GCC vs. GCC High
In response to our CMMC coverage, we're getting many questions from defense contractors preparing for their CMMC certification. One topic that keeps coming up is Microsoft 365 GCC and GCC High (and whether you need it for CMMC). Here, we look at how GCC compares to GCC High with at-a-glance info regarding your migration to GCC High.
Do You Need GCC High for CMMC?
The short answer is no, not necessarily, but it depends. If that’s not clear enough, let’s put it this way: GCC and GCC High both help the federal government and government contractors meet demanding cybersecurity and compliance requirements. Although GCC High is not a direct requirement for any level of CMMC, exploring the option is highly suggested. Our suggestion is that if you are required to be CMMC Level 3 certified and are managing existing CUI in your cloud infrastructure on a Microsoft platform, you should migrate to GCC High.
So, doesn't it make sense to stay on GCC?
While GCC High is not a direct requirement of CMMC Level 1-3, there are reasons it may still make sense to migrate. GCC High is the most secure and compliant platform currently available to defense contractors.
Once you start aiming for CMMC Level 4-5 certification or handling ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) content, Microsoft officially recommends GCC High as the best option.
GCC and GCC High Costs
One of the biggest concerns about going from GCC to GCC High is the price difference. You should plan for a 25%-45% increase for GCC High over the commercial offerings of Office 365. Sometimes this leads contractors to look for alternate solutions.
Before you go price shopping, consider your requirements and what comes with GCC High to determine whether the price increase is warranted. For starters, GCC High is supported by new U.S. data centers built to FedRAMP High standards, with U.S.-based administrators and all U.S.-based support personnel. Next, you’ll need more licensing to build a fully compliant infrastructure, which costs more. You’ll also pay for the Enterprise Mobility + Security license for your mobile device management, advanced threat protection, and other advanced capabilities like export control data and ITAR support.
Also, consider your reporting requirements. DFAR-7012 paragraphs C through G cover the forensic reporting requirements that dictate what forensic information you need to provide when you suffer a breach. With commercial GCC, Microsoft will explain that they do not provide that level of support. When you move to GCC High, Microsoft becomes your partner in managing the breach and dealing with the government alongside you.
It’s important to note that all the large prime contractors are moving to GCC High too. If your organization hopes to team up or do business with anyone already migrated to GCC High, you'll want to be there too.
Why GCC High Even if You Don't Need It
Today, the benefits of GCC High make a case for migration. For one, all GCC High features must go through the FedRAMP (Federal Risk and Authorization Management Program) process, so you are protected from ever having an issue with exposing CUI data to a non-federal platform. All data centers, communications, and security are managed from within the continental United States, and GCC High comes with full DFARS, ITAR, EAR, CUI specified content support.
With GCC High, you have the foundation for cybersecurity and compliance on a more secure, more exclusive platform, making you a better choice as a teaming partner. Asking the right questions about the data you intend to protect will help you determine whether you need it.
You need GCC High if you have or manage:
- Controlled Unclassified Information (CUI)
- ITAR/EAR data
- Department of Defense Unclassified Controlled Nuclear Information (DOD UCNI)
- Department of Energy Unclassified Controlled Nuclear Information (DOE UCNI)
- Criminal Justice Information (CJI/CJIS)
- Department of Defense, Impact Level 4 or higher (DOD IL)
- North American Electric Reliability Corporation (NERC)
- Covered Defense Information (CDI)
When government organizations and large primes start vetting teaming opportunities, what will they conclude about your security infrastructure if you're on GCC and only meeting the minimum requirement? If you're stacked up next to a contractor with GCC High, will they evaluate you the same?
While GCC, like GCC High, is only available to government and DoD contractors, GCC actually operates as part of the Commercial Cloud, with datacenter locations and support personnel across the globe.
GCC High is not required for any level of CMMC but is great for scalability and expansion since industries and agencies will likely adopt CMMC outside of the defense supply chain.
While Microsoft's official recommendation for DIB organizations planning to meet CMMC Levels 3-5 is to deploy GCC High, our recommendation is that GCC High is critical to defense companies who want to be relevant in the DIB and climb the government contracting ladder.
Let us guide you through the process of securing the option, GCC or GCC High.