
Does CMMC Require GCC High? What Defense Contractors Need to Know
Emily Bonnie
Senior Content Marketing Manager
Anna Fitzgerald
Senior Content Marketing Manager
If you’re preparing for CMMC, you’ve probably heard some version of this: “You need GCC High.”
Here is the direct answer: CMMC itself does not require GCC High. CMMC is a cybersecurity framework that defines practices and evidence expectations, not specific cloud vendors or environments.
Where GCC High enters the picture is through DoD contract clauses, especially DFARS 252.204-7012, which governs how contractors must protect Controlled Unclassified Information (CUI) and what standards cloud service providers must meet when CUI is stored, processed, or transmitted in the cloud.
So the real question is not whether CMMC requires GCC High. It is whether your contracts and your data require a FedRAMP-authorized cloud environment for CUI, and whether GCC High is the most defensible way to meet that requirement.
Does CMMC require GCC High?
No. CMMC does not explicitly require GCC High. The CMMC 2.0 framework defines security controls and assessment requirements, but it does not mandate any specific cloud platform.
However, many defense contractors still deploy GCC High because DFARS 252.204-7012 requires cloud services that meet the FedRAMP Moderate baseline when handling CUI. GCC High is one of the most common ways organizations satisfy that requirement when using Microsoft tools.
How requirements break down by certification level
For most organizations, the answer depends on what type of information your systems handle.
If you handle only Federal Contract Information (FCI) and are pursuing CMMC Level 1, GCC High is usually unnecessary. Level 1 is based on FAR 52.204-21 and does not introduce a FedRAMP cloud requirement.
If you handle CUI and are pursuing CMMC Level 2, DFARS 252.204-7012 typically applies. That clause introduces the FedRAMP Moderate equivalency requirement for cloud providers handling CUI.
CMMC Level 3 environments add additional controls beyond NIST 800-171 and are usually associated with higher sensitivity programs. In practice, most Level 3 programs operate in GCC High or other government cloud environments, although the framework itself still does not mandate a specific platform.
Where the GCC High requirement comes from
The cloud requirement many contractors encounter comes from DFARS 252.204-7012, a clause included in many Department of Defense contracts involving CUI.
This clause requires contractors to protect covered defense information using safeguards aligned with NIST 800-171. It also includes a requirement for cloud services.
Specifically, if a contractor uses an external cloud service provider to store, process, or transmit covered defense information, that provider must meet security requirements equivalent to the FedRAMP Moderate baseline.
For years, some organizations interpreted “equivalent” loosely and assumed that commercial cloud environments met the intent. That interpretation became harder to defend after a clarification from the DoD.
The 2023 DoD CIO memo that changed the conversation
In December 2023, the DoD Chief Information Officer issued guidance clarifying what FedRAMP equivalency means in practice.
According to the memo, a cloud service provider must either hold a FedRAMP Moderate or High authorization, or be assessed by a FedRAMP-recognized third-party assessment organization (3PAO) confirming that the service meets the full FedRAMP Moderate control baseline.
This clarification removed much of the ambiguity around commercial cloud environments. Standard commercial Microsoft 365 does not hold a FedRAMP authorization and has not been assessed against the FedRAMP Moderate baseline by a 3PAO.
As a result, many contractors concluded that continuing to store or process CUI in commercial Microsoft 365 environments would be difficult to justify under DFARS 252.204-7012.
That is why GCC High became a default recommendation in many CMMC planning discussions: not because CMMC demands it, but because DFARS requires a FedRAMP-aligned cloud for CUI and GCC High provides the most direct Microsoft path.
What this means for CMMC Level 1
CMMC Level 1 applies to organizations that handle Federal Contract Information only, not CUI.
Level 1 requires implementation of 15 basic safeguarding practices derived from FAR 52.204-21. These practices focus on access control, authentication, media protection, and basic system protections.
The Level 1 requirements do not specify a FedRAMP-authorized cloud environment. In most cases, commercial cloud services such as Microsoft 365 or Google Workspace can support Level 1 when configured appropriately.
