Office 365 Government Plans & Pricing
GCC, GCC High, and DoD cloud solutions for federal, state, and local government agencies. FedRAMP, ITAR, CJIS, and HIPAA compliant.
Microsoft 365 / Office 365 for Government: Plans, Pricing & Compliance
Microsoft 365 Government (formerly Office 365 Government) provides the full suite of Microsoft productivity and collaboration tools within cloud environments purpose-built for US federal, state, local, and tribal government agencies. These government-specific plans are hosted in physically and logically separated datacenters within the United States, operated by screened personnel, and designed to meet the most stringent compliance requirements in the public sector.
Unlike commercial Microsoft 365, government plans are available exclusively to validated government entities and their contractors. Microsoft maintains three distinct government cloud environments — GCC, GCC High, and DoD — each designed for different levels of data sensitivity and compliance requirements. Choosing the right environment is critical, and the decision depends on the type of data you handle, your regulatory obligations, and your relationship with the Department of Defense.
EPC Group has 28+ years of Microsoft consulting experience and has helped government agencies across the federal, state, and local levels migrate to and optimize their Microsoft 365 Government environments. As a Microsoft Solutions Partner, we understand the unique challenges of government cloud adoption, from FedRAMP authorization to CMMC certification support.
Three Government Cloud Environments
Microsoft operates three separate cloud environments for government customers, each with different compliance certifications, data handling requirements, and eligibility criteria.
GCC (Government Community Cloud)
The Government Community Cloud (GCC) is designed for US government entities and contractors who handle Controlled Unclassified Information (CUI). GCC provides the same productivity tools as commercial Microsoft 365 but within an infrastructure that meets government compliance requirements.
Target Audience
Federal, State, Local, Tribal governments and contractors handling non-classified government data
Compliance Certifications
Data Residency
United States (segregated from commercial cloud)
GCC High
GCC High is built for defense contractors and organizations handling export-controlled data under ITAR and EAR regulations. All data is stored in US-based datacenters operated exclusively by screened US persons. This environment meets the strictest requirements short of classified workloads.
Target Audience
Defense contractors, ITAR-regulated organizations, DoD contractors with CUI
Compliance Certifications
Data Residency
United States only (US sovereign cloud, screened personnel)
DoD (Department of Defense)
The DoD environment is reserved exclusively for the US Department of Defense. It provides the highest level of compliance available in the Microsoft 365 ecosystem with dedicated infrastructure that meets DoD Security Requirements Guide (SRG) Impact Levels 4 and 5.
Target Audience
Department of Defense agencies and military branches exclusively
Compliance Certifications
Data Residency
United States only (DoD-exclusive infrastructure)
Office 365 Government Pricing Plans
Microsoft 365 Government is available in three tiers — G1, G3, and G5. Each tier is available for both GCC and GCC High environments, with GCC High carrying a pricing premium due to enhanced security infrastructure. All prices shown are approximate GCC pricing; contact EPC Group for exact quotes based on your agreement type and volume.
Microsoft 365 G1
~$6/user/month
Web and mobile apps with email, cloud storage, and collaboration tools for government workers who do not need desktop Office apps.
Best For: Frontline workers, field employees, kiosk scenarios
Included Features:
- Exchange Online (50 GB mailbox)
- SharePoint Online
- OneDrive for Business (2 TB)
- Microsoft Teams
- Office for the web (Word, Excel, PowerPoint)
- Microsoft Stream & Planner
- Basic security & compliance
Not Included:
- Desktop Office applications
- Advanced compliance tools
- Power BI Pro
- Phone System
Microsoft 365 G3
~$23/user/month
Full desktop Office apps plus advanced security, device management, and compliance tools for government knowledge workers.
