Today more so than ever, government contractors need a cloud solution that meets their growing security and compliance needs. With multiple types of clouds to choose from, however, how can you know which one is right for your business?
In this post, we’ll take a look at the Microsoft cloud solutions, how they’re different, and what’s your best bet when it comes to security and compliance.
What’s the GCC High and How Does It Differ from Other Solutions?
The most common cloud solutions include Microsoft 365 Commercial, Microsoft 365 Government Community Cloud (GCC), and Microsoft 365 GCC High; but how are they different and what does each offer? Let’s take a closer look at each.
Microsoft 365 Commercial
First, let’s talk about Microsoft 365 Commercial, a solution that anyone can use with no validations required. While it can meet compliance and security needs (including those related to HIPAA, GDPR, CCPA, HITech, NIST 800-53, PCI-CSS, and—in some cases—even FedRAMP), it’s not ideal for defense or government compliance because it shares a global infrastructure and workforce.
Microsoft 365 Government Community Cloud (GCC)
While Microsoft 365 Government is basically a government-focused copy of Microsoft 365 Commercial—offering many of the same features—the main difference between the two is that the Government cloud has data centers located only in the continental United States, as mandated by FedRAMP Moderate. Compliance frameworks that can be met in GCC include FedRAMP High, DFARS 252.204-7012, FBI CJIS, and DoD SRG Level 2.
GCC High
GCC High is a copy of Microsoft 365 Department of Defense (DOD), which was built for the Department of Defense only and not for contractors or outside personnel. Because of this, GCC High was created for cleared personnel, agencies, and other DOD contractors. It was developed to ensure compliance with federal regulations and cybersecurity, including CMMC, FedRAMP High, CJIS Policy, ITAR, NIST 800-171, and DFARS 7012.
Cloud Solutions and CMMC
How do all of these cloud solutions relate to CMMC? Microsoft 365 Commercial and Government (GCC) can be configured to meet the vast majority of CMMC’s requirements with native security products and capabilities. But while you may not need GCC High to meet CMMC requirements, you may need it to meet the requirements of your specific CUI and business scenarios. In other words, you may need to move from GCC to GCC High for your organization’s long-term compliance strategy.
Benefits of GCC High
Here are some of the greatest benefits of moving to GCC High:
- Compliance: GCC High is the only cloud solution that guarantees only US citizens will have access to your data; it’s also the only solution you can implement if your organization handles any data subject to ITAR.
- Guarantee: Microsoft offers a contractual guarantee that their infrastructure meets DoD regulatory requirements—something that’s especially important if you need to comply with CMMC.
- Sharing: GCC High makes sharing data with other DoD and GCC High users and organizations simple and secure.
- Management: Unlike GCC High, certain features of Microsoft 365 Commercial and Government (GCC) must be identified, disabled, and monitored so that they remain disabled in order to comply with DFARS 7012, NIST 800-171, and/or CMMC.
GCC High Eligibility & Requirements
How do you know if you need GCC High? While not an exhaustive list of information types that require GCC High, the following types of information—whether you create, manage or hold it—will always require it:
- Specified CUI that requires US Sovereignty (including CUI marked NOFORN, Controlled Defense Information, NASA, and Nuclear Information, FERC/NERC)
- Export Administration Regulations (EAR)
- Criminal Justice Information Systems (Federal)
- International Traffic in Arms Regulations (ITAR)
- Export Controlled CUI
Ultimately, if you’re subject to DFARS clause 7012, you’ll need GCC, and if you have US citizenship requirements, export control, or covered information with sovereignty, you’ll need GCC High. That’s why GCC High is reserved for Federal Agencies, the Defense Industrial Base (DIB), and DoD contractors.
However, if you wish to move to GCC High, you must first receive validation from Microsoft. This process includes a request for validation, providing the appropriate documentation, and the submission of a GCC High licensing request.
How Much Does GCC High Cost?
After completing Microsoft’s screening process to ensure eligibility, you can purchase a GCC High license through select partners, like R3.
Due to the increased security and compliance features—including ensured compliance with ITAR and DFARS 7012 and the separation between commercial operations and Azure Government—there is a premium for GCC High. Expect to pay, on average, 50% more than the retail price of the equivalent Enterprise license.
Work with R3 to Obtain GCC High
After you’ve completed and submitted the form for GCC High and your organization’s eligibility has been validated, you can work with R3 to place an order. As a qualified Microsoft licensing solution provider (LSP), we can transact both GCC and GCC High through Enterprise Agreement (EA) to create the customer price sheet (CPS) for under 500 seats.
Ready to get started? Send us a message today to learn how we can provide the experienced, knowledgeable GCC High support you need.
