Understanding GCC High and GCC: An Overview of Microsoft Government Cloud Services
The Microsoft Government Cloud, containing both GCC (Government Community Cloud) and GCC High, provides secure cloud environments tailored for U.S. government agencies, contractors, and organizations handling sensitive data.
This overview aims to understand GCC High and GCC, highlighting their unique features, capabilities, and advantages. By delving into the intricacies of these government cloud services, we aim to reveal how Microsoft has successfully integrated advanced technology with the public sector’s stringent requirements.
What is Microsoft 365 GCC High?
Microsoft 365 GCC High is a specialized cloud service tailored to meet the needs of U.S. government agencies, defense contractors, and organizations handling sensitive government data. It is designed to comply with controlled unclassified information (CUI) and International Traffic in Arms Regulations (ITAR) requirements.
GCC High is hosted in dedicated U.S. data centers, offering enhanced security and compliance features. It adheres to strict government-specific regulations, providing advanced threat protection, data loss prevention, and stringent access controls. The GCC High environment is primarily intended for organizations directly involved with the U.S. Department of Defense (DoD) or those managing sensitive government data classified under CUI or ITAR.
Microsoft also offers the Government Community Cloud (GCC) environment for organizations that work with the U.S. government but do not require the same level of compliance as GCC High, thus ensuring a suitable cloud solution for various security and compliance needs.
Who needs GCC High, and who is eligible for it?
GCC High is designed for organizations that require a higher level of security and compliance to handle sensitive data associated with the U.S. government. Organizations that typically need GCC High include:
- U.S. Department of Defense (DoD) contractors
- Organizations handling Controlled Unclassified Information (CUI)
- Companies subject to International Traffic in Arms Regulations (ITAR)
- Other organizations that work with sensitive government data or operate under strict regulatory requirements.
Microsoft determines eligibility for GCC High based on an organization’s need to handle CUI, ITAR, or other sensitive government data. To be eligible, an organization must:
- Be located in the United States or be a U.S.-controlled company.
- Have a valid requirement to handle CUI, ITAR, or other sensitive government data.
- Be able to demonstrate compliance with the required security and regulatory standards.
What is Microsoft 365 GCC?
Microsoft 365 GCC (Government Community Cloud) is a cloud-based service offering designed specifically for U.S. federal, state, local, tribal, and territorial government agencies and other organizations working directly or indirectly with the U.S. government.
The GCC environment provides a range of productivity, collaboration, and security tools similar to those offered in the standard Microsoft 365 Commercial environment but with additional security and compliance features tailored to government customers.
The GCC environment is hosted within the United States and adheres to government-specific compliance requirements, including but not limited to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, the Health Insurance Portability and Accountability Act (HIPAA), and the Criminal Justice Information Services (CJIS) Security Policy.
However, GCC is a step down from GCC High in terms of security and compliance features, making it more suitable for organizations that work with the U.S. government but do not require the same level of stringent security controls as those handling Controlled Unclassified Information (CUI) or International Traffic in Arms Regulations (ITAR) data.
Who needs GCC, and who is eligible for it?
Microsoft 365 GCC (Government Community Cloud) is designed for U.S. federal, state, local, tribal, and territorial government agencies and organizations that work with the U.S. government but do not require the stringent security and compliance controls offered by the GCC High environment.
These organizations might handle sensitive government data but not Controlled Unclassified Information (CUI) or data subject to International Traffic in Arms Regulations (ITAR).
Organizations that typically need GCC include:
- Government agencies at various levels (federal, state, local, tribal, and territorial)
- Public educational institutions
- Government-affiliated healthcare organizations
- Nonprofit organizations working with government agencies
- Contractors and suppliers working with government agencies but not handling CUI or ITAR data
To be eligible for GCC, organizations must meet the following criteria:
- Be a U.S. federal, state, local, tribal, or territorial government entity, or an organization working directly or indirectly with the U.S. government.
- Be located in the United States or its territories.
- Not require the enhanced security and compliance controls of GCC High for handling CUI or ITAR data.