One caution is worth noting: some contracts that appear to involve only FCI still include DFARS 252.204-7012, and some organizations discover CUI in workflows they initially assumed were FCI-only. Contract review and CUI identification still matter even at Level 1.
When GCC High may be required
GCC High is not universally required, but there are common situations where it becomes the most defensible choice.
Organizations that handle export-controlled technical data governed by ITAR or EAR often need stronger restrictions around who can access data at the platform level. GCC High environments support stricter access controls that many contractors rely on when demonstrating compliance with export regulations.
GCC High is also frequently used when contracts involve higher impact levels or more sensitive defense programs. In these cases, organizations often choose infrastructure that clearly exceeds the minimum FedRAMP Moderate requirement rather than operating close to the threshold.
In other words, GCC High becomes necessary when the type of data involved or the contractual environment requires stronger guarantees than a baseline FedRAMP Moderate environment can comfortably provide.
Can you get CMMC certified without GCC High?
Yes, particularly for CMMC Level 2, as long as the environment protecting CUI meets the contract requirements.
Some organizations use Microsoft GCC, which aligns with the FedRAMP Moderate baseline referenced in DFARS 252.204-7012. Others use alternative FedRAMP-authorized cloud platforms outside the Microsoft ecosystem.
Many contractors also use an enclave architecture, where CUI systems operate inside a dedicated secure environment while the rest of the organization remains on commercial collaboration tools. This can reduce licensing costs and operational disruption but requires strong boundary controls and documentation.
The key point is that avoiding GCC High does not mean using commercial cloud infrastructure for CUI. It means choosing another environment that still satisfies FedRAMP expectations and supports NIST SP 800-171 implementation.
Do you need GCC High? What to figure out first
The fastest way to determine whether GCC High makes sense is to answer two questions.
First, identify whether you handle CUI, where it lives, and which users and systems interact with it.
Second, confirm which contract clauses apply, especially whether DFARS 252.204-7012 is included and whether export-controlled data is involved.
Once those two factors are clear, the cloud architecture decision becomes much easier.
After you choose your cloud architecture
Choosing GCC High, GCC, or another FedRAMP-aligned environment determines where CUI can live. It does not automatically demonstrate compliance.
For CMMC Level 2, organizations still need to implement and document the full set of 110 NIST 800-171 security requirements. That includes producing evidence across areas such as identity controls, logging, incident response, configuration management, and training.
Secureframe Defense helps after the cloud decision is made. It connects to environments such as Microsoft GCC High and GCC to map live configuration to NIST SP 800-171 requirements, automate evidence collection, and keep documentation aligned with your real environment.
If you are evaluating whether GCC High makes sense for your organization’s CMMC path, schedule a demo to see how Secureframe Defense supports both GCC High and alternative architectures.
FAQs
Does CMMC Level 1 require GCC High?
No. CMMC Level 1 covers Federal Contract Information only and does not require government cloud infrastructure. Commercial cloud services can support Level 1 when configured appropriately.
Can I use commercial Microsoft 365 for CMMC Level 2?
Commercial Microsoft 365 is generally not suitable for storing or processing CUI under DFARS 252.204-7012 because it does not hold a FedRAMP authorization. Organizations handling CUI typically use GCC, GCC High, or another FedRAMP-authorized environment.
Is Microsoft GCC enough for CMMC Level 2?
Often yes, for non-export-controlled CUI. Microsoft GCC aligns with the FedRAMP Moderate baseline referenced in DFARS 252.204-7012. Some organizations still choose GCC High because it provides stronger isolation and reduces ambiguity around compliance.
Do subcontractors need GCC High for CMMC?
If CUI flows down to a subcontractor and their contract includes DFARS 252.204-7012, the same cloud requirements apply to them. The clause flows down through the defense supply chain.
What if my company only handles CUI occasionally?
Some organizations isolate CUI systems into a dedicated enclave rather than migrating the entire organization to a government cloud. This limits the number of users and systems that must operate in GCC High or another FedRAMP-aligned environment.

Emily Bonnie
Senior Content Marketing Manager
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Anna Fitzgerald
Senior Content Marketing Manager
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.