What is Microsoft GCC High?
GCC High is the cloud platform developed by Microsoft for cleared personnel and organizations supporting the Department of Defense.
What Is Microsoft 365 GCC High?
"GCC High" stands for Microsoft 365 Government Community Cloud High - Microsoft 365 GCC High is the cloud platform developed by Microsoft for cleared personnel and organizations supporting the Department of Defense. GCC High is hosted in Microsoft servers across the United States in order to meet strict compliance requirements for small to medium-sized contractors as they control the flow of Controlled Unclassified Information (CUI).
GCC High is an offering in the Microsoft 365 suite and compliments Microsoft's Azure Government for building IT infrastructures. This page is an overview of various explanations about the platform, why it is heavily relied upon by contractors, its role in meeting security and compliance goals (CMMC 2.0/NIST/DFARS/FAR/ITAR), and how to obtain licensing.
Topics covered on this page:
- Do I Need GCC High For CMMC 2.0?
- Is GCC High ITAR compliant?
- M365 GCC versus GCC High
- B2B Capabilities of GCC High
- Where is GCC High located?
- What is available in GCC High?
- GCC High applications for DoD contractors
- How to obtain GCC High licenses
Who uses GCC High?
Contractors supporting the DoD, or Defense Industrial Base members use Microsoft 365 GCC High to secure critical data such as CUI, CTI, and ITAR.
Do You Need GCC High For CMMC 2.0?
The short answer: No
The long answer: You likely need to choose Microsoft 365 GCC High for your overall security and compliance strategy.
GCC High is not required to meet CMMC 2.0 at any Level. However, Microsoft's official recommendation is for organizations planning or required to meet CMMC 2.0 Level 2 and Level 3 should deploy to Microsoft 365 GCC High.
Though DFARS 7012 can sometimes take a backseat to CMMC 2.0 in the public discourse, it's important to take a full compliance vantage point and first consider your organization's DFARS compliance strategy. Also, Microsoft sheds additional light on DFARS compliance in their cloud offerings when they announced several changes to the accreditation boundaries surrounding Microsoft 365 GCC and Azure Commercial. Previously, Microsoft 365 GCC High was the only version of the Office 365 or Microsoft 365 platform that met the reporting requirements of DFARS 7012 found in paragraphs C-G.
Do you see your DoD contracts portfolio expanding or including ITAR data? Will you continue to support the DoD?
- Will you make the switch to GCC High in 1-2 years and possibly require a second migration, security implementation, and assessment? Are you budgeting for that?
- What is your probability of experiencing an incident or event?
Is GCC High ITAR Compliant?
Yes - we cover this topic in depth in this blog.
M365 GCC vs GCC High
GCC vs GCC High: Simply put, Microsoft GCC and GCC High both hold the ability to meet current compliance requirements such as DFARS 7012 and CMMC 2.0; however, organizations will likely need to choose GCC High for their overall licensing strategy.
Microsoft has three other environments for Microsoft 365. Although they share many characteristics and capabilities, they all meet compliance requirements differently. The two versions that most organizations lean on for meeting compliance requirements are GCC and GCC high.
Microsoft 365 Commercial
This environment is built to FedRAMP High standards and when leveraged properly it can help organizations to meet the requirements found in NIST SP 800-171. However, this offering will not currently meet DFARS 7012 or CMMC 2.0 L2. It leverages the Azure Commercial stack and is generally available through all licensing outlets.
Microsoft 365 GCC
The Microsoft 365 GCC environment is almost identical to the Microsoft 365 Commercial environment in capabilities. The major exception is that data stored in the GCC environment of the commercial cloud is segregated from the data used by organizations with Microsoft 365 commercial tenants. When appropriately leveraged it can help organizations satisfy DFARS 7012, NIST-800-171, and CMMC 2.0 requirements if the organization does not handle export-controlled data such as ITAR and EAR.
This free guide to GCC vs GCC High was created to help make informed decisions when choosing between the two platforms.
