CMMC

Full GCC High Migration vs. GCCH Enclave: What CMMC Auditors Are Expecting

Blake Bernard
May 13, 2026
Share this post
Yellow text reads FULL GCC HIGH MIGRATION VS. GCCH ENCLAVE on a black background with curved gray lines. A white R3 logo is in the bottom right corner, and the image is bordered in blue.

For defense contractors handling Controlled Unclassified Information (CUI), the choice between a full GCC High migration and a GCC High (GCCH) enclave is less about technology or cost, and more about audit scope. 

The decision shapes what systems fall under a CMMC compliance assessment and how defensible that scope is to an auditor. 

What do CMMC audits focus on?

CMMC Level 2 audits are focused on scope clarity, specifically, which systems store, process, or transmit CUI, and whether those boundaries are clearly defined and enforced. 

What do CMMC auditors look for?

  • Where does CUI live? 
    Is CUI confined to clearly defined systems and locations, or does it move freely across email, Teams, SharePoint, and endpoints? 
  • Who can access it? 
    Can you demonstrate that only authorized users with a defined business need can access CUI, and that this access is enforced consistently? 
  • What is in scope vs. out of scope? 
    Can you clearly show which systems are assessed under CMMC and which are not, with evidence to support those boundaries? 

What is the difference between full GCC High migrations and a GCC High enclave?

A full GCC High environment places the entire organization inside a compliant tenant, making all users and systems in scope. 

A GCC High enclave limits GCC High to a defined subset of users and systems handling CUI. This can reduce audit scope, but it requires tighter governance to clearly defend those boundaries. 

Full GCC High migration and CMMC audit scope

full GCC High migration simplifies audit scope with all users, systems, and data inside a single compliance boundary, making it easier for assessors to evaluate and validate. 

A full GCCH model often results in:

  • Clear, unified scope: There’s less need to justify exclusions or segmented environments. 
  • Reduced dataflow complexity: CUI is already contained within the compliant environment. 
  • A straightforward audit narrative: Controls are applied consistently across the organization. 

The tradeoff: broader scope and higher overhead

The downside is that everything becomes in scope, even if only some users handle CUI. This expands: 

  • The audit surface area 
  • The operational impact on users and workflows 
  • The ongoing effort required to maintain compliance 

When does a full GCC High model make sense?

A full migration is typically more defensible when: 

  • Most users routinely interact with CUI 
  • Simplicity is prioritized over segmentation 
  • Compliance maturity is still developing, and risk tolerance is low 

Is full GCC High migration required for CMMC compliance?

No, both a full GCCH environment and a well-defined GCCH enclave can be acceptable. The deciding factor is scope defensibility during a CMMC compliance assessment, not tenant choice. 

GCCH enclaves can reduce audit scope, but raise the bar for governance

GCCH enclave is designed to limit CMMC scope to a defined subset of users and systems that handle CUI. When done well, this can significantly reduce the audit footprint. 

Do auditors accept a GCC High enclave for CMMC Level 2? 

Yes, if it’s clearly defined and enforced. Auditors accept GCC High enclaves for CMMC Level 2 when CUI boundaries, access controls, and evidence are clear.   

A defensible GGCH enclave includes:

  • Clearly defined CUI boundaries and data handling policies 
  • Strict and consistently enforced access controls 
  • Documented separation between enclave and non-enclave systems 

Where can GCCH enclave design break down?

Enclaves demand stronger governance and documentation than a full GCC High environment. Auditors expect proof that boundaries are actively enforced. 

Common enclave issues include: 

  • Users operating across enclave and commercial environments without separation. 
  • CUI shared outside the enclave through email or collaboration tools. 
  • Inconsistent policy enforcement or monitoring. 
  • Documentation that doesn’t match real-world behavior. 

When boundaries can’t be clearly validated, assessors often expand scope, eliminating the benefit of the enclave altogether.  

Microsoft GCC High helps, but does not equal compliance

A common mistake in CMMC preparation is assuming that moving to Microsoft GCC High, or deploying a GCCH enclave, automatically results in compliance. GCC High is a compliance enabling platform, not a certification.  

What does GCC High provide?

GCC High offers an environment designed to support regulated workloads, including built-in security capabilities and opportunities for control inheritance. This can reduce risk and implementation effort, but it does not remove user responsibility. 

Auditors will still hold you accountable for:

  • Documented policies and procedures 
  • Evidence that controls are enforced in practice 
  • Ongoing monitoring and governance over time 

How to choose the right GCC High strategy

The right choice for a GCC high strategy can evolve with time. Changes in audit scope, contracts, and risk posture may require adjustments in scope decisions over time. 

Some organizations start with a GCCH enclave to limit initial scope, then expand as CUI volume grows. Others begin with a full GCC High migration to simplify early assessments, then introduce segmentation later. 

From an audit perspective, evolution isn’t the risk; failing to reassess is. 

The most defensible CMMC outcomes come from choosing the model you can: 

  • Clearly define and maintain  
  • Govern and enforce consistently 
  • Defend with evidence as your environment changes 

Whether that leads you to a full Microsoft GCC High tenant or a tightly governed GCCH enclave depends less on architecture, and more on what your organization can sustain under audit scrutiny. 

Need a defensible GCC High decision?

R3 works with DIB organizations to pressure test GCC High and enclave decisions before assessments begin. 

Talk to our team today about making a clear and defensible GCCH choice.

Tags
cmmc compliance assessment GCC high GCCH
About the Author

Blake Bernard

More from this Author
Back to Blog
Related Content
See All
Yellow text on a black and blue background reads, Why one-time CMMC compliance is a myth and What continuous compliance looks like. Blue vertical lines and R3 logos are on the right side.
CMMC
Blake BernardJune 25, 2026
Why Onetime CMMC Compliance Is a Myth (And What Continuous Compliance Looks Like)
Yellow text on a black background reads Why ongoing MSP support matters for compliance. Below is a blue and white section with the R3 logo.
CMMC, Managed IT Services
Rob McGowanJune 2, 2026
Why Ongoing MSP Support Matters for CMMC Compliance 
A man with glasses works at a computer in an office. Next to him, bold black text on a bright yellow background reads: The Complete Guide to Managed IT Services. Blue and white stripes line the bottom.
Cloud, Cybersecurity, , , GCC High, IT Strategy, Managed IT Services, Technology, Uncategorized
Kyle McNaneyAugust 6, 2025
The Complete Guide to Managed IT Services
Black background with bold white and blue text in the center reading WHAT IS CMMC? and a small stylized R3 logo in the top right corner. Blue gradient lines appear in the bottom right corner.
CMMC, Governance, Risk & Compliance
Rob McGowanSeptember 5, 2023
What is CMMC?