
What Is Microsoft 365 GCC High? A Complete Guide for Defense Contractors
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
If you work with the Department of Defense (or are planning to) and handle sensitive data, you've likely encountered the term "GCC High" and you probably have questions. What exactly is GCC High? Is it different from regular Microsoft 365? And do you actually need it for CMMC compliance?
Keep reading for answers. We'll cover what GCC High actually is, who needs it, what it costs, and how it relates to CMMC compliance.
Throughout, we've added insights from a recent presentation at the Secureframe National Cybersecurity Summit 2026 from Richard Wakeman, Chief Security Architect for Microsoft's U.S. Aerospace & Defense vertical, who advises defense contractors on exactly these decisions.
What is GCC High?
GCC High is short for Microsoft 365 Government Community Cloud High. It is a specialized version of Microsoft 365 designed to meet the strict compliance requirements of the US Department of Defense and its contractors, including FedRAMP High, DFARS 7012, CMMC, ITAR, and EAR.
First launched in 2016, GCC High was built specifically for the DoD and the Defense Industrial Base (DIB). As a result, it is architected differently from both Microsoft 365 Commercial and Microsoft 365 Government Community Cloud (GCC), an enclave of Commercial designed for US government customers outside the defense sector. Both of those environments run on Microsoft Azure Commercial, which was not built for government requirements.
GCC High, however, runs on Microsoft Azure Government, a physically separated cloud infrastructure hosted in data centers located exclusively in the continental United States. All data is stored on US soil, and preconfigured controls restrict access to screened US citizens who have passed rigorous background checks.
This makes it suitable for storing Controlled Unclassified Information (CUI), Security Protection Data (SPD), International Traffic in Arms Regulations (ITAR) data, Export Administration Regulations (EAR) data, Covered Defense Information (CDI), and other sensitive government data.
As a result, GCC High is used by federal agencies, the DIB, and other government contractors to support compliance with the widest range of US government requirements, including:
- DFARS 252.204-7012/NIST 800-171
- CMMC (all levels)
- ITAR
- EAR
- CJIS (for federal agencies only)
- North American Electric Reliability Corporation (NERC)
- Federal Energy Regulatory Commission (FERC)

Recommended reading
What You Need to Know About Controlled Unclassified Information (CUI): Categories, Controls, and Compliance
Microsoft 365 Commercial vs. GCC vs. GCC High
This is the most common source of confusion. Microsoft offers three distinct cloud environments, each designed for different data sensitivity levels:
Commercial
Microsoft 365 Commercial is Microsoft’s standard cloud offering for businesses. While it can be used to demonstrate CMMC Level 1 compliance, it was not purpose-built to support US government regulations so it’s not suitable for DFARS 7012 compliance or CMMC Level 2 or Level 3 certification. Commercial tenants are hosted in global Azure data centers and supported by personnel who may be located outside the United States.
GCC
Microsoft 365 GCC is built for US government agencies and regulated entities whose requirements are less strict than the defense regulations, especially state and local governments and federal civilian agencies. It offers improved data residency controls by keeping data within the US, but it still runs on Azure Commercial infrastructure. While GCC can support DFARS 7012 and CMMC Level 2 for CUI Basic, some services may not meet the strict access controls required for export-controlled data, and support staff may include non-US persons.
GCC High
Microsoft 365 GCC High is designed specifically for DIB organizations and federal agencies (cabinet-level departments and components such as the FBI) that handle highly sensitive data. It provides a higher level of assurance by running on Azure Government infrastructure, storing data exclusively in US data centers, and limiting access to screened US citizens. It is the only Microsoft 365 environment available to contractors that meets all of DFARS 7012 paragraphs (c) through (g), ITAR, EAR, and CMMC Level 2 and 3 requirements.
In simple terms: GCC High is the version of Microsoft 365 with the underlying infrastructure, security, data residency, data sovereignty, and personnel controls required by the DoD to safeguard all categories of CUI.
Note that there is also Microsoft 365 DoD, a restricted environment for use by the Department of Defense and authorized entities only that meets DoD SRG Level 5. Microsoft says if you are not in the DoD, don't worry about this cloud tenant so we’ll limit our focus to the three below.
| Microsoft 365 Environment | Best for | Hosted On | FedRAMP Authorization | Compliance Support for Government Regulations | Access Controls |
|---|---|---|---|---|---|
| Commercial | General businesses | Azure Commercial (global data centers) | No | CMMC Level 1 possible but not intended | Global support team; personnel may be outside the US |
| GCC | Federal, state, and local governments and contractors | Azure Commercial (US data centers only) | Moderate (with High equivalency) | DFARS 7012, CMMC Level 1; CMMC Level 2 possible (for CUI Basic) but not recommended | US data centers, but support may include non-US persons |
| GCC High | DIB organizations and federal agencies | Azure Government | High | DFARS 7012, ITAR, EAR, CMMC Levels 1-3 (recommended for Levels 2 and 3) | Data and support restricted to screened US persons in US locations |
Recommended reading
GCC High vs GCC vs Commercial: Which Microsoft 365 Do You Need?
Who needs GCC High?
GCC High is designed for organizations that fall into one or more of these categories:
- Defense contractors handling CUI: If you process, store, or transmit CUI, you likely need GCC High, since it supports all categories of CUI (GCC only supports some types). GCC High is a common choice across the DIB, especially among the larger tier 1 prime contractors.
- ITAR/EAR-regulated organizations: If you handle export-controlled technical data, the data must be stored in environments accessible only by US persons in continental US locations to meet ITAR and EAR requirements. GCC High was built to meet these requirements natively, and it is the only Microsoft 365 environment for which Microsoft contractually commits to supporting export-controlled data.
- Organizations pursuing CMMC Level 2 or 3: While GCC High is not explicitly mandated by CMMC, the practical reality is that most contractors need it, especially if subject to Level 2 requirements or higher. Microsoft explicitly recommends it for CMMC Levels 2 and 3 because it safeguards all categories of CUI and offers built-in support for NIST 800-171 requirements through the cloud-native controls Microsoft provides, reducing the number you must implement through your own configuration, policies, and processes.
- Federal agencies requiring FedRAMP High: Agencies with high-impact data systems that need to demonstrate compliance with FedRAMP High (or Moderate) use GCC High. This includes the US Department of Homeland Security, the Department of Justice, the Department of the Treasury, and the FBI.
- Subcontractors in the defense supply chain: For aerospace and defense manufacturers and other subcontractors in the DIB, DFARS 252.204-7012 and CMMC requirements flow down from primes to your tier. Because Microsoft supports the DFARS 7012 flow-down in GCC High and Azure Government, GCC High inherits some NIST 800-171 requirements automatically, reducing the number you must satisfy through your own configuration, policies, and processes when pursuing DFARS or CMMC Level 2 compliance.

Who does NOT need GCC High:
- Contractors that handle only Federal Contract Information (FCI): CMMC Level 1 does not require GCC High (though it is still recommended)
- Commercial Off-The-Shelf (COTS) suppliers — exempt from CMMC entirely
- Organizations using alternative FedRAMP-authorized platforms (e.g., Google Workspace with Assured Controls, AWS GovCloud with supplemental tools)
Recommended reading
Export Controlled Information: What It Is, How It’s Regulated & How It Relates to CMMC
Do you need GCC High for CMMC?
Technically, no. GCC High is not the only Microsoft cloud offering you could use to meet CMMC requirements.
But this is where it gets nuanced.
While Microsoft 365 Commercial could be used to demonstrate compliance with CMMC Level 1 for FCI, it was not built for US government requirements, so relying on it carries the risk that future regulatory changes leave you non-compliant.
For CMMC Level 2 or higher, we have to look at one of the DFARS clauses that make up the CMMC program.
DFARS 252.204-7012 is the clause that requires contractors to protect Covered Defense Information and was amended and strengthened by the final CMMC 48 CFR rule. This clause states that cloud services must meet "security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline."
A December 2023 DoD memo further clarified that "FedRAMP equivalent" means the cloud service must either:
- Hold a FedRAMP Moderate or High authorization, or
- Be assessed by a FedRAMP-recognized third-party assessment organization confirming all FedRAMP Moderate baseline controls
Since Microsoft 365 Commercial cannot demonstrate FedRAMP Moderate equivalency under either path, the memo effectively eliminated it as a compliant option for storing, processing, or transmitting CUI under DFARS 7012 or CMMC.
Microsoft 365 GCC, however, is FedRAMP Moderate authorized (with High equivalency demonstrated through FedRAMP High impact-level audits) and can technically support DFARS 7012 and CMMC Level 2 under some configurations. But it comes with more limitations and a greater burden of proving compliance.
That's because, unlike GCC High, it does not offer built-in support for certain categories of CUI, including export-controlled data. That means you will need to:
- isolate and implement the necessary data residency and sovereignty controls yourself for the types of CUI protected under ITAR, EAR, and other US defense regulations
- restrict certain services and properly configure your GCC environment so that access to, processing of, and transmission of this data are limited to US persons in the continental US only
This introduces the risk of non-compliance due to foreign access or misconfigured commercial features.
GCC High supports export controlled data natively, with controls in place for restricting sensitive data access, processing, transmission, and storage to only screened US persons and within the continental US. As a result, GCC High is the safest and most straightforward path for organizations that need to comply with CMMC Levels 2 or 3 requirements and is explicitly recommended by Microsoft.
In practice, the choice between GCC and GCC High comes down to one question according to Wakeman: do you ever touch export-controlled data, or plan to?
"About 90% of the customers that I work with go into GCC High versus 10% into GCC, because at some point, either now or in the future, they would have some export-control data,” he said.
Bottom line: You need a cloud environment that’s at least FedRAMP Moderate or equivalent with data residency and sovereignty controls for CUI to comply with CMMC Level 2 or higher. GCC High is the most common choice, but alternatives exist.
Recommended reading
Does CMMC Require GCC High? What Defense Contractors Need to Know
Is GCC High ITAR compliant?
Yes. GCC High was built with ITAR compliance in mind.
It meets all security requirements for protecting export-controlled data under ITAR and EAR, including exclusive US data residency, restricted US personnel access, and physical and logical separation from commercial Microsoft tenants.
If your business involves technical data or defense articles regulated under ITAR, GCC High is likely your only viable Microsoft 365 environment.
What about non-US persons? A common misconception is that using GCC High for ITAR or CMMC Level 2 requires your workforce to be 100% US persons. It doesn't.
Wakeman explained: "You can put your enterprise environment in GCC High and Azure Government and still have non-US persons connecting from non-US locations. It's a shared-responsibility model: it's your responsibility to protect the CUI and ITAR in your tenant. So instead of relying only on the tenant boundary, you're implementing data loss prevention, data protection policies, and Purview sensitivity labels that protect the content itself."
Just like CMMC, ITAR compliance remains a shared responsibility. While GCC High covers Microsoft's infrastructure obligations, your organization must still manage access controls, data classification, and any third-party integrations.
Recommended reading
How ITAR Cybersecurity Requirements Apply to Contractors in the Federal Supply Chain
Recommended reading
CMMC Shared Responsibility Model: You vs. Microsoft vs. Your MSP
What services are included in GCC High?
GCC High supports many of the compliance-enabling tools that DoD contractors need, such as:
- Microsoft Entra ID: Formerly Azure Active Directory, Entra ID provides identity and access management for users, devices, and applications in GCC High. It supports features like Conditional Access, multifactor authentication (MFA), and role-based access control (RBAC), all critical for enforcing zero trust principles and meeting CMMC and NIST identity management requirements.
- Microsoft Intune: Intune enables mobile device management (MDM) and mobile application management (MAM) for government cloud environments. It allows you to securely manage endpoints, enforce configuration baselines, and apply security policies across all devices accessing sensitive data, supporting controls in NIST 800-171 and CMMC related to system configuration and media protection.
- Microsoft Sentinel: Sentinel is a cloud-native security information and event management (SIEM) platform that collects, analyzes, and correlates logs from across your environment—including GCC High workloads. It enables advanced threat detection, incident response, and security analytics aligned with continuous monitoring and audit logging requirements in frameworks like CMMC, DFARS, and FedRAMP.
- Microsoft Purview Information Protection: Allows you to discover, classify, and protect CUI through sensitivity labels and data loss prevention policies. It helps ensure that sensitive data stays within your controlled environment.
- Microsoft Defender for US Government: Provides endpoint and email protection, with features like threat analytics, attack surface reduction, and real-time reporting to support NIST 800-171’s system integrity requirements.
- SharePoint and OneDrive for US Government: Provide secure content management, storage, and collaboration tools, configured to meet FedRAMP High and CMMC data handling standards.
- Microsoft Teams: Enables secure communication and file sharing, though some features available in Commercial tenants like PSTN calling require workarounds in GCC High.

The feature set of Microsoft 365 GCC High is substantial but not identical to Microsoft 365 Commercial. For example, Microsoft Teams PSTN calling plans are not natively supported in GCC High, requiring third-party telephony integrations instead.
There are two reasons a feature may be missing: it is not available yet, or it never will be. New features typically land in the Commercial cloud first and reach GCC High months later because of the required security reviews; Microsoft's documentation flags such features (Microsoft Secure Score, for example) as not yet available in GCC High but coming soon. Other features, such as Shifts for Teams, cannot be offered at all given the certification and accreditation requirements of the GCC High infrastructure.
Certain third-party app integrations may be restricted as well. File sharing in SharePoint and OneDrive is also limited to other GCC High environments and DoD tenants only.
These limitations are intentional, designed to reduce data security risks and preserve compliance with strict government regulations. Still, they can affect your team’s productivity, especially if you collaborate often with organizations outside the defense sector or rely on MS365 plugins that aren’t GCC High-compatible.
Check Microsoft documentation for the most comprehensive breakdown of feature availability for GCC High compared to GCC and Commercial.
How much does GCC High cost?
GCC High pricing varies by license type (G3, G5, etc.) and isn't publicly published by Microsoft, since it's sold through Enterprise Agreements and authorized partners. But you can expect to pay 60–70% more for Microsoft 365 GCC High compared to equivalent Commercial licenses, and 30% more than GCC licenses.
This premium covers the cost of hosting data in dedicated US government data centers, employing screened US support personnel, and maintaining the additional security controls required to meet CMMC, ITAR, and DFARS 7012 compliance. GCC High tenants often also license other cybersecurity and compliance tools like Microsoft Defender, Purview, and Enterprise Mobility + Security (EMS), which adds to the overall cost.
Which license should you buy? The right SKU depends on whether you want Microsoft's security stack natively or plan to fill gaps with third-party tools. Wakeman's field guidance:
- G5 — the "easy button." It includes the holistic security stack, including Defender for Endpoint. The vast majority of DIB primes have moved to G5.
- G3 — viable, but "now you're plugging gaps," substituting third-party products (e.g., CrowdStrike, SentinelOne) where G5 would give you Defender for Endpoint. As Wakeman put it, "It's really impossible to be compliant with CMMC on anything less" than G3.
- F3 — has been popular for frontline/factory-floor workers who only need email.
- G1 — for purely on-prem scenarios (hosting Exchange/SharePoint on-premises). The moment you put content in the cloud and need CMMC Level 2 or higher, you'll move to at least G3.
- Business Premium — New option for small businesses
Microsoft launched GCC High Business Premium in November 2025, offering significant cost savings for small businesses compared to enterprise (G3/G5) licensing. It's available to DIB contractors with 300 employees or fewer (and federal agencies with 500 or fewer, or organizations with an equivalent number of seats in their enclaves). As of early 2026, the Microsoft Defender for GCC-H and Microsoft Purview for GCC-H add-ons are available, which are key for pursuing CMMC Level 2.
According to Wakeman, Business Premium with those add-ons reaches "near parity with a G5 license at about half the cost" (roughly 45%, to be more specific). For smaller component manufacturers and service providers, this is one of the most consequential cost developments in years.
Recommended reading
GCC High Pricing & Licensing Guide [2026]: Per-User Costs Explained
Enclave vs. going all-in: How to scope your GCC High deployment
Once you've decided to use GCC High, your next decision is how much of your organization to put in it. There are two broad approaches, and Wakeman describes most customers evolving from one toward the other over time.
The data enclave (swivel-seat) approach
You stand up a separate, cloud-native carve-out scoped specifically for CUI and CMMC Level 2, while the rest of your organization stays in your existing Commercial environment. Because only the users who actually touch CUI need a GCC High license, the enclave keeps your licensing footprint (and your assessment scope) as small as possible. It has a clean system boundary and can often be deployed quickly from a partner reference architecture.
For the large majority of organizations, this is the starting point and can be the long-term solution. Wakeman estimates roughly nine in ten start here. For any company with a containable population of CUI users, a well-run enclave is the most cost-effective way to get and stay compliant.
There are trade-offs though: users typically "swivel-seat" between two accounts (a commercial .com identity and a government .us identity) often using a virtual desktop. Without proper training and governance, that can introduce both friction and compliance risk.
As Wakeman put it: "A big question to ask is: year one, year two into your data enclave: are people really using it? Users are jockeying between a .com and a .us email address, signing into a separate account, often through a non-persistent virtual desktop where they have to reopen everything each time."
The same swivel-seat setup can create a spillage risk with external personnel: "Even if you instruct your prime contractors to use your .us email address, they inadvertently use your .com and now you've got a spillage into your commercial-side environment."
These are governance and tooling problems, however, not reasons to abandon the model. They're exactly what a well-architected enclave and a capable partner are designed to handle, through clear user separation, conditional access, and DLP policies that keep CUI where it belongs.
Does Microsoft offer reference architecture for enclave setup? Not a do-it-yourself one. As Wakeman explained, "There's nothing published from Microsoft. There are many reference architectures for enclaves, but they're the intellectual property of our partner community. We've got a curated list of a couple dozen partners we work with, including Secureframe."
Microsoft's concern is that a published "formula" would leave organizations thinking deployment alone makes them compliant, when the controls inherited from the platform only get you roughly 75% of the way there. This is why most contractors stand up and manage an enclave with a partner.
Does collaboration between the two pull Commercial into scope? A frequent worry is that bridging a commercial tenant and a GCC High tenant drags the commercial side into your assessment. It doesn't—provided you've controlled the data.
"The short answer is no, as long as you have the right data-protection policies in place,” Wakeman explained. “Follow the CUI: as long as you prevent the exfiltration of CUI from your government environment into the commercial side, the commercial side stays out of scope."
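The data-protection policies Wakeman describes, both for keeping a commercial tenant out of scope and for protecting content rather than relying on the tenant boundary, are built in Microsoft Purview. The script below is an added example, not code from the article, from Microsoft, from Secureframe or from Wakeman: it connects Security & Compliance PowerShell to a GCC High tenant and creates a DLP policy whose rule blocks sharing of CUI-labeled content with anyone outside the organization, which is exactly the .us-to-.com spillage path described above. The sensitivity label name "CUI", the policy and rule names, and the policy-tip text are assumptions; the policy starts in test mode so matches can be reviewed before anything is blocked.

```powershell
# Added example (not Microsoft's, Secureframe's or Wakeman's code): a Purview DLP
# policy that keeps CUI-labeled content from leaving the GCC High tenant.
# Assumptions (not from the article): a sensitivity label named "CUI" is already
# published to users, and the policy starts in test mode so matches can be
# reviewed before it blocks anyone.
#
# GCC High uses the .us Security & Compliance endpoint. A bare Connect-IPPSSession
# targets the commercial cloud and fails against a GCC High tenant.
Connect-IPPSSession `
    -ConnectionUri 'https://ps.compliance.protection.office365.us/powershell-liveid/' `
    -AzureADAuthorizationEndpointUri 'https://login.microsoftonline.us/common'

$policyName = 'CUI - No exfiltration to commercial'

# Scope the policy to every workload in the tenant that can hold or send CUI.
# TestWithNotifications shows policy tips and logs matches without blocking;
# switch to -Mode Enable once the match reports look right.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks CUI-labeled content from being shared outside the GCC High tenant' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications | Out-Null

# Match on the sensitivity label rather than on keywords: the label travels with
# the file, so a mis-addressed .com recipient or an external sharing link is
# caught regardless of what the document happens to contain.
$cuiLabelCondition = @{
    operator = 'And'
    groups   = @(
        @{
            operator = 'Or'
            name     = 'CUI label'
            labels   = @( @{ name = 'CUI'; type = 'Sensitivity' } )   # assumed label name
        }
    )
}

# AccessScope NotInOrganization limits the rule to content shared with or sent to
# people outside the tenant, so internal CUI collaboration is untouched.
New-DlpComplianceRule -Name 'CUI - Block external sharing' -Policy $policyName `
    -ContentContainsSensitiveInformation $cuiLabelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This content is labeled CUI and cannot be shared outside the GCC High tenant.' `
    -GenerateIncidentReport 'SiteAdmin' -IncidentReportContent All | Out-Null

# Confirm the rule is attached to the policy and enabled.
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Disabled, BlockAccess, AccessScope
```

Run it once with the policy in test mode for a week or two, review the DLP match reports in the Purview portal, and only then set the policy to Enable. A rule keyed on a label is only as good as your labeling coverage, so pair it with auto-labeling or a default label on the CUI SharePoint site; unlabeled CUI sails straight past this rule.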
The all-in approach
With the all-in approach, your entire enterprise tenant is GCC High, and any foreign subsidiaries sit in Commercial rather than the other way around. The benefit is a single tenant with one seamless collaboration experience, the highest compliance watermark across the whole organization, and minimal spillage risk because there's no commercial side to leak into.
The catch is cost and effort: every employee needs a GCC High license (which carries a meaningful premium over Commercial), and you take on a full enterprise migration rather than a contained carve-out. For that reason, all-in tends to make sense for organizations where CUI is so pervasive that a clean boundary isn't realistic, or where the overhead of running two environments outweighs the licensing savings of an enclave.
The deciding factor is whether you have a clean line of demarcation between the people who touch CUI and those who don't. As Wakeman, who generally advocates for going all-in, frames it: "If more than 20% of your company is doing defense work, and you don't have a clean line of demarcation between the users who need the government cloud and those who don't, the enclave approach usually doesn't function the way it should, and they end up migrating into GCC High."
Scope can creep, so it's worth sizing your CUI population honestly up front. Wakeman recalled one customer: "One customer started by saying they had four users. A few months later it was 14, then 140. By the time they went all-in, it was 4,000." The takeaway isn't that everyone ends up all-in necessarily. It's that mapping who genuinely needs CUI access before you deploy GCC High prevents surprises either way.
Recommended reading
GCC High Migration Guide: Step-by-Step for Defense Contractors
How to get started with GCC High
Getting into GCC High isn't as simple as upgrading your existing Microsoft 365 subscription. The process involves the following steps:
- Verify eligibility: To start, you need to fill out Microsoft's Government Community Cloud Eligibility Intake form with a CAGE code or documentation proving you handle government-controlled data. Wakeman also explained that "you must have a US person in a US location to contract with Microsoft" for the government clouds. Many customers headquartered abroad hold GCC High tenants, but they transact through a US person in a US location.
- Engage a licensing partner: Work with a Microsoft-authorized government partner (AOS-G) for under 500 seats or a Licensing Solution Provider (LSP) for larger volumes to complete your purchase.
- Procure licenses: Complete purchase to procure new GCC High licenses (your existing commercial licenses don't transfer).
- Provision a new tenant: GCC High requires a completely separate tenant from your Microsoft 365 Commercial or GCC tenant if you have one.
- Migrate data: Email, files, SharePoint sites, and Teams content move to the new environment.
- Configure security: Set up identity management, conditional access, MFA, DLP policies.
- Train users: Train users since the interface differs from Commercial M365 in some areas.
- Renew license annually: GCC High licenses must be purchased on an annual basis (Microsoft does not offer monthly billing or allow mid-term license reductions).
Timeline: Expect 1-6 months from start to full migration, depending on organization size and complexity.
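The "Configure security" step above is where most of the hands-on work sits. The script below is an added example, not code from the article, from Microsoft or from Secureframe: it connects the Microsoft Graph PowerShell SDK to a GCC High tenant and creates the two conditional access policies an enclave typically starts with, one that requires MFA and a compliant device for CUI users everywhere, and one that blocks their sign-ins from outside the United States. The group name "CUI Users", the emergency-access account UPN and the policy names are assumptions; both policies are created in report-only mode so the sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not Microsoft's or Secureframe's code): bootstraps the identity
# controls for a GCC High CUI enclave with the Microsoft Graph PowerShell SDK.
# Assumptions (not from the article): a security group named "CUI Users" and an
# emergency-access account already exist; policies start in report-only mode.
#
# GCC High runs on Azure Government endpoints. A bare Connect-MgGraph targets
# graph.microsoft.com / login.microsoftonline.com and fails against a .us tenant,
# so the national cloud must be named explicitly: USGov = GCC High, USGovDoD = DoD.
Connect-MgGraph -Environment USGov -Scopes @(
    'Policy.ReadWrite.ConditionalAccess',
    'Policy.Read.All',
    'Application.Read.All',
    'Group.Read.All',
    'User.Read.All'
)

$cuiGroup = Get-MgGroup -Filter "displayName eq 'CUI Users'" | Select-Object -First 1
if (-not $cuiGroup) { throw "Create the 'CUI Users' security group before running this script." }

# Always exclude an emergency-access account from block policies, or a bad
# geolocation lookup can lock every administrator out of the tenant.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'emergency-access@contoso.us'"   # assumed UPN
if (-not $breakGlass) { throw 'Emergency-access account not found; refusing to create a block policy without one.' }

# 1. Named location covering the United States only. Unknown/unresolvable
#    countries are treated as outside the US so they cannot slip through.
$usOnly = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'CUI - United States only'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

# 2. Block CUI users signing in from anywhere that is not the US location.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CUI - Block sign-in from outside the US'
    state       = 'enabledForReportingButNotEnforced'   # set to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users        = @{ includeGroups = @($cuiGroup.Id); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($usOnly.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
} | Out-Null

# 3. Require MFA and an Intune-compliant device for CUI users on every app.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CUI - Require MFA and compliant device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($cuiGroup.Id); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
} | Out-Null

# Read back what was written rather than trusting that the calls succeeded.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like 'CUI - *' |
    Select-Object DisplayName, State
```

The report-only state is deliberate: a geolocation block applied to a group that still contains a traveling engineer or a non-US subcontractor (see the shared-responsibility discussion above) will show up in the sign-in logs as "report-only: failure" before it costs anyone access. Note also that a country named location is a coarse control; it supports the US-persons requirement but does not by itself prove who is behind the keyboard.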
Recommended reading
How to Set Up a GCC High Tenant: Step-by-Step Guide
Building a strong infrastructure to protect CUI and other government data
Microsoft 365 GCC High is one of the most secure and compliant environments available to organizations in the DIB, but managing compliance across a federal tech stack still requires significant effort. The path to CMMC certification involves a significant readiness effort and ongoing management, including continuous monitoring, rigorous documentation, and a strong internal security posture.
Secureframe can help on both sides of that effort. As an authorized GCC High seller, Secureframe can license your GCC High environment and, as an end-to-end CMMC solution, it can then help you auto-provision, configure, document, and continuously monitor it for CMMC.
Through its GCC High integration, Secureframe stands up your Microsoft 365 GCC High environment to meet CMMC Level 2 requirements. Once you connect and authorize your tenant, Secureframe automatically provisions the CMMC-compliant configurations on your behalf wherever the GCC High APIs allow, and guides you through the rest. Specifically, it:
- Provisions CUI segregation in SharePoint GCC High: Creates and continuously validates a CUI-designated SharePoint site with the required role groups (Super Admin, IT Admin, CUI User) so CUI stays properly segregated and access-controlled.
- Enforces CMMC technical configurations where APIs allow: Writes settings like MFA, conditional access policies, audit logging, and sharing restrictions for you, rather than asking you to make each change by hand.
- Enforces separation-of-duties rules: Prevents conflicting role assignments (for example, a global admin can't also hold a CUI data access role), which supports the separation of duties CMMC requires.
- Continuously syncs identity data: Pulls users, groups, admin roles, audit logs, and environment configurations from Entra ID in GCC High on an ongoing basis.
- Walks you through manual steps where automation isn't possible: For settings GCC High doesn't expose to APIs (or when there's existing CUI in the tenant), with explicit step-by-step instructions, PowerShell scripts where applicable, and confirmation points before you move on.
- Captures configuration evidence automatically: Feeds enforced configurations into ongoing automated CMMC tests to demonstrate compliance to auditors, and monitoring that those configurations stay enforced over time.
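The separation-of-duties rule above (a Global Administrator must not also hold CUI data access) is straightforward to verify on your own schedule. The script below is an added example, not Secureframe's or Microsoft's code: it pulls the active members of the Global Administrator role and the transitive members of the CUI access group from a GCC High tenant and reports any overlap. The group name "CUI Users" is an assumption, and only active role assignments are checked; PIM-eligible assignments and Exchange/SharePoint-level role groups are out of its view.

```powershell
# Added example (not Secureframe's or Microsoft's code): audits the rule that a
# Global Administrator must not also be a CUI data-access user, and exits non-zero
# when a conflict is found so a scheduled run can raise an alert.
# Assumptions (not from the article): the CUI role group is an Entra security group
# named "CUI Users"; only active (not PIM-eligible) role assignments are examined.
Connect-MgGraph -Environment USGov -Scopes @(   # USGov = GCC High endpoints
    'RoleManagement.Read.Directory',
    'Group.Read.All',
    'User.Read.All'
)

# The Global Administrator role template ID is fixed across all tenants.
# Get-MgDirectoryRole returns only roles that have been activated in the directory.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplateId'"
if (-not $role) { throw 'Global Administrator role is not activated in this tenant; nothing to audit.' }

# Role members can include service principals; keep only user objects.
$adminIds = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { $_.Id }

$cuiGroup = Get-MgGroup -Filter "displayName eq 'CUI Users'" | Select-Object -First 1   # assumed group name
if (-not $cuiGroup) { throw "Security group 'CUI Users' not found." }

# Transitive membership catches users nested through other groups, which a
# direct-membership check would miss.
$cuiIds = Get-MgGroupTransitiveMember -GroupId $cuiGroup.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { $_.Id }

$conflicts = @($adminIds | Where-Object { $cuiIds -contains $_ })

if ($conflicts.Count -eq 0) {
    Write-Output 'OK: no Global Administrator also holds CUI data access.'
    exit 0
}

foreach ($id in $conflicts) {
    $u = Get-MgUser -UserId $id -Property UserPrincipalName, DisplayName
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        Finding           = 'Global Administrator AND member of CUI Users'
    }
}
exit 1
```

Schedule this beside your other continuous-monitoring checks and keep its output as evidence; an assessor will want to see not just that the rule exists but that it is tested and that conflicts are remediated when they appear.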
For least-privilege assurance, Secureframe requests the admin permissions it needs to apply these configurations and then revokes its write access to your tenant once they're in place. Beyond GCC High, the platform also integrates with Azure Government, Entra ID, and AWS GovCloud to simplify compliance with CMMC, DFARS 7012, NIST 800-171, FedRAMP, and more.
With Secureframe, you get more than just an automation tool. You get a partner that helps you operationalize cybersecurity, reduce assessment preparation time by up to 70%, and stay aligned with evolving federal requirements.
Ready to see how Secureframe and GCC High work better together? Schedule a demo to learn how we can help you move faster and stay secure.
This post was originally published in July 2025 and has been updated for accuracy and comprehensiveness
FAQs
What does GCC stand for in Microsoft?
GCC stands for Government Community Cloud. It refers to Microsoft’s secure cloud offerings for US public sector customers, including GCC, GCC High, and DoD environments.
What is Microsoft GCC High?
Microsoft 365 GCC High is a secure cloud environment designed for US federal agencies and defense contractors. It provides advanced compliance and data protection capabilities for handling Controlled Unclassified Information (CUI), ITAR data, and other sensitive government information, and is hosted in US-based Azure Government data centers.
Who uses GCC High?
Typical GCC High users include:
- prime contractors and subcontractors working with the Department of Defense and subject to any CMMC level
- DIB companies that handle CUI and must meet CMMC Level 2 or 3 requirements specifically
- aerospace and defense manufacturers
- organizations that handle export-controlled data under ITAR or EAR
- federal systems integrators and managed service providers that support government clients
Who uses Microsoft GCC?
Microsoft GCC is typically used by US state, local, and federal government agencies, as well as contractors that handle government data but don’t require the stricter access and residency controls of GCC High. It supports compliance with standards like FedRAMP Moderate and CMMC Level 1 (and CMMC Level 2 is possible for CUI Basic).
Is Microsoft GCC High FedRAMP Authorized?
Yes. Microsoft 365 GCC High is FedRAMP High authorized. It meets the stringent security requirements for protecting the government’s most sensitive unclassified data and is hosted within Azure Government infrastructure.
Is GCC High required for CMMC?
No, GCC High is not a formal requirement for CMMC certification. However, it is often the most practical choice for organizations pursuing CMMC Level 2 or 3, especially if they handle export-controlled data or are subject to DFARS 7012 C-G.
Do I need GCC High for CUI?
It depends on the type of CUI you handle. If your CUI is subject to ITAR, EAR, or DFARS 7012 C-G requirements, GCC High is the only Microsoft environment that fully meets those standards. For less sensitive CUI, GCC or Commercial may suffice if properly configured.
Is GCC High the same as Azure Government?
GCC High runs on Azure Government infrastructure, but they're not the same product. Azure Government is the underlying cloud platform. GCC High is the Microsoft 365 productivity suite deployed on that platform.
Can I use both GCC High and commercial M365?
Yes. Many organizations maintain a commercial tenant for non-CUI work and a GCC High tenant for defense work. This is the basis of the "enclave" approach. However, the two are separate tenants with limited cross-tenant collaboration (SharePoint and OneDrive sharing from GCC High, for example, is restricted to other GCC High and DoD tenants), and any bridge between them must be governed by data-protection policies that keep CUI from leaving the GCC High side.
Do all my employees need GCC High licenses?
No. Only employees who process, store, or access CUI need GCC High licenses. This is why the enclave approach can significantly reduce licensing costs.
What happens to my data if I leave GCC High?
Your data can be exported and migrated to another environment. Standard Microsoft data retention and deletion policies apply.
Can Microsoft 365 Commercial ever be used for CMMC Level 2 or higher?
This is a nuance worth clarifying because it trips up a lot of contractors: "Commercial" isn't a single thing. The Microsoft 365 productivity suite in Commercial can't be used to demonstrate CMMC Level 2 or 3, but the underlying Azure platform services can. As Wakeman put it: "While the M365 suite for Commercial is not compliant with CMMC Level 2 or 3, the Azure Commercial set of services are. We have a FedRAMP High provisional authorization for both Azure Commercial and Azure Government." The caveat: not every Commercial service carries a FedRAMP authorization, so each must be cross-referenced in the FedRAMP Marketplace. And Microsoft still advises against putting export-controlled data in Commercial at all.

Emily Bonnie
Senior Content Marketing Manager
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.