if you have US citizenship requirements, export control, or covered information with sovereignty, you’ll need GCC High. That’s why GCC High is reserved for Federal Agencies, the Defense Industrial Base (DIB), and DoD contractors.
However, if you wish to move to GCC High, you must first receive validation from Microsoft. This process includes a request for validation, providing the appropriate documentation, and the submission of a GCC High licensing request.
Compliance Standards that Can be Met with GCC High
How your tenant is configured is important, but generally a GCC High environment can help you achieve the following standards:
- GCC
  - CMMC Levels 1-2
  - NIST 800-171
  - FedRAMP Moderate
  - FBI CJIS
- GCC High
  - CMMC Levels 1-3
  - NIST 800-171
  - FedRAMP Moderate
  - FedRAMP High
  - ITAR
  - FBI CJIS
  - DoD SRG Level 2-5
How Much Does GCC High Cost?
After completing Microsoft’s screening process to ensure eligibility, you can purchase a GCC High license through select partners, like R3.
Due to the increased security and compliance features (including ensured compliance with ITAR and DFARS 7012 and the separation between commercial operations and Azure Government), there is a premium for GCC High. Expect to pay, on average, 50% more than the retail price of the equivalent Enterprise license.
Are there pitfalls to working in a GCC High Environment?
GCC High offers enhanced security and compliance features, but it also comes with a few challenges or pitfalls that organizations need to consider:
- Cost: GCC High is significantly more expensive than regular GCC or commercial Microsoft environments due to its specialized security and compliance features, which can be a barrier for smaller organizations or those with limited budgets.
- Complexity of Setup: Configuring and managing GCC High requires a deeper understanding of security and compliance settings. The setup process can be complex, and improper configuration may lead to compliance issues, negating the benefits of using the environment.
- Limited Integration: Unlike commercial environments, GCC High restricts data sharing and collaboration with non-GCC High users. This limitation can create friction when working with external partners, vendors, or clients who aren’t also using GCC High, impacting cross-organization collaboration. This is especially frustrating if your business does a significant amount of work outside of DoD contracting, as it won’t be possible to do any outside sharing.
- Restricted Access: GCC High enforces strict U.S. citizen-only access to ensure compliance with ITAR and other regulations. While this is an advantage for compliance, it limits the ability to hire non-U.S. personnel or use international contractors, which could pose staffing challenges.
- Availability of Features: Not all Microsoft services and third-party applications are available or fully functional in GCC High. This could limit functionality or cause compatibility issues if your organization relies on specific tools not supported in this environment.
- Migration Complexity: Moving to GCC High can be a lengthy and complex process, especially for organizations already established in other environments. The transition may require significant planning, adjustments to workflows, and careful coordination to maintain compliance.
- Ongoing Maintenance: Staying compliant within GCC High requires ongoing monitoring and maintenance. Changes in features or settings, whether intentional or due to updates, could introduce compliance risks, so vigilant oversight is necessary. If you don’t intend to hire full-time staff to manage it, working directly with an MSP experienced in developing and managing a GCC or GCC High environment is typically recommended.
These challenges should be weighed against the need for GCC High’s enhanced security and regulatory assurances, particularly for organizations handling sensitive or regulated data.
Work with R3 to Obtain GCC High
After you’ve completed and submitted the form for GCC High and your organization’s eligibility has been validated, you can work with R3 to place an order. As a qualified Microsoft licensing solution provider (LSP), we can transact both GCC and GCC High through Enterprise Agreement (EA) to create the customer price sheet (CPS) for under 500 seats.
Ready to get started? Send us a message today to learn how we can provide the experienced, knowledgeable GCC High support you need.