Best For: Knowledge workers, department heads, most government employees
Included Features:
- Everything in G1
- Desktop Office apps (Word, Excel, PowerPoint, Outlook, Access)
- Exchange Online (100 GB mailbox)
- OneDrive for Business (5 TB)
- Advanced threat protection
- Data Loss Prevention (DLP)
- Microsoft Intune (device management)
- Windows 10/11 Enterprise
- eDiscovery & legal hold
- Information Rights Management
Not Included:
- Power BI Pro
- Phone System
- Advanced compliance analytics
- Microsoft Defender for Endpoint P2
Microsoft 365 G5
~$38/user/month
The most comprehensive government plan with advanced security, compliance analytics, voice capabilities, and Power BI Pro included.
Best For: Security teams, compliance officers, executives, agencies requiring full protection
Included Features:
- Everything in G3
- Microsoft Defender for Endpoint P2
- Microsoft Defender for Office 365 P2
- Microsoft Defender for Identity
- Phone System & Audio Conferencing
- Power BI Pro included
- Advanced eDiscovery
- Customer Lockbox
- Advanced Compliance analytics
- Insider Risk Management
- Communication Compliance
- Information Barriers
- Privileged Access Management
Note: GCC High pricing is higher than standard GCC pricing due to the enhanced security infrastructure and screening requirements. DoD pricing is available only to Department of Defense entities. Volume licensing, Enterprise Agreements (EA), and Cloud Solution Provider (CSP) agreements may affect final pricing. Contact EPC Group for a detailed government licensing assessment.
GCC vs. GCC High: Which Environment Do You Need?
Choosing between GCC and GCC High is one of the most important decisions in government cloud adoption. The wrong choice can leave you non-compliant or overspending.
| Criteria | GCC | GCC High |
|---|---|---|
| FedRAMP Level | Moderate | High |
| ITAR Support | No | Yes |
| CMMC Support | Level 1 only | Level 2+ |
| Personnel Screening | Standard background checks | US persons only, adjudicated |
| Data Sovereignty | US-based, segregated | US-only sovereign cloud |
| Typical Users | State/local gov, civilian federal | DoD contractors, ITAR orgs |
| Pricing | Standard government pricing | Premium (higher than GCC) |
| Feature Parity | Near-commercial parity | Some features delayed/unavailable |
Choose GCC If:
- You are a federal civilian, state, local, or tribal government agency
- You handle CUI that does not fall under ITAR or EAR
- You need FedRAMP Moderate authorization
- You need CJIS compliance for law enforcement data
- Budget is a primary concern and you do not handle defense data
Choose GCC High If:
- You are a DoD contractor handling CUI on DoD contracts
- You handle ITAR or EAR export-controlled data
- You need CMMC Level 2 or higher certification
- You need FedRAMP High authorization
- DFARS 252.204-7012 is a contractual requirement
Government Compliance Frameworks We Support
EPC Group has deep expertise in configuring Microsoft 365 Government environments to meet the compliance requirements of the most demanding regulatory frameworks in the public sector.
FedRAMP
Federal Risk and Authorization Management Program
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by federal agencies. Microsoft 365 GCC meets FedRAMP Moderate, while GCC High meets FedRAMP High.
ITAR
International Traffic in Arms Regulations
ITAR controls the export and import of defense-related articles and services. GCC High is specifically designed for organizations handling ITAR-controlled data, ensuring all data remains within US borders and is accessible only by US persons.
CJIS
Criminal Justice Information Services
CJIS Security Policy applies to law enforcement, criminal justice agencies, and their contractors. Microsoft 365 GCC provides CJIS-compliant cloud services with appropriate background checks and security controls.
HIPAA / HITECH
Health Insurance Portability and Accountability Act
HIPAA requires safeguards for Protected Health Information (PHI). Microsoft 365 Government plans support HIPAA compliance with Business Associate Agreements (BAAs), encryption, access controls, and audit logging for government healthcare agencies.
CMMC
Cybersecurity Maturity Model Certification
CMMC is required for Defense Industrial Base (DIB) contractors. GCC High supports CMMC Level 2 and higher, providing the technical controls needed for NIST 800-171 compliance and safeguarding Controlled Unclassified Information (CUI).
