GCC High Buyers Guide

If you are a Department of Defense contractor or aspire to become one, you have probably heard about GCC High. But what is it, exactly? How do you go about getting a license?

In this guide, we answer all these questions and more, from a detailed explanation of the basics of GCC High to the licensing strategies you need to be aware of.

What Is GCC High?

GCC High stands for Government Community Cloud High, a version of Microsoft Office 365 designed to meet the compliance and cybersecurity requirements of organizations supporting the U.S. Department of Defense.

At its core, GCC High features the same Office 365 services you’re already familiar with, including file sharing, email, and collaboration through Teams.

The key difference between GCC High and the commercial version of Office 365 is that the infrastructure underlying GCC High is located entirely within the United States and restricted to screened Microsoft personnel who are U.S. citizens. Additionally, GCC High content is logically segregated from customer content in the commercial Office 365 services from Microsoft.

Do I Need GCC High To Comply With CMMC?

For DoD contractors, complying with Cybersecurity Maturity Model Certification (CMMC) standards is crucial. So it comes as no surprise that this is one of the most common questions about GCC High.
The answer is that GCC High is not required to meet CMMC 2.0 at any level. However, the features listed below make GCC High one of the best alternatives for organizations that may hold Controlled Unclassified Information (CUI):

  • Most teams are already familiar with the Microsoft 365 suite, making the transition even easier.
  • Switching between cloud environments requires a full migration, so if you anticipate that you may hold CUI in the future, choosing GCC High can save you a lot of work and headaches.
  • If you hold or expect to hold export-controlled data under ITAR or EAR, you should choose GCC High. The commercial and GCC (not High) versions of Office 365 cannot support export-controlled information.
  • GCC High provides peace of mind, as Microsoft is committed to meeting both the current and future regulatory requirements impacting the Defense Industrial Base as they relate to GCC High.

The table below summarizes the key differences between the commercial version of Microsoft Office 365, Microsoft Office 365 GCC, Microsoft Office 365 GCC High, and Microsoft Office 365 DoD:

| | Microsoft 365 “Commercial” | Microsoft 365 US Government (GCC) | Microsoft 365 Government (GCC High) | Microsoft 365 Government (DoD) |
|---|---|---|---|---|
| Customer eligibility | Any customer | Federal, SLG, Tribes, Eligible Contractors (DIB, FFRDC, UARC) | Federal, Eligible Contractors (DIB, FFRDC, UARC) | DoD only |
| Data center locations | US & OCONUS | CONUS Only | CONUS Only | CONUS Only |
| FedRAMP [1] | High | High | High | High |
| DFARS 252.204-7012 | No | Yes | Yes | Yes |
| FCI + CMMC L1 | Yes | Yes | Yes | Yes |
| CUI/CDI CMMC L2-3 | No | Yes^ | Yes | Yes |
| ITAR/EAR | No | No | Yes | Yes |
| DoD CC SRG Level [2] | N/A | IL2 | IL4 | IL5 |
| NIST SP 800-53/171 [3] | Yes | Yes | Yes | Yes |
| CJIS Agreement | No | State | Federal | No |
| NERC/FERC | No | Yes^ | Yes | Yes |

Customer Support: Worldwide/Commercial personnel; U.S.-based/Restricted personnel
Directory/Network: Azure “Commercial”; Azure Government
U.S. SOVEREIGN CLOUD

[1] Equivalency; supports accreditation at noted impact level
[2] Equivalency; PA issued for DoD only
[3] Organizational Defined Values (ODVs) will vary
^ CUI Specified (e.g. ITAR, Nuclear, etc.) not suitable; requires US sovereignty

SOURCE: Understanding Compliance Between Commercial, Government and DoD Offerings – March 2022 Update


GCC High Licensing: Determining Your Needs

This section of our guide will help you determine your GCC High licensing needs by understanding which features are required to meet your organizational goals.

Keep in mind that only Enterprise licenses are available in GCC High. Business licenses are not available. This means that, for example, you can purchase Microsoft 365 E3 or E5 in GCC High, but not Microsoft 365 Business Premium. Also, note that Office 365 licenses are different from Microsoft 365 licenses.

