Who needs GCC High?

GCC High is designed for organizations that fall into one or more of these categories:

1. Defense contractors handling CUI: If you process, store, or transmit CUI, you likely need GCC High since it is permissible for all categories of CUI (GCC only supports some types). GCC High is a common choice for many in the DIB, especially the larger tier 1 prime contractors.
2. ITAR/EAR-regulated organizations. If you handle export-controlled technical data, the data must be stored in environments accessible only by US persons in continental US locations to meet ITAR and EAR requirements. Since GCC High was built to support this type of data and meet these requirements natively, it is the only environment which Microsoft will commit to export controls.
3. Organizations pursuing CMMC Level 2 or 3: While GCC High is not explicitly mandated by CMMC, the practical reality is that most contractors need it, especially if subject to Level 2 requirements or higher. Microsoft explicitly recommends it for CMMC Levels 2 and 3 since it holistically safeguards all categories of CUI and offers built-in support for NIST 800-171 requirements through underlying Cloud-Native controls provided by Microsoft, reducing the number that must be implemented through your own configuration, policies, and processes.
4. Federal agencies requiring FedRAMP High: Agencies with high-impact data systems that need to demonstrate compliance with FedRAMP High (or Moderate) use GCC High. This includes the US Department of Homeland Security, the Department of Justice, Department of the Treasury, and FBI.
5. Subcontractors in the defense supply chain: For aerospace and defense manufacturers and other subcontractors in the DIB, DFARS 252.204-7012 and CMMC requirements flow down from primes to your tier. Since Microsoft supports a flow-down for DFARs 7012 in GCC High and in Azure Government, GCC High automatically meets some NIST 800-171 requirements, reducing the number of requirements the customer has to meet through their own configuration, policies, and processes when pursuing DFARs or CMMC Level 2 compliance.

Who does NOT need GCC High:

• Contractors that handle only Federal Contract Information (FCI) — CMMC Level 1 does not require GCC High (but is recommended)
• Commercial Off-The-Shelf (COTS) suppliers — exempt from CMMC entirely
• Organizations using alternative FedRAMP-authorized platforms (e.g., Google Workspace with Assured Controls, AWS GovCloud with supplemental tools)

Do you need GCC High for CMMC?

Technically, no. GCC High is not the only Microsoft cloud offering you could use to meet CMMC requirements. 

Microsoft 365 Commercial could be used to demonstrate compliance with CMMC Level 1 for FCI, but this cloud offering is not intended for US government requirements and therefore it is a risk since changes in regulations may lead to non-compliance in the future.

For CMMC Level 2 or higher, this is where it gets nuanced.

DFARS 252.204-7012 is the clause that requires contractors to protect Covered Defense Information and was amended and strengthened by the final CMMC 48 CFR rule. This clause states that cloud services must meet "security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline."

A December 2023 DoD memo further clarified that "FedRAMP equivalent" means the cloud service must either:

1. Hold a FedRAMP Moderate or High authorization, or
2. Be assessed by a FedRAMP-recognized third-party assessment organization confirming all FedRAMP Moderate baseline controls

Since Microsoft 365 Commercial could not sufficiently meet these requirements to demonstrate FedRAMP Moderate equivalency, this memo effectively eliminated it as a compliant option for storing, processing, or transmitting CUI under DFARS 7012 or CMMC. 

Microsoft 365 GCC, however, is FedRAMP Moderate authorized with demonstrated High equivalency through FedRAMP High Impact Level audits, and can technically support DFARS 7012 and CMMC Level 2 under some configurations. But it comes with more limitations and a greater burden of proving compliance.

That’s because it does not offer built-in support for certain categories of CUI, including export controlled data, like GCC High does. That means you’ll

• have to isolate and implement the necessary data residency and sovereignty controls for certain types of CUI that are protected under ITAR, EAR, and other US defense regulations.
• be responsible for ensuring you restrict certain services and properly configure your Microsoft GCC environment to limit the access, processing, and transmission of this data to US persons in the continental US only

This introduces the risk of non-compliance due to foreign access or misconfigured commercial features.

GCC High supports export controlled data natively, with controls in place for restricting sensitive data access, processing, transmission, and storage to only screened US persons and within the continental US. As a result, GCC High is the safest and most straightforward path for organizations that need to comply with CMMC Levels 2 or 3 requirements and is explicitly recommended by Microsoft.

Bottom line: You need a cloud environment that’s at least FedRAMP Moderate or equivalent with data residency and sovereignty controls for CUI to comply with CMMC Level 2 or higher. GCC High is the most common choice, but alternatives exist.

Is GCC High ITAR compliant?

Yes. GCC High was built with ITAR compliance in mind.

It meets all security requirements for protecting export-controlled data under ITAR and EAR, including exclusive US data residency, restricted US personnel access, and physical and logical separation from commercial Microsoft tenants.

If your business involves technical data or defense articles regulated under ITAR, GCC High is likely your only viable Microsoft 365 environment.

Note that ITAR compliance remains a shared responsibility. While GCC High covers Microsoft's infrastructure obligations, your organization must still manage access controls, data classification, and any third-party integrations.

What services are included in GCC High?