DFARS 252.204-7012
Defense Federal Acquisition Regulation Supplement
DFARS requires DoD contractors to implement adequate security measures for Covered Defense Information (CDI). GCC High provides the infrastructure controls needed to meet DFARS requirements for cloud-hosted CUI.
EPC Group Government Cloud Consulting Services
From initial assessment through migration, configuration, and ongoing support, EPC Group provides end-to-end Microsoft 365 Government consulting for agencies and contractors at every level of government.
Government Cloud Assessment
Comprehensive evaluation of your current infrastructure, compliance requirements, and readiness for GCC or GCC High migration.
GCC / GCC High Migration
End-to-end migration from on-premises, commercial Microsoft 365, or other platforms to government cloud environments with zero data loss.
Compliance Configuration
Implementation of FedRAMP, ITAR, CJIS, HIPAA, and CMMC security controls, DLP policies, retention labels, and audit logging.
Identity & Access Management
Azure AD / Entra ID configuration with Conditional Access, MFA, PIV/CAC card integration, and zero-trust architecture for government environments.
Security Hardening
Microsoft Defender for Endpoint, Defender for Office 365, advanced threat protection, and incident response procedures for government agencies.
Training & Adoption
End-user training programs, administrator certification support, and change management strategies tailored for government workforces.
Why Government Agencies Choose EPC Group
Government Cloud Migration Process
EPC Group follows a proven methodology for government cloud migrations, refined across hundreds of successful deployments for agencies at every level of government.
Assessment & Planning
We evaluate your current environment, data classification, compliance requirements, and licensing needs. This phase includes eligibility validation for GCC or GCC High, tenant provisioning strategy, and a detailed migration roadmap with timelines and risk mitigation plans.
Identity & Security Configuration
We configure Azure AD / Microsoft Entra ID with government-appropriate Conditional Access policies, multi-factor authentication, PIV/CAC smart card integration (for DoD and federal agencies), and zero-trust security architecture aligned to NIST 800-207.
Data Migration & Validation
We migrate email (Exchange), files (SharePoint/OneDrive), and collaboration tools (Teams) with full audit trails. Every migration batch is validated for completeness and data integrity before cutover. We support hybrid configurations for phased migrations.
Compliance & DLP Configuration
We implement Data Loss Prevention (DLP) policies, sensitivity labels, retention policies, eDiscovery holds, and audit logging configured for your specific compliance framework requirements (FedRAMP, CJIS, ITAR, HIPAA, CMMC).
Training, Adoption & Ongoing Support
We deliver role-based training for end users, administrators, and security teams. Our change management approach ensures high adoption rates. EPC Group offers ongoing managed services and support contracts for government clients who need continued assistance.
Frequently Asked Questions: Office 365 for Government
What is Office 365 GCC and who is it for?
Office 365 GCC (Government Community Cloud) is a Microsoft cloud environment designed specifically for US government agencies at the federal, state, local, and tribal levels, as well as contractors who hold or process government data. GCC provides the same Microsoft 365 productivity tools (Exchange, SharePoint, Teams, Office apps) but hosted in a segregated infrastructure that meets FedRAMP Moderate, CJIS, and IRS 1075 compliance requirements. Organizations must be validated as eligible government entities or contractors to purchase GCC licenses.
What is the difference between GCC and GCC High?
GCC is designed for general government use and meets FedRAMP Moderate standards, while GCC High meets FedRAMP High and is built for organizations handling export-controlled data under ITAR and EAR regulations. Key differences: GCC High data is stored exclusively in US-based datacenters operated by screened US persons only, GCC High supports CMMC Level 2+ and DFARS 252.204-7012 compliance, and GCC High has stricter data sovereignty controls. Defense contractors handling CUI typically require GCC High, while state and local agencies often use standard GCC.
How much does Office 365 for government cost?
Microsoft 365 Government pricing varies by plan: G1 starts at approximately $6/user/month for web and mobile apps, G3 at approximately $23/user/month for full desktop apps plus advanced security, and G5 at approximately $38/user/month for the complete suite with Phone System and Power BI Pro. GCC High plans carry a premium over standard GCC pricing due to the enhanced security infrastructure. Exact pricing depends on your agreement type (EA, CSP, or direct), volume, and contract terms. Contact EPC Group for a customized government pricing quote.