Microsoft 365 GCC High
Microsft 365 GCC High is built on Azure Government, within dedicated US data centers. GCC High is the only Microsoft offering - besides the DoD dedicated Microsoft 365 - that insures all data resides in U.S. data centers and is supported by background-checked U.S. persons. Those attributes make GCC High suitable for ITAR and EAR data. Additionally, Office 365 or Microsoft 365 GCC High is a suitable cloud platform to house CUI corporately and on behalf of the Government, which requires DISA IL 4 or greater. GCC High is rated at DISA IL 5 and is FedRAMP High equivalent.
Microsoft 365 DoD
The Microsoft 365 DoD environment is built on Azure Government, within dedicated government data centers. However, access to the DoD environment is limited to DoD organizations and cannot be purchased by private organizations.
B2B Collaboration Capabilities
Even though these cloud environments are physically and logically separated, Microsoft has enabled the ability of organizations to fulfill business needs through cross-cloud B2B collaboration. With B2B collaboration, organizations can securely share applications and services with external users, while maintaining control over their own corporate data. This capability allows organizations to work safely and securely with external partners, regardless of their size or the cloud environment in which they come from.
Where is GCC High Located?
Microsoft 365 GCC High is built on Microsoft Azure Government within 8 dedicated government data centers based throughout the United States. The entire suite of Microsoft 365 GCC High services has been awarded its FedRAMP High certification; meaning that all services found in Microsoft GCC High have implemented security measures designated for cloud computing environments and services that interact with the government's most sensitive, unclassified data.
For organizations that interact with export-controlled data such as International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR); Azure Government cloud instances are exponentially beneficial because:
- All personnel employed at these locations must be United States citizens and must successfully pass a background screening
- All data is stored in data centers on U.S. soil.
What is available in GCC High?
M365 GCC High includes many of the same feature sets and products as Microsoft 365 Commercial, such as SharePoint Online, Teams, Exchange Online, OneDrive for Business, etc. However, there are still a few products and features not available in GCC High that can be found in its commercial-based relative.
With the modernization of infrastructures and the increase of the “on-the-go" nature of today’s workforce, more organizations are looking to host voice/ telephony systems to meet their Private Branch Exchange (PBX) and Public Switched Telephone Network (PSTN) needs. For organizations using commercial Microsoft tenants, teams phone system and it’s calling plan bundles satisfies that need. For GCC High tenants, the Teams phone solution is not available. In order to satisfy the hosted voice/telephony needs of a GCC High tenant, the organization will need to take a different approach to satisfy their PBX and PTSN needs.
The following Licensing Guide gives a breakdown of security features and products available on the platform.
Thanks to the Microsoft AOS-G program, qualifying organizations of any size can leverage the Microsoft GCC High platform of services to virtualize their infrastructure and mobilize their workforce using tenants capable of:
- Meeting the requirements found in the NIST SP 800-171 and CMMC 2.0 cybersecurity frameworks.
- Supporting all requirements for DFARS 252.204-7012 as part of this environment.
- Restricting access to export-controlled data such as ITAR and EAR
Bottom line, IF you do have a DFARS 7012 clause, AND you also interact with export-controlled data; then a properly leveraged GCC High tenant should be in your organization's plan.
GCC High Service Descriptions
Microsoft's Enterprise Mobility + Security, or EMS, offerings for US GCC High and DOD customers are built on the Microsoft Azure Government cloud and are designed to inter-operate with the Microsoft 365 GCC High and DOD environments. The EMS E5 suite is available for both GCC High and DoD customers and includes the following FedRAMP High certified products and services:
- Azure Active Directory Plan 1 and Plan 2
- Azure Information Protection Plan 1 and Plan 2
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Identity
- Microsoft Intune
Organizations that use EMS for US Government GCC High and DOD offerings benefit from the following:
- Physical and logical separation of data at rest from Microsoft 365 Commercial and Microsoft 365 GCC data
- Data stored on U.S. Soil in one of 8 Azure Government data centers
- Access to your data by Microsoft is restricted to screened U.S. citizens only.
GCC High Applications for Contractors
Microsoft Purview Information Protection
Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) helps organizations discover, classify, protect, and govern sensitive information wherever it lives or travels. Using the products and features of MPIP, aerospace and defense organizations can use sensitivity labels to apply classification to documents and emails. The assigned data classification is identifiable regardless of where the data is stored or with whom it’s shared. Rules and restrictions can then be placed on the data based on the assigned classification label using Microsoft Purview Data Loss Prevention (DLP), ultimately stopping sensitive data from leaving your GCC high environment without authorization.