GCC High supports many of the compliance-enabling tools that DoD contractors need, such as:

• Microsoft Entra ID: Formerly Azure Active Directory, Entra ID provides identity and access management for users, devices, and applications in GCC High. It supports features like Conditional Access, multifactor authentication (MFA), and role-based access control (RBAC), all critical for enforcing zero trust principles and meeting CMMC and NIST identity management requirements.
• Microsoft Intune: Intune enables mobile device management (MDM) and mobile application management (MAM) for government cloud environments. It allows you to securely manage endpoints, enforce configuration baselines, and apply security policies across all devices accessing sensitive data, supporting controls in NIST 800-171 and CMMC related to system configuration and media protection.
• Microsoft Sentinel: Sentinel is a cloud-native security information and event management (SIEM) platform that collects, analyzes, and correlates logs from across your environment—including GCC High workloads. It enables advanced threat detection, incident response, and security analytics aligned with continuous monitoring and audit logging requirements in frameworks like CMMC, DFARS, and FedRAMP.
• Microsoft Purview Information Protection: Allows you to discover, classify, and protect CUI through sensitivity labels and data loss prevention policies. It helps ensure that sensitive data stays within your controlled environment.
• Microsoft Defender for US Government: Provides endpoint and email protection, with features like threat analytics, attack surface reduction, and real-time reporting to support NIST 800-171’s system integrity requirements.
• SharePoint and OneDrive for US Government: Provide secure content management, storage, and collaboration tools, configured to meet FedRAMP High and CMMC data handling standards.
• Microsoft Teams: Enables secure communication and file sharing, though some features available in Commercial tenants like PSTN calling require workarounds in GCC High.

The feature set of Microsoft 365 GCC High is substantial but not identical to Microsoft 365 Commercial. For example, Microsoft Teams PSTN calling plans are not natively supported in GCC High, requiring third-party telephony integrations instead.

This is for two primary reasons: either the features are not currently available or they may never be. New features typically arrive in the commercial cloud first and roll out to GCC High months later due to the required security reviews. That’s why features like Microsoft Secure Score are noted as not yet available in GCC High, but coming soon in this documentation. However, some features like Shifts for Teams cannot be made available given the increased certification and accreditation of the infrastructure of GCC High.

Certain third-party app integrations may be restricted as well. File sharing in SharePoint and OneDrive is also limited to other GCC High environments and DoD tenants only.

These limitations are intentional, designed to reduce data security risks and preserve compliance with strict government regulations. Still, they can affect your team’s productivity, especially if you collaborate often with organizations outside the defense sector or rely on MS365 plugins that aren’t GCC High-compatible.

Check Microsoft documentation for the most comprehensive breakdown of feature availability for GCC High compared to GCC and Commercial.

How much does GCC High cost?

GCC High ricing varies by license type (G3, G5, etc.) and isn’t publicly published by Microsoft, since it’s sold through Enterprise Agreements and authorized partners. But you can expect to pay 50–70% more for Microsoft 365 GCC High compared to equivalent Commercial or GCC licenses.

This premium covers the cost of hosting data in dedicated US government data centers, employing screened US support personnel, and maintaining the additional security controls required to meet ITAR, DFARS, and CMMC compliance.

GCC High tenants often also license other cybersecurity and compliance tools like Microsoft Defender, Purview, and Enterprise Mobility + Security (EMS), which adds to the overall cost.

New option for small businesses: Microsoft launched GCC High Business Premium in November 2025, offering significant cost savings compared to enterprise licensing. This is a significant development for smaller defense contractors, such as component manufacturers and service providers, that need less than 500 seats and to comply with CMMC requirements.

How to get started with GCC High

Getting into GCC High isn't as simple as upgrading your existing Microsoft 365 subscription. The process involves the following steps:

1. Verify eligibility: You need to submit an eligibility validation request to Microsoft with a CAGE code or documentation proving you handle government-controlled data
2. Engage a licensing partner: You can work with a Microsoft-authorized government partner (AOS-G) for under 500 seats or a Licensing Solution Providers (LSP) for larger volumes to complete your purchase
3. Procure licenses: Complete purchase to procure new GCC High licenses (your existing commercial licenses don't transfer)
4. Provision a new tenant: GCC High requires a completely separate tenant from your Microsoft 365 Commercial or GCC tenant if you have one
5. Migrate data: Email, files, SharePoint sites, and Teams content move to the new environment
6. Configure security: Set up identity management, conditional access, MFA, DLP policies
7. Train users: The interface differs from commercial M365 in some areas
8. Renew license annually: GCC High licenses must be purchased on an annual basis (Microsoft does not offer monthly billing or allow mid-term license reductions)

Timeline: Expect 1-6 months from start to full migration, depending on organization size and complexity.

Building a strong infrastructure to protect CUI and other government data

Microsoft 365 GCC High is one of the most secure and compliant environments available to defense contractors and organizations in the DIB, but managing compliance across a federal tech stack still requires significant effort. From DFARS to CMMC, the path to certification involves continuous monitoring, rigorous documentation, and a strong internal security posture.

Secureframe’s compliance automation platform integrates directly with Microsoft GCC High, Azure Government, Entra ID, and AWS GovCloud to simplify compliance with frameworks like CMMC, DFARS 7012, NIST 800-171, FedRAMP, and more. We automate evidence collection, continuously monitor control performance, and give you full visibility into your compliance posture.

With Secureframe, you get more than just software. You get a partner that helps you operationalize cybersecurity, reduce assessment preparation time by up to 70%, and stay aligned with evolving federal requirements.

Ready to see how Secureframe and GCC High work better together? Schedule a demo to learn how we can help you move faster and stay secure.

This post was originally published in July 2025 and has been updated for accuracy and comprehensiveness