Support: 800-699-0925 Sales: 800-481-1984

SysArc

IT Company

What’s the Difference Between Microsoft 365 GCC and GCC High?

by

What’s the Difference Between Microsoft 365 GCC and GCC High?

Microsoft GCC and GCC High are both more robust and secure versions of the Microsoft 365 commercial platform that is typical in most modern office environments. While GCC and GCC High meet many of the requirements for DFARS 7012 and CMMC, it’s still important to know the differences and what they mean for DoD contractors who are needing to meet compliance regulations. 

The Main Difference: US Sovereign Cloud

The main difference between Microsoft GCC and GCC High is the location of the cloud where data (CUI) is stored. Microsoft GCC High utilizes Microsoft’s US Sovereign Cloud which is located in the United States and can only be accessed by Microsoft personnel who are U.S. citizens with special clearances. On the other hand, GCC utilizes the same cloud as Microsoft Commercial and can be accessed by Microsoft’s worldwide personnel. 

Other Differences

Other differences include:

  • GCC is only compliant up to DoD CC SRG Level IL2 and is not compliant with ITAR
  • GCC High is compliant up to DOD CC SRG Level IL4 and ITAR
  • DoD is compliant up to DoD CC SRG Level IL5 and ITAR

Below is a table showing the differences between the Microsoft platforms:

Microsoft GCC and GCC Compliance Table which shows the compliance regulations that each Microsoft cloud service complies with.

Source: https://techcommunity.microsoft.com/t5/public-sector-blog/understanding-compliance-between-commercial-government-and-dod/ba-p/3258326

About CC SRG Levels

CC SRG stands for Cloud Computing (CC) Security Requirements Guide (SRG). There are currently four Impact Levels (IL) in use for authorization of cloud service offerings (CSO) with the DoD. Each is based on the sensitivity of the information being stored, processed, or transmitted in the CSO. 

Our Advice for DoD Contractors

For DoD contractors that are considering Microsoft’s cloud service offerings for their organization’s DFARS and CMMC compliance needs, we recommend that they choose GCC High if they have or will have ITAR requirements, otherwise they can go with the less expensive GCC solution. Another consideration for larger organizations that may have a subset of personnel handling CUI, they might consider building an “enclave” in GCC/GCC High rather than paying the higher license fees and migration costs for the entire company.  In this scenario, you would need to set up the enclave under a separate domain name.  

Due to our expertise helping hundreds of DIB suppliers with DFARS/CMMC compliance, our team can work with you to understand your unique situation and help you decide on the most cost effective solution while fulfilling the most compliance requirements possible.  

Next steps…

If you are considering implementing Microsoft’s Government Community Cloud (GCC) offerings, and migrating your company’s current data, consider our Microsoft GCC Migration Services. We’ve helped hundreds of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171, 800-53 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their systems to comply with current DFARS 7012 law and prepare for upcoming CMMC audits. We would love to help you too. Give us a call or request a consultation.

  • Contact Us for a Free Cybersecurity Consultation

    Learn how we can protect your company's data and help you become compliant.

    Free Consultation