Is Office 365 GCC HIPAA compliant?
Yes, Microsoft 365 Government plans (GCC and GCC High) support HIPAA compliance. Microsoft provides a Business Associate Agreement (BAA) that covers Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. However, HIPAA compliance requires proper configuration including encryption, access controls, audit logging, Data Loss Prevention (DLP) policies, and employee training. EPC Group helps government healthcare agencies implement the technical and administrative safeguards required for HIPAA compliance in the GCC environment.
Can contractors use Office 365 GCC?
Yes, government contractors can use Office 365 GCC if they handle government data subject to compliance requirements. Contractors working with the Department of Defense on contracts involving Controlled Unclassified Information (CUI) typically need GCC High to meet DFARS 252.204-7012 and CMMC requirements. Standard GCC is available to contractors supporting civilian federal, state, or local government agencies. Eligibility must be validated during the procurement process, and EPC Group can assist with eligibility verification and license procurement.
What is the DoD Office 365 environment?
The DoD (Department of Defense) Office 365 environment is a dedicated cloud infrastructure exclusively for the US Department of Defense, including the Army, Navy, Air Force, Marines, Space Force, and related agencies. It meets DoD Security Requirements Guide (SRG) Impact Levels 4 and 5. Unlike GCC and GCC High which are available to various government entities, the DoD environment is strictly limited to DoD organizations. It provides the highest level of security and compliance available in the Microsoft 365 ecosystem.
How long does it take to migrate to Office 365 GCC?
A typical migration to Office 365 GCC takes 4 to 12 weeks depending on organization size and complexity. Key phases include eligibility validation and tenant provisioning (1-2 weeks), identity and access configuration (1-2 weeks), email migration (2-4 weeks for 1,000+ users), SharePoint and OneDrive migration (2-4 weeks), and Teams deployment and training (1-2 weeks). GCC High migrations take longer due to stricter validation requirements. EPC Group provides end-to-end government cloud migration services with minimal disruption to agency operations.
Does EPC Group have experience with government cloud deployments?
Yes, EPC Group has 28+ years of Microsoft ecosystem expertise with extensive government cloud deployment experience. As a Microsoft Solutions Partner, EPC Group has helped federal, state, and local government agencies migrate to GCC and GCC High environments. Our team understands FedRAMP, ITAR, CJIS, HIPAA, and CMMC compliance requirements and provides end-to-end services from assessment and planning through migration, configuration, security hardening, and ongoing support.
What is CMMC and how does it relate to Office 365 GCC High?
CMMC (Cybersecurity Maturity Model Certification) is a framework required for Department of Defense contractors to protect Controlled Unclassified Information (CUI). CMMC Level 2 requires implementation of 110 NIST SP 800-171 security practices. Microsoft 365 GCC High provides the cloud infrastructure controls needed to support CMMC certification, including data encryption, access controls, audit logging, and US-only data residency. However, CMMC certification requires organizational controls beyond just the cloud platform, including policies, training, and physical security measures.
What are the main differences between commercial Office 365 and government plans?
The main differences between commercial Microsoft 365 and government plans include: (1) Data residency - government data is stored in segregated US-based datacenters, (2) Compliance - government plans meet FedRAMP, CJIS, ITAR, and other government-specific certifications, (3) Background checks - personnel operating GCC High infrastructure are screened US persons, (4) Network isolation - government cloud is logically separated from commercial cloud, (5) Feature availability - some commercial features may be delayed or unavailable in government clouds, and (6) Eligibility - only validated government entities and contractors can purchase government plans.
Ready to Move Your Agency to Microsoft 365 Government?
Whether you need GCC, GCC High, or DoD guidance, EPC Group has the compliance expertise and migration experience to get your agency to the government cloud securely and efficiently. Schedule a free government cloud assessment today.