Assurity

Is Microsoft Office 365 GCC High necessary for me?


Microsoft 365 is an excellent option for a strong, secure cloud collaboration solution that allows your company to operate from any location. However, with the forthcoming deployment of the Cybersecurity Maturity Model Certification (CMMC), which will impose additional compliance standards for DoD contractors and subcontractors, you might be asking if it is safe enough to handle CUI. You may also be familiar with GCC High, a version of Office 365 designed to meet strict government security requirements.

We assist our clients in preparing for CMMC certification by doing initial assessments and implementing the 130 practices required for certification. Because many of our clients use Microsoft 365, we assist them in ensuring that their cloud resources are also secure and compatible.

In this article, you will learn about Office 365 GCC High and how it differs from other MS365 alternatives. You will also learn whether GCC High is required for CMMC certification and whether there are any alternatives. Finally, we will compare the pricing of GCC High to that of other Microsoft 365 editions.

Industries served
  • US Government (including DoD)
  • US Gov Prime Contractors
  • US Gov Sub Contractors
Services offered
  • NIST/CUI & CMMC Compliance
  • ITAR Compliance
  • DFARS / FIPS 140-2 Compliance

What Does GCC High Mean in Office 365?

GCC and GCC High are options for Azure cloud services and the Microsoft 365 and Office 365 suite that are meant to ensure compliance with various federal information and cybersecurity standards. They are offered to government and private sector organizations that must adhere to regulations and standards such as CMMC, DFARS 7012, FedRAMP High, CJIS Policy, or ITAR.

What is the difference between MS365 Government & MS365 Commercial?

The key distinction between Microsoft 365 Government and their commercial services is that MS365 Government stores all data in specialized Azure Government datacenters in the United States. Only verified and background-checked Microsoft workers have access to Azure Government data and data centers. These employees do not have automatic access to customer data; they must request it each time.

GCC and GCC High have access to most of the features and services offered to commercial MS365 tenants, except for application functionality that relies on internet-based services. Future features may also take longer to reach Government tenants or may not be provided due to compliance concerns.

Finally, there is a distinction in the purchase procedure. While commercial MS365 licenses are available from various suppliers, MS365 Government can only be acquired directly from Microsoft or through a few channels. To assure eligibility, organizations must go through a screening process, which must be updated every year.

WHAT IS THE DIFFERENCE BETWEEN 365 GCC AND GCC HIGH?

Microsoft will only agree to contractual language involving DFARS 7012 and ITAR compliance for GCC High customers. GCC is intended for criminal justice (FBI) and tax (IRS) data compliance standards, while GCC High is intended for DoD regulations. Although both GCC and GCC High are part of MS365 US Government, they are designed to comply with different sets of regulations.

One major difference is that GCC High users cannot share data with users outside of the GCC High and DoD environments. This means no anonymous/unauthenticated sharing and no B2B federation except with other GCC High organizations. Several other features are either unavailable in GCC High or listed as “coming soon”.

WHAT ABOUT MICROSOFT 365 DOD?

A Microsoft 365 Government tier called DoD is also available, and it is nearly identical to GCC High. The two even share a service description page and are usually mentioned together in documentation. MS365 DoD is not available to contractors, only to the DoD itself. GCC High and DoD meet the same security standards, so data can be shared between tenants of the two environments.

Is Office 365 GCC High Required for CMMC Certification?

No, it’s possible to configure a commercial or GCC MS365 tenant that is compliant with all NIST SP 800-171 controls and certain CMMC levels. However, there are several reasons to consider a move to GCC High as part of your CMMC compliance strategy.

  1. Data Sharing: GCC High users can only share data and use B2B federation with other GCC High and DoD users and organizations. If you are a prime contractor, or a subcontractor, it will simplify data sharing between your organizations.
  2. Ease of Management: Many services and features in commercial MS365 and GCC do not comply with CMMC, NIST 800-171 or DFARS 7012. Those features must be identified and disabled – and monitored so that they stay disabled. There is always the chance that a feature or settings change introduced in the future could introduce compliance issues.
  3. Increased Accountability: Microsoft is able to offer contractual guarantees with GCC High. Their infrastructure meets DoD regulatory requirements and this well-defined accountability is critical when dealing with the complex requirements of CMMC.
  4. Compliance with ITAR and NOFORN: GCC High is the only environment that guarantees only U.S. citizens will have access to your data for any reason. If data you handle is subject to ITAR, GCC High is really your only option. Unintentional ITAR violations can cost fines and lost contracts.

ARE THERE ANY DOWNSIDES TO GCC HIGH?

