What’s the Difference Between Microsoft 365 GCC and GCC High?
Microsoft GCC and GCC High are both more robust and secure versions of the Microsoft 365 commercial platform that is typical in most modern office environments. While GCC and GCC High meet many of the requirements for DFARS 7012 and CMMC, it’s still important to know the differences and what they mean for DoD contractors who need to meet compliance regulations.
The Main Difference: US Sovereign Cloud
The main difference between Microsoft GCC and GCC High is the location of the cloud where data (CUI) is stored. Microsoft GCC High uses Microsoft’s US Sovereign Cloud, which is located in the United States and can only be accessed by Microsoft personnel who are U.S. citizens with special clearances. GCC, on the other hand, uses the same cloud as Microsoft Commercial and can be accessed by Microsoft’s worldwide personnel.
Other differences include:
- GCC is only compliant up to DoD CC SRG Level IL2 and is not compliant with ITAR
- GCC High is compliant up to DoD CC SRG Level IL4 and ITAR
- DoD is compliant up to DoD CC SRG Level IL5 and ITAR
Below is a table showing the differences between the Microsoft platforms:
About CC SRG Levels
CC SRG stands for Cloud Computing (CC) Security Requirements Guide (SRG). There are currently four Impact Levels (IL) in use for authorization of cloud service offerings (CSO) with the DoD. Each is based on the sensitivity of the information being stored, processed, or transmitted in the CSO.
Our Advice for DoD Contractors
For DoD contractors considering Microsoft’s cloud service offerings for their organization’s DFARS and CMMC compliance needs, we recommend choosing GCC High if they have or will have ITAR requirements; otherwise, they can go with the less expensive GCC solution. Larger organizations in which only a subset of personnel handles CUI might consider building an “enclave” in GCC/GCC High rather than paying the higher license fees and migration costs for the entire company. In this scenario, you would need to set up the enclave under a separate domain name.
Drawing on our expertise helping hundreds of DIB suppliers with DFARS/CMMC compliance, our team can work with you to understand your unique situation and help you decide on the most cost-effective solution while fulfilling the most compliance requirements possible.
If you are considering implementing Microsoft’s Government Community Cloud (GCC) offerings, and migrating your company’s current data, consider our Microsoft GCC Migration Services. We’ve helped hundreds of DoD contractors throughout the United States over the last several years navigate the complexities of DFARS 7012, NIST 800-171, 800-53 and CMMC. Through our expertise, we’ve been able to save DoD contractors time and money as they update their systems to comply with current DFARS 7012 law and prepare for upcoming CMMC audits. We would love to help you too. Give us a call or request a consultation.