Read how organizations in the DIB are identifying CUI with Microsoft Purview here.
Microsoft Defender For US Government
Microsoft Defender in GCC High is a cloud-based email filtering service that helps protect your company against unknown viruses and malware by providing substantial zero-day protection and includes features to protect your company from harmful links in real time. These capabilities are critical to meeting the NIST 800-171 control family 3.14 - System and Information Integrity. Although it is important to understand, Defender for Office 365 cannot simply meet compliance requirements by 'turning it on'.
The Defender license has powerful reporting and URL trace capabilities that give administrators insight and clarity into the kind of attacks happening in your organization. The reporting capabilities, moreover, can cover the "actions of individual system users [to] be uniquely traced to those users so they can be held accountable for their actions" (NIST 800-171). Defender for Microsoft 365 covers most Exchange architectures – rather on premises, Exchange Online, or Hybrid if configured properly.
Microsoft SharePoint for US Government
SharePoint in Microsoft 365 helps organizations share and manage content, knowledge, and applications to empower teamwork, quickly find information, seamlessly collaborate across the organization. Here are the differences between the IT admin features for commercial customers and those for government cloud customers.
- Changing a site address is not available for GCC High customers
- Hybrid SharePoint Server is not available for all government cloud customers
- The SharePoint Migration Tool and Migration Manager require a configuration change. For info, see SPMT government cloud support
- Mover.io is not yet supported
- Multi-geo is not available for all government cloud customers
Microsoft OneDrive for US Government
OneDrive is an online storage space in the cloud that's provided for individually licensed users in an organization. Contractors can use it to help protect work files and access them across multiple devices. OneDrive lets you share files and collaborate on documents, and sync files to your computer.
For more on OneDrive in GCC High, you can read the Microsoft article here.
Microsoft Teams for US Government
Microsoft Teams is the hub for teamwork in Microsoft 365. The Teams service enables instant messaging, audio and video calling, rich online meetings, mobile experiences, and extensive web conferencing capabilities. In addition, Teams provides file and data collaboration and extensibility features and integrates with Microsoft 365 and other Microsoft and partner apps. You can find more about Teams in GCC High in this blog.
Microsoft Planner for US Government
Microsoft Planner comes with some versions of Microsoft 365 US Government. You can use Microsoft Planner to organize data for your environment or collaborate with teams for managing complex Project Management workloads. Find out what features are included in the government plans, and which aren't available in this blog.
Microsoft Forms for US Government
Microsoft Forms does not allow external sharing in GCC High and DoD environments. People only within your organization may do the following:
- Complete a form and submit responses
- Duplicate and share a form as a template
- Co-author or collaborate on a form
- Access form results
There are a few more limitations with Microsoft Forms in GCC High that can be found here.
How Much Does GCC High Cost?
Microsoft 365 GCC High pricing is higher than GCC and the Commercial version of M365 for several reasons:
- Stored in a government data center built specifically for Azure Government, M365 GCC High, and M365 DoD.
- GCC High runs on dedicated U.S. infrastructure and U.S. support personnel, which are more expensive to maintain.
- Export Controlled Data (ITAR Support)
- Meets DFARS 7012 C-G requirements
- Compliant with CMMC and NIST 800-171
How Do You Obtain Licenses?
Access to the Microsoft Government community is limited to organizations which meet one of the following eligibility criteria:
- A federal agency, defined as a bureau, office, agency, department, or other entity of the U.S. Government
- A U.S. state/local government entity
- Federally recognized tribal entities
- Any commercial private entity with data subject to government regulations
Once an organization determines it fits into one of the eligible categories, it will need to complete the eligibility validation application. After receiving validation, the organization will need to work with the Microsoft sales team directly or find a qualified partner who can distribute the required licensing. For organizations needing greater than 500 licenses, a licensing solution provider (LSP) will be required to obtain licensing in bulk quantities. In scenarios where less than 500 licenses are needed, AOS-G partners like Summit 7 can satisfy your licensing requirements.
To help organizations in their acquisition process, Summit 7 has produced a video with step-by-step guidance to acquiring Microsoft Government licensing.