Microsoft 365 GCC vs GCC High
|Microsoft 365 GCC
|Microsoft 365 GCC High
|U.S. federal, state, local, tribal, and territorial government agencies, contractors, and organizations working with the U.S. government but not handling CUI or ITAR data
|U.S. Department of Defense contractors, organizations handling CUI or ITAR data, and those requiring strict security and compliance controls
|Hosted within the United States
|Hosted within the United States
|Enhanced security compared to commercial offerings, compliant with government-specific regulations
|Enhanced security beyond GCC, including advanced threat protection, data loss prevention, and stringent access controls
|FedRAMP Moderate baseline, HIPAA, CJIS Security Policy, and other government-specific requirements
|Strict compliance standards for handling CUI and ITAR data, in addition to the requirements met by GCC
|Controlled access for government agencies and eligible organizations
|More stringent access controls compared to GCC, ensuring only authorized personnel and organizations have access
|Similar to commercial Microsoft 365, includes tools like Teams, OneDrive, SharePoint, and more
|Similar to commercial and GCC Microsoft 365, includes tools like Teams, OneDrive, SharePoint, and more
|Must be a U.S. government entity or organization working directly or indirectly with the U.S. government and not require the enhanced security and compliance of GCC High
|Must be a U.S. government entity, contractor, or organization handling CUI or ITAR data and require strict security and compliance controls
Why Should You Move to GCC High as Part of Your CMMC Compliance?
The Cybersecurity Maturity Model Certification (CMMC) is a standardized approach to cybersecurity implementation across the Defense Industrial Base (DIB) in the United States.
The Department of Defense (DoD) has made it mandatory for contractors and subcontractors to achieve a certain level of CMMC compliance to participate in DoD contracts. Moving to GCC High is a strategic decision for organizations seeking CMMC compliance. Here’s why:
GCC High is designed explicitly for organizations handling Controlled Unclassified Information (CUI) and other sensitive government data. It offers a better level of protection than the standard GCC, ensuring the protection of critical information and meeting the stringent requirements of CMMC.
GCC High is tailored for organizations that must meet strict government compliance standards like CMMC, DFARS, ITAR, etc. By opting for GCC High, you are choosing an environment designed with these regulatory requirements in mind, simplifying the compliance process.
GCC High ensures that your data is stored within the United States, a key requirement for many government agencies and contractors. This helps you maintain data sovereignty and comply with regulatory requirements for data residency.
Microsoft’s GCC High environment has a separate infrastructure from their commercial cloud offerings. This ensures that data and services are isolated from non-government entities, further enhancing the security and reliability of the environment.
Access to advanced features
GCC High offers access to the latest Microsoft technologies and features tailored for government use, including Azure Government, Microsoft 365 Government, and Dynamics 365 Government. This allows your organization to use cutting-edge tools and services while complying with CMMC and other regulatory requirements.
How Much Does GCC High Cost?
The cost of Microsoft 365 GCC High varies depending on the specific subscription plan chosen and the number of users within an organization. Multiple plans are available, each offering different features and services tailored to different organizational needs.
As a general guideline, GCC High plans tend to be more expensive than their standard Microsoft 365 Commercial and GCC counterparts due to the enhanced security and compliance features provided. To get accurate pricing information for your organization, it is recommended to contact EPC Group, as they can provide a detailed quote based on your specific requirements and user count.
Remember that pricing may change over time, and additional costs could be associated with add-on services or support. Discussing your organization’s needs with EPC Group is essential to ensure you select the most suitable plan and receive the most accurate pricing information.
Comparing pricing between Microsoft 365 GCC and GCC High can be challenging. The costs for both environments depend on the chosen subscription plan, the number of users, and any additional services or support required. In general, GCC High plans are more expensive than GCC plans due to their enhanced security and compliance features.
How Do You Obtain GCC High Licenses?
Obtaining GCC High licenses requires organizations to follow a structured process.
First, determine if your organization is eligible. To be eligible for GCC High, your organization must be a U.S. Department of Defense (DoD) contractor or handle Controlled Unclassified Information (CUI) or other sensitive data.
The cloud environment is designed to meet strict security and compliance requirements, ensuring that sensitive data is securely stored and transmitted.
Once you’ve confirmed your eligibility, you must contact EPC Group, an authorized Microsoft Licensing Partner, to begin the licensing process. As part of the process, you may be asked to provide documentation proving your organization’s eligibility and its need for the enhanced security features of GCC High.
After successful verification, you can choose the appropriate licenses for your organization and begin migrating your data and applications to the GCC High environment. Remember that you may need assistance from our Microsoft-certified partner or consultant to ensure a smooth and secure migration.
With over 25 years of experience in Information Technology and Management Consulting, Errin O’Connor has led hundreds of large-scale enterprise implementations from Business Intelligence, Power BI, Office 365, SharePoint, Exchange, IT Security, Azure and Hybrid Cloud eﬀorts for over 165 Fortune 500 companies.