GCC High has many advantages when seeking CMMC certification, but there are downsides that need to be weighed against the benefits as you determine if GCC High is right for your organization.

  1. Third-Party Integrations: Data sharing is limited. In GCC High, many popular third-party Office 365 tools simply won’t work. Make an inventory of any integrations already in use and plan to migrate away from them before moving to GCC High.
  2. Sharing of Information: If outside sharing or B2B federation is an important part of your workflow, or your business has significant non-DoD contracting, information sharing could be a problem.
  3. Limits of Features: The needs of the non-CUI parts of your business should be taken into account. GCC & GCC High lack some features that are not compatible with CMMC.

DOES GCC HIGH AUTOMATICALLY MAKE US CMMC COMPLIANT?

No. GCC High requires configuration and ongoing management to meet compliance with CMMC. Microsoft only guarantees that their practices and infrastructure are compliant with regulations. GCC High is not a turnkey solution for CMMC certification. You are responsible for using it in a compliant way.

Microsoft offers cloud-based security products for GCC High customers that can help, including Enterprise Mobility & Security (EMS), Azure Information Protection (AIP), Microsoft Cloud App Server, and Microsoft Defender. These products are hosted in Azure Government datacenters and, with proper configuration, can help you implement CMMC and NIST 800-171 controls.

What are the costs of Microsoft 365 GCC & GCC High?

There is a premium for GCC High over the commercial versions of Microsoft 365. The difference covers the additional overhead involved with ensuring compliance with DFARS 7012 and ITAR. Maintaining separation between Azure Government and commercial operations carries an expected service overhead.

You can expect to pay an average of 50% more than the retail price of the equivalent Enterprise license for Microsoft GCC High. F1 and F3 licenses are around 15% more than their commercial counterparts.

IS THE HIGHER COST OF MS365 GCC WORTH IT?

For many contractors, the increased cost and feature limitations will be justified by the compliance features and the ability to share data with the DoD and other GCC High organizations. This will need to be considered in the broader context of your business strategy. For others, such as those who do a lower volume of contract work or who are only targeting a CMMC Level 1 certification, there are other options that may be more cost-effective overall.

Documents
  • NIST Compliance: NIST SP 800-171
  • FIPS Compliance: FIPS Publication 140-2
  • ITAR Compliance: International Traffic in Arms Regulations

How we can help you!

We resell Microsoft Office 365 GCC & GCC High!

Both plans combine best-in-class productivity apps with intelligent cloud services to transform the way you work.

Discover the Microsoft 365 U.S. Government plan that’s right for you

Microsoft 365 Government G3
GCC & GCC High
  • Office Applications
  • Email & Calendar
  • Teams Voice, Video & Meetings
  • Intranet & Storage
  • Basic Threat Protection
  • Cloud Access Security Broker
  • Basic Identity & Access Management
  • Device & App Management
  • Basic information protection
Microsoft 365 Government G5
GCC & GCC High
  • Office Applications
  • Email & Calendar
  • Advanced Voice, Video & Meetings
  • Intranet & Storage
  • Advanced Threat Protection
  • Advanced Identity & Access Management
  • Device & App Management
  • Full Information Protection
  • Advanced Compliance
  • Analytics
Discover more about GCC, GCC High, and Azure for US Government

Azure options for US Government Partners

The broadest range of cloud innovation across US Government data classifications

The broad range of services will meet the demand for greater agility in the classified space, including the need to gain deeper insights from data sourced from any location as well as the need to enable the rapid expansion of remote work. Additionally, mission owners will benefit from greater choice in modernizing legacy systems, with a secure cloud platform that works on open standards and open frameworks with tools that work across a wide range of skill levels, from business analysts to developers to data scientists.

Tom Keane
Corporate Vice President, Azure Global, Microsoft Azure

US Government

CJIS, CNSSI 1253, DFARS, DoD IL2, DoD IL5, DoE 10 CFR Part 810, EAR (US Export Adm. Reg.), FedRAMP, FIPS 140-2, IRS 1075, ITAR, NIST 800-171, NIST CSF, Section 508 VPATS

Microsoft compliance offerings
Microsoft.com
Trust Azure Government GCC High—built for Controlled Unclassified Information (CUI)

Get comprehensive and powerful cloud services built exclusively to support US agencies and partners working with Controlled Unclassified Information (CUI). Developed using the same principles and architecture as Azure commercial clouds, Azure Government GCC High is enhanced for maintaining the security and integrity of CUI workloads while enabling fast access to sensitive, mission-critical information.
