Microsoft 365 is a great choice for a powerful, secure cloud collaboration solution that can empower your business to work from anywhere. But with the upcoming rollout of the Cybersecurity Maturity Model Certification (CMMC), which will introduce new compliance requirements for DoD contractors and subcontractors, you may be wondering whether it’s secure enough to pass muster for handling CUI. You may also have heard of another version of Office 365 that’s intended to meet stringent government security requirements, called GCC High.
Since many of our clients rely on Microsoft 365, we are helping them to make sure that their cloud resources are secure and compliant as well.
In this article, you’ll learn what Office 365 GCC High is and how it’s different from other MS365 options. You’ll also learn whether GCC High is a requirement for CMMC certification and what alternatives there are. Finally, we’ll discuss how GCC High pricing compares with other MS365 versions.
WHAT IS MICROSOFT 365 GCC/GCC HIGH?
GCC and GCC High are Microsoft 365 service offerings designed to meet various Federal data security regulations, including CMMC and DFARS 7012. GCC High includes additional controls that make it suitable for protecting export-controlled CUI at CMMC Level 2 or above.
Government Community Cloud (GCC) and GCC High are specific service offerings of Azure cloud services and the Microsoft 365 and Office 365 suite designed to ensure compliance with various federal government information and cybersecurity regulations. They are available to government agencies and private organizations that are required to comply with regulations such as CMMC, FedRAMP High, DFARS 7012, ITAR, or CJIS Policy.
HOW IS MS365 GOVERNMENT DIFFERENT FROM MS365 COMMERCIAL?
The main difference between Office 365 US Government and their commercial offerings is that data for Office 365 Government is segregated from commercial Office 365 data.
Data for GCC is located in a separate “enclave” of the Azure Commercial cloud, while the GCC High and DoD offerings are housed in a completely separate Azure Government environment called the “US Sovereign Cloud”, which is 100% located within the US and is supported only by screened and background-checked US persons.
Most features and services available to commercial MS365 tenants are available to GCC and GCC High, however there are exceptions to some application features that use internet-based services. Additionally, future features may be slower to roll out to Government tenants or not available at all due to compliance issues.
HOW IS MICROSOFT 365 GCC DIFFERENT FROM GCC HIGH?
While both GCC and GCC High are part of MS365 US Government, they are designed to comply with different sets of regulations. This is reflected in which datacenters they use, and which Microsoft personnel can provide support. GCC is built on top of Microsoft’s commercial datacenters and global Azure services.
While the Government “enclave” ensures that GCC data is stored within the continental United States (CONUS), some services available in GCC use data processing that occurs outside the US. Additionally, GCC uses the same global support model as Commercial, meaning that non-US persons will be involved in supporting GCC tenants, and thus could have access to GCC data at times.
In contrast, GCC High was designed for the needs of the Defense Industrial Base (DIB). It uses dedicated datacenters in the continental US and is supported solely by cleared US persons. Unlike GCC, GCC High includes a contractual guarantee that no data will leave the United States and that only US Persons will ever have access to GCC High data.
COMPLIANCE
As of 2021, GCC includes support for DFARS 7012, and can meet the requirements for CMMC certification. However, if you are subject to ITAR or handle controlled defense information (CDI), you will need GCC High to ensure that your information remains in the US and is only accessible by US persons.
Interoperability. In order to maintain compliance, GCC High lacks some of the features and integrations available to commercial and GCC customers. The exact features that are available change often, so it’s best to make use of Microsoft’s official service descriptions. GCC High organizations can share data with other GCC High and DoD tenants, but not with GCC or commercial ones.
Microsoft 365 GCC pricing matches pricing of the Commercial version. Compared to a GCC solution, GCC High can easily be 50% more expensive. As mentioned above, it runs on dedicated US infrastructure and support personnel, both of which are more expensive to maintain. Additionally, organizations that move to GCC High often end up licensing more features, like eDiscovery and Enterprise Mobility and Security, to achieve the higher level of compliance they are seeking.
Purchasing. While commercial and GCC MS365 licenses can be purchased from a number of vendors, GCC High must be purchased directly from Microsoft or a limited number of channels. Organizations must go through a screening process to ensure eligibility, and this has to be renewed each year. Additionally, organizations must pay for a year of GCC High licenses up front — there is no month-to-month option available.
DO I NEED OFFICE 365 GCC HIGH FOR CMMC CERTIFICATION?
The short answer is not necessarily. Since 2021, Microsoft has agreed to include contractual guarantees for DFARS 7012 compliance for FCI and some categories of CUI for GCC tenants. This means that it generally meets the requirements of CMMC Level 1, and it can be configured to meet CMMC Level 2 for protection of CUI.
However, there are a number of services and features included in GCC that do not comply with CMMC Level 2 for protection of CUI. These must be identified and disabled – and monitored so that they stay disabled. And there is always the possibility that a feature or settings change introduced in the future could introduce compliance issues. With GCC High, you’ll have a reasonable expectation that this won’t happen.
As mentioned, GCC High users can only share data and use B2B federation with other GCC High and DoD users and organizations. If you are a prime contractor, or you’re a subcontractor whose prime is on GCC High, it will greatly simplify data sharing if you are also on GCC High.
Finally, GCC High is the only environment with a guarantee that only U.S. citizens will ever have access to your data and that your data will never leave the US. If any data you handle is subject to ITAR, GCC High is really your only option. Even unintentional ITAR violations can and will cost your company in fines and lost contracts.
WILL BUYING GCC HIGH AUTOMATICALLY MAKE US READY FOR CMMC?
Again, the short answer is no. Like any tool, GCC High requires proper setup and ongoing management to ensure compliance with CMMC. But Microsoft can only guarantee that their practices and infrastructure comply with regulations. While GCC High offers some guardrails, it’s not a turnkey solution for CMMC certification. You are still responsible for configuring and operating it in a compliant way.
Microsoft offers several cloud-based security products for GCC High customers that can help your organization comply with CMMC. These include Enterprise Mobility & Security (EMS), Azure Information Protection (AIP), Microsoft Cloud App Server, and Microsoft Defender. These products are also hosted in Azure Government datacenters. Again, with proper configuration, these tools can satisfy a number of CMMC and NIST 800-171 controls.
HOW MUCH DOES MICROSOFT 365 GCC HIGH COST?
GCC High is available as Microsoft 365 F3, E3, and E5 licenses, or Office 365 F3, E1, E3 and E5 licenses. As with MS365 Enterprise offerings, the “Microsoft 365” flavor includes additional security and device management features such as Advanced Threat Protection, as well as a Windows 10 Enterprise license, while the “Office 365” version is limited to the Microsoft Office suite, Exchange Online, and collaboration features. The F1 and F3 licenses do not include the desktop version of Office programs.
As you would expect, there is a premium for GCC High over the commercial versions of Microsoft 365. The price difference includes the additional overhead involved with ensuring compliance with DFARS 7012 and ITAR and maintaining separation between Azure Government and commercial operations.
For Microsoft GCC High licenses, you can expect to pay an average of 50% more than the retail price of the equivalent Enterprise license. F1 and F3 licenses are somewhat less expensive at around 15% more than their commercial counterparts.
IS MS365 GCC HIGH WORTH IT?
This question will need to be considered in the broader context of your business and IT strategy. For many contractors, the increased cost and feature limitations will easily be justified by the compliance features and ability to share data with the DoD and other GCC High organizations. For others, particularly those who do a lower volume of contract work and aren’t subject to ITAR, other options may be more cost-effective overall.