Why Does Microsoft 365 GCC High Cost More?

    2 Minutes Read

    Many business and IT leaders in the Defense Industrial Base (DIB) are exploring the benefits of migrating to Microsoft 365 GCC High (GCC High) - or Office 365 GCC High - and in the process have many questions about licensing. One of the most common questions arising in initial exploratory conversations is around price. GCC High is undoubtedly more expensive than other 'versions' of the platform, but there are common misconceptions around why.

    This blog and accompanying video explain the differences between the US-sovereign cloud version of the Microsoft 365 platform vs commercial and more.


    Reason 1 - Additional Security

    As you would suspect, it costs Microsoft more money to run data centers that have higher levels of security. Businesses opt for a cloud approach because resiliency measures for on premises systems can be costly. Microsoft takes the brunt of those costs for GCC High consumers (PaaS and SaaS) by addressing the light blue components shown in their shared responsibility model below.

    Shared Responsibility Model

    Microsoft's GCC High data centers meet DISA Impact Level 4 and FedRAMP High standards. This includes a high degree of physical security as well as increased access control measures (i.e. no standing access) and much more.

    Reason 2 - Additional Licensing

    Reason 2 is more of a fallacy than a reason. Often times organizations move to GCC High for security and compliance reasons - namely DFARS 7012, ITAR, and CMMC. These security and compliance goals also require additional products and features not included in less expensive license types. An Office 365 E1 license or Exchange Online Plan 1 will not meet the requirements of CMMC 2.0 Level 2 or DFARS 7012/NIST 800-171 for example.

    Therefore, part of the increased expense is coming from the need for additional features found in the Enterprise Mobility + Security (EM+S) suite and Microsoft Defender for Office 365 licenses. (The Microsoft Defender suite has underwent a name change. Read more here.) More capability often means more costs. To meet the security and compliance requirements, you simply need more of the native Microsoft security products (or some other third party tools you will need to integrate).

    Reason 3 - Additional Compliance

    To meet ITAR and other export controlled data requirements, Microsoft has invested heavily to ensure all aspects of GCC High is US based. All data residency is within the continental US, and all Microsoft personnel staffed for these data centers are US persons and pass rigorous background checks. Some of the expenses associated with standing up physically and logically segregated infrastructure (from other content in Microsoft's commercial Office 365 offerings) is likely associated with license costs. 

    CMMC also further establishes the need for cloud vendors to meet similar requirements as government contractors (GovCon) in contractual flowdown. Microsoft already meets requirements found in NIST 800-171 and 800-53  in how it handles customer data.

    Wrap Up

    Microsoft has become the tip of the spear in providing cloud offerings to meet the needs of the DoD and its supply chain. As such, the company continues to put forth great efforts to defend US data and keep the Warfighter secure.

    The reasons for the price difference mentioned above are not all-encompassing, but they are primary drivers. Be aware that if you are exploring SaaS or PaaS alternatives in the cloud space you will need to assess the offering based upon the aforementioned capabilities or characteristics. 

    One last thing that has been commonly misinterpreted: when receiving your initial GCC High quote, the pricing will reflect annual payments, unlike the monthly model you may be familiar with in Commercial Office 365/Microsoft 365. 

    Picture of Shawn Hays

    Shawn Hays

    Shawn is a communication and collaboration professional. Prior to Summit 7 Systems, Shawn excelled as a marketing and PR strategist – working within health care and public relations consulting. During his career, he has served as the sole business development manager of a small IT-centric government contracting business and as a publications lead within a large defense and aerospace company. He graduated from the University of Alabama in Huntsville with undergraduate degrees in Physics and Communications, and Tennessee Tech University's MBA program in 2017. It is this technical know-how and ability to convey various subject matters to, both, technical and non-technical audiences that brought him to Summit 7 Systems. In addition, Shawn is a super user of Microsoft SharePoint and Office 365, and possesses a high degree of ITIL process improvement experience.