We know that this may seem complex, but don’t worry. The following questions and the information in the sections below will make things a lot easier.

  • Do you need GCC High for your entire organization or just for team members who interact with CUI? Understanding this will help determine your system boundary.
  • Will you use Microsoft Intune? This cloud-based endpoint management solution is included with Microsoft 365 E3 and E5 or as an Enterprise Mobility and Security add-on.
  • Will you use Azure Virtual Desktop? This is a desktop and app virtualization service that runs on the cloud. Azure Virtual Desktop is included with Microsoft 365 E3 and E5 or as a Windows E3 or E5 add-on.
  • Does your organization already have a FedRAMP-authorized endpoint protection solution, or do you intend to use Microsoft Defender? Organizations that don’t need Microsoft Defender can sometimes save on licensing costs by using Office 365 E3 as a base license with add-on licenses for the other features you need.

Microsoft GCC High Licensing Tips

After getting a clear picture of your GCC High licensing needs, the next step is to identify the license that works for your organization.

As a general rule, we recommend purchasing at least one Microsoft 365 E5 license. This will enable you to use Customer Lockbox and Microsoft Purview Compliance Manager. Customer Lockbox provides support for CMMC practices in the Access Control and Maintenance domains. Microsoft Purview Compliance Manager, for its part, includes access to CMMC assessment templates designed to track required customer actions as well as shared responsibilities.

Below are some common licensing profiles to use as a reference:

  • You need Azure Virtual Desktop (AVD) as well as Microsoft Defender for Endpoint and Microsoft Teams Phone: Microsoft 365 E5
  • You need AVD but not Microsoft Defender for Endpoint or Microsoft Teams Phone: Microsoft 365 E3, Azure Active Directory Premium P2, Microsoft Defender for Office 365 P1
  • You are a user with managed or unmanaged devices who needs Intune: Office 365 E3, Enterprise Mobility + Security E5, Microsoft Defender for Office 365 P1
  • You are looking for the minimum viable licensing package for using GCC High for general productivity, identity/access management, and email security: Office 365 E3, Azure Active Directory Premium P1, Microsoft Defender for Office 365 P1
  • You primarily use Government Furnished Equipment (GFE) or only need access to email: Microsoft 365 F3, Microsoft Defender for Office 365 P1

GCC High Eligibility

Before purchasing a GCC High license, users must go through an application process to demonstrate their eligibility. Two types of entities can purchase GCC licenses:

  • Category 2 entities with an active CAGE code or SAM registration
  • Category 3 entities, which are required to submit a signed contract that states their obligation to protect a regulated data type

Your GCC High eligibility is validated online by the Microsoft US Government Cloud Eligibility Team. If approved, at the end of the process, you will receive an email confirming your eligibility. You will need to show this email to an authorized GCC High reseller in order to purchase your license.

Here’s the GCC High online eligibility validation process step by step:

  • Visit https://azure.microsoft.com/en-us/global-infrastructure/government/request/
  • Fill out the required information
  • In the section “My Organization is,” select “Customers handling government-controlled data”
  • In the section “Are you a Private entity holding any of the following types of data subject to government regulation?” select all the options that apply
  • The Microsoft US Government Cloud Eligibility Team will respond within three to seven business days requesting supporting documents
  • Once your documentation has been sent, and if your application is approved, you will receive an email with your final approval from the Microsoft US Government Cloud Eligibility Team
  • When purchasing your GCC High license, be sure to bring the email with your final approval to an authorized reseller

Does GCC High Make Me Automatically CMMC Compliant?

No, it does not. While purchasing a GCC High license is an important step, you still have work to do toward achieving CMMC compliance.
GCC High is a platform built with CMMC compliance (and other types of compliance) in mind, but it doesn’t make your organization CMMC compliant all by itself. You still need to configure it, deploy it, and manage it according to the specific practices and controls your organization is required to meet.

The good news is that we offer a full range of GCC High services to help you achieve and maintain compliance, including:

  • Assistance with the GCC High eligibility validation process
  • Migration consulting and planning
  • Managed cybersecurity services
  • Unlimited compliance support
  • Compliance management

Get in touch with our team of specialists to get answers to all your questions, and start building a GCC High licensing and implementation strategy today.
