Microsoft 365 GCC vs. GCC High
How do you know which level of GCC is right for you? Here’s key criteria to help you distinguish GCC and GCC High so that your organization makes the move to the right cloud.
Government Community Cloud (GCC)
You can think of GCC as a government version of the Microsoft 365 commercial environment. It resides on the Azure Commercial infrastructure and has many of the same features, but servers must be located in the continental United States (CONUS) as mandated by FedRAMP Moderate. Although the servers are only in CONUS, access to data is available on a global basis. In general, non-defense-related government agencies and contractors can deploy GCC.
It provides Microsoft 365 functionality and requires fewer approvals and background checks. However, GCC deals with Federal Contract Information (FCI) compliance requirements and does not meet requirements for International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR) and most Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI) handling.
What is GCC High?
Moving to GCC High is the better choice to secure the above-mentioned types of government data. GCC High provides security, intelligence, and collaboration capabilities to help protect data, increase efficiencies and enhance communication. If you work with highly sensitive CDI or CUI, then GCC High is the cloud infrastructure that will ensure compliance with regulations like NIST 800-171, FedRAMP High and ITAR. GCC High is technically a copy of the DoD cloud but exists in its own sovereign environment.
GCC High meets the compliance requirements for the following certifications and accreditations:
- Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2
- The Federal Risk and Authorization Management Program at FedRAMP High, including those security controls and control enhancements as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
- The security controls and control enhancements for United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 4 (L4).
Taking the Next Steps
Hopefully this clears up some confusion on the differences between GCC and GCC High. If you’re ready to get started, contact us. Our Government Services Team is ready to walk you through the steps required to meet Microsoft's Cloud Services eligibility