Defense contractors navigating cloud compliance encounter four terms with alarming frequency: FedRAMP, GCC, GCC High, and CMMC. Each one appears in contracts, solicitations, compliance guidance, and vendor marketing. Each one means something specific. And the confusion between them is one of the most common sources of compliance gaps in the Defense Industrial Base.
This post explains exactly what each term means, how they relate to one another, and what the practical compliance implications are for a contractor handling Federal Contract Information or Controlled Unclassified Information.
Editorial note: This post distinguishes between statements sourced directly from official regulatory and government publications and statements that reflect practitioner guidance or industry understanding. Sections are labeled accordingly. Microsoft-specific claims about GCC and GCC High authorization levels and features are sourced from Microsoft’s official compliance documentation, as these facts are not included in DoW regulatory materials. Because cloud provider authorization status can change, contractors should always verify current authorization status through the FedRAMP Marketplace at the time of use, regardless of what any vendor or published article states.
Start With the Foundation: What FedRAMP Is
Sourced from official government documentation. The Federal Risk and Authorization Management Program is a government-wide program that provides a standardized approach to security authorization for cloud service offerings used by federal agencies. It is administered by the General Services Administration and documented at fedramp.gov.
FedRAMP defines three authorization baselines: Low, Moderate, and High. Each baseline is built on the security controls in NIST SP 800-53, with the number and rigor of required controls increasing with each level. A cloud service provider that achieves FedRAMP Moderate authorization has had its security controls independently assessed and has received either a Provisional Authority to Operate from the FedRAMP Joint Authorization Board or an individual agency Authority to Operate.
The FedRAMP Marketplace is the authoritative source for verifying the current authorization status of any cloud service offering. Authorization status should be verified there at the time of use, not assumed based on prior knowledge or vendor claims. If a cloud provider claims FedRAMP authorization, verification starts at the marketplace.
FedRAMP itself is a federal program. It is not a CMMC requirement, a DoW program, or a Microsoft product. It is the baseline framework on which defense cloud compliance requirements are built.
The DFARS Requirement: Why FedRAMP Moderate Matters for Defense Contractors
Sourced from official regulatory text. The connection between FedRAMP and defense contractor cloud use is established by DFARS 252.204-7012, the clause that has appeared in DoW contracts since 2016. The relevant language from the clause is direct: if a contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of a contract, the contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the government for the Federal Risk and Authorization Management Program Moderate baseline.
DFARS 252.204-7012 applies specifically to covered defense information and CUI scenarios. Contractors whose contracts involve only FCI under FAR 52.204-21 are subject to different requirements, and cloud obligations in FCI-only environments depend on the specific contract terms. Contractors should review their specific contract clauses carefully to determine which requirements apply before making cloud platform decisions.
An important distinction from official DoW guidance. The DoW published a FedRAMP Authorization and Equivalency guidance document available at dodcio.defense.gov that clarifies a critical point: FedRAMP Moderate Equivalency is not the same as FedRAMP Moderate Authorization. A cloud service provider can meet the security requirements of the FedRAMP Moderate baseline through equivalency without holding a formal FedRAMP authorization. The DoW guidance states explicitly that equivalency does not confer FedRAMP Moderate Authorization for cloud service offerings that meet the equivalency criteria.
During a CMMC Level 2 certification assessment, a C3PAO will verify that cloud service providers used within the assessment scope meet the applicable requirements. The CMMC Assessment Process (CAP) v2.0 addresses verification of the body of evidence supporting cloud provider compliance as part of the assessment engagement. A contractor that cannot produce documentation demonstrating the FedRAMP authorization status or equivalency of a cloud provider handling CUI within the assessment scope may have a finding on that basis.
Customer Responsibility Matrices and Inherited Controls
Practitioner guidance informed by CMMC assessment practices. When a contractor uses a cloud service provider within its CMMC Assessment Scope, certain security controls may be inherited from the provider rather than implemented directly by the contractor. The mechanism for documenting this is the Customer Responsibility Matrix (CRM), which cloud service providers typically publish alongside their FedRAMP authorization package.
A CRM identifies which security controls the cloud provider implements on behalf of the customer, which controls are shared between the provider and the customer, and which controls remain the customer’s sole responsibility. During a CMMC Level 2 certification assessment, a C3PAO will examine how inherited controls are documented in the contractor’s System Security Plan and whether the contractor can demonstrate that controls listed as provider-managed are in fact implemented and operational within the assessed environment.
Contractors using cloud environments within their CMMC Assessment Scope should obtain the applicable CRM from their cloud provider, review it against the 110 security requirements in NIST SP 800-171 Revision 2, and document inherited controls clearly in their SSP before a C3PAO engagement begins. Controls that appear inherited in the CRM but cannot be verified through the body of evidence during assessment will not be credited as MET. The DoW CIO CMMC Scoping Guide Level 2 and the DoW CIO CMMC Assessment Guide Level 2 are the authoritative references for how cloud provider controls are treated within the assessment scope.
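As an added example (not from this post, and not any provider's CRM), the following Python cross-checks a CRM against the inheritance claims in an SSP the way the paragraph above describes: it flags controls claimed as inherited that the CRM assigns to the customer or marks shared, inherited controls with no evidence reference, and requirements missing from the SSP. The requirement IDs are a constructed subset of NIST SP 800-171 Revision 2 and the CRM and SSP rows are invented.

```python
"""Reconcile a cloud provider's Customer Responsibility Matrix (CRM) with the
contractor's SSP inheritance claims ahead of a C3PAO engagement.

Added example. REQUIREMENTS is a constructed subset of NIST SP 800-171 Rev 2
IDs; CRM and SSP rows below are invented, not any real provider's CRM."""
from dataclasses import dataclass, field

# Responsibility values a provider typically publishes per control in its CRM.
PROVIDER, SHARED, CUSTOMER = "provider", "shared", "customer"


@dataclass
class SspEntry:
    status: str                       # "inherited", "shared", "implemented", "not_implemented"
    evidence: list[str] = field(default_factory=list)   # artifacts an assessor can examine


def reconcile(requirements, crm, ssp):
    """Return {requirement_id: finding} for every requirement that would not be
    credited as MET on the current body of evidence; clean requirements are omitted."""
    findings = {}
    for req in requirements:
        resp, entry = crm.get(req), ssp.get(req)
        if entry is None:
            findings[req] = "missing from SSP"
        elif entry.status == "inherited" and resp is None:
            findings[req] = "SSP claims inheritance but CRM does not cover this control"
        elif entry.status == "inherited" and resp == CUSTOMER:
            findings[req] = "SSP claims inheritance but CRM assigns control to customer"
        elif entry.status == "inherited" and resp == SHARED:
            findings[req] = "CRM marks control shared; customer portion is undocumented"
        elif entry.status == "not_implemented":
            findings[req] = "not implemented"
        elif not entry.evidence:
            # Applies to inherited, shared and implemented claims alike: a claim with
            # nothing for the assessor to examine is not credited as MET.
            findings[req] = "no evidence reference for the assessor to verify"
    return findings


# Constructed data: 3.12.4 (the SSP itself) is absent from the CRM because the
# provider does not implement it on the customer's behalf.
REQUIREMENTS = ["3.1.1", "3.8.9", "3.12.4", "3.13.11", "3.14.1"]
CRM = {"3.1.1": SHARED, "3.8.9": PROVIDER, "3.13.11": PROVIDER, "3.14.1": SHARED}
SSP = {
    "3.1.1": SspEntry("inherited"),                  # wrong: CRM says shared
    "3.8.9": SspEntry("inherited", ["CRM row 3.8.9", "backup-config-export.json"]),
    "3.12.4": SspEntry("implemented", ["ssp-v3.pdf"]),
    "3.13.11": SspEntry("inherited"),                # inherited, but nothing to examine
    # 3.14.1 has no SSP entry at all
}

if __name__ == "__main__":
    for req, finding in sorted(reconcile(REQUIREMENTS, CRM, SSP).items()):
        print(f"{req}: {finding}")
```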
What GCC Is
Sourced from Microsoft official documentation, not DoW regulatory materials. Authorization status should be independently verified through the FedRAMP Marketplace at the time of use. Government Community Cloud, commonly referred to as GCC, is Microsoft’s cloud environment designed for U.S. federal, state, local, and tribal government entities and their contractors. According to Microsoft’s official compliance documentation, GCC holds a FedRAMP Moderate authorization, with data stored within the United States.
GCC runs on Azure Commercial infrastructure rather than Azure Government infrastructure. According to Microsoft’s GCC High documentation, GCC does not natively support ITAR- or EAR-controlled data in the same way GCC High does, and Microsoft will only agree to ITAR contract language for the GCC High environment.
Practitioner guidance, not a DoW regulatory requirement. The official CMMC and DFARS materials do not designate GCC as appropriate or inappropriate for any specific contractor scenario by name. They require that cloud service providers meet the FedRAMP Moderate baseline requirements for covered defense information under DFARS 252.204-7012 and that CMMC assessment scope be properly defined under 32 CFR § 170.19. Whether GCC meets those requirements for a given contractor depends on the specific data types handled, applicable contract clauses, and CMMC assessment scope. Verify current authorization status through the FedRAMP Marketplace before relying on that status for compliance purposes.
What GCC High Is
Sourced from Microsoft official documentation, not DoW regulatory materials. Authorization status should be independently verified through the FedRAMP Marketplace at the time of use. Government Community Cloud High is Microsoft’s cloud environment built specifically for the Defense Industrial Base and federal agencies handling sensitive defense information. Unlike GCC, GCC High runs on Azure Government infrastructure, which is physically and logically separated from Microsoft’s commercial data centers and from the standard GCC environment.
According to Microsoft’s FedRAMP compliance documentation, the Office 365 GCC High cloud service is designed according to DoW Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base, and government contractors.
According to Microsoft’s DoD IL4 documentation, the DoW Cloud Computing Security Requirements Guide specifies that support personnel having access to IL4 data must be restricted to U.S. citizens, U.S. nationals, or U.S. persons, with no foreign persons permitted access. GCC High is built on Azure Government and is designed to meet this personnel requirement.
According to Microsoft’s ITAR compliance documentation, Microsoft will only agree to ITAR contract language for the GCC High and DoD environments, not for commercial Microsoft 365 or standard GCC environments.
Authorization level claims for GCC High are sourced from Microsoft’s Azure Government compliance documentation. Contractors should independently verify current authorization status through the FedRAMP Marketplace before relying on that status for compliance purposes, as authorization status can change over time.
Practitioner guidance, not a DoW regulatory requirement. The official CMMC and DFARS materials do not mandate GCC High by name. The official requirements focus on protection of CUI, FedRAMP Moderate requirements for cloud service providers handling covered defense information under DFARS 252.204-7012, and meeting CMMC requirements within the defined assessment scope under 32 CFR § 170.19. Whether GCC High is appropriate for a given contractor depends on the contractor’s specific contract obligations, data types, and ITAR requirements. Verify current authorization status through the FedRAMP Marketplace before making cloud platform decisions.

What CMMC Is and How It Relates to the Others
Sourced from official regulatory text. The Cybersecurity Maturity Model Certification program, governed by 32 CFR Part 170 and administered by the DoW CIO, is the DoW’s framework for assessing and certifying that defense contractors have implemented required cybersecurity standards for systems that process, store, or transmit FCI or CUI.
CMMC is not a cloud program. It is a compliance certification program. Its three levels are defined at 32 CFR § 170.14. Level 1 applies to contractors handling FCI and is built around the requirements in FAR 52.204-21. Level 2 applies to contractors handling CUI and is built around the 110 security requirements in NIST SP 800-171 Revision 2. Level 3 applies to contractors on the highest-priority DoW programs and adds selected requirements from NIST SP 800-172. As confirmed in the DoW CMMC FAQ, CMMC assessment requirements address cybersecurity-related risk to FCI and CUI and apply when that information is processed, stored, or transmitted on a contractor-owned information technology system.
FedRAMP, GCC, and GCC High are inputs to CMMC compliance, not substitutes for it. A cloud environment does not write the System Security Plan, does not establish the policies and procedures, does not train the personnel, and does not produce the evidence that an assessor will review during the examination, interview, and test activities described in the DoW CIO CMMC Assessment Guide Level 2. The CMMC certification reflects the compliance posture of the organization. The cloud environment is part of the technical infrastructure that either supports or undermines that posture, but it does not substitute for the full body of evidence and operational implementation the certification requires.

The Relationship Between the Four
Sourced from official regulatory text and official Microsoft documentation as noted. Understanding how these four concepts relate to one another requires seeing them as a layered structure rather than competing alternatives.
FedRAMP is the foundational authorization framework. It defines what security controls a cloud service provider must implement to serve government and defense workloads. The FedRAMP Moderate baseline is the minimum cloud requirement under DFARS 252.204-7012 for any cloud environment handling covered defense information.
GCC is Microsoft’s government-oriented cloud environment. According to Microsoft’s documentation, it holds FedRAMP Moderate authorization and runs on Azure Commercial infrastructure. It does not carry contractual ITAR commitments per Microsoft’s documentation. Verify current authorization status through the FedRAMP Marketplace.
GCC High is Microsoft’s defense-oriented cloud environment. According to Microsoft’s documentation, it is designed to DoW IL4 standards and runs on Azure Government infrastructure with U.S.-persons-only access requirements and contractual ITAR support commitments. Verify current authorization status through the FedRAMP Marketplace.
CMMC is the certification that indicates whether a contractor’s overall security program, including, but not limited to, the cloud environment, meets the requirements of NIST SP 800-171 across the CMMC Assessment Scope defined at 32 CFR § 170.19. It is assessed by an accredited C3PAO and results in a CMMC Status recorded in SPRS.
A Decision Framework: Key Questions Before Choosing a Cloud Environment
Practitioner guidance. The following questions are drawn from official requirements, but their application to specific scenarios is not prescribed by DoW regulatory materials. Contractors should review their specific contract requirements and consult applicable DFARS clauses before making platform decisions.
Does your contract include DFARS 252.204-7012? If yes, any cloud service provider used for covered defense information must meet FedRAMP Moderate requirements or demonstrate equivalency per the DoW FedRAMP Authorization and Equivalency guidance. Verify authorization status through the FedRAMP Marketplace.
Do you handle CUI? If yes, CMMC Level 2 requirements under 32 CFR § 170.17 apply to your contractor-owned systems processing that CUI. The cloud environment you use must be documented in your System Security Plan and evaluated within your CMMC Assessment Scope under 32 CFR § 170.19. Obtain the cloud provider’s Customer Responsibility Matrix and document inherited controls in your SSP before your C3PAO engagement begins.
Do you handle ITAR-controlled technical data? If yes, and you use a Microsoft environment, GCC High is the only Microsoft 365 environment where Microsoft provides contractual ITAR commitments per Microsoft’s ITAR compliance documentation. The ITAR requirement is governed by 22 CFR Parts 120 through 130, not CMMC.
Do you handle only FCI with no CUI? CMMC Level 1 applies under 32 CFR § 170.15. Cloud requirements depend on your specific contract terms and applicable FAR and DFARS clauses. Review your contract carefully before selecting a cloud environment.
Need to verify a cloud provider’s current authorization status? Check the FedRAMP Marketplace directly. Authorization status can change, and vendor claims should always be verified against the marketplace listing at the time of use.
A Critical Distinction: Cloud Compliance Is Not CMMC Certification
This point deserves its own emphasis because it is the most common misconception in this space.
A contractor that moves to any cloud environment, including GCC High, has made a platform decision that may support CMMC Level 2 certification. It has not achieved CMMC Level 2 certification. The certification comes from a C3PAO assessment conducted under 32 CFR § 170.17 and the CMMC Assessment Process (CAP) v2.0. That assessment evaluates the full environment, including technical controls, documented policies, operational procedures, evidence, personnel training, and the System Security Plan that describes how all 110 security requirements in NIST SP 800-171 Revision 2 are implemented across the assessment scope.
Similarly, a FedRAMP Moderate authorization held by a cloud provider satisfies the cloud requirement in DFARS 252.204-7012 for that provider. It does not satisfy the 110 NIST SP 800-171 requirements that CMMC Level 2 demands of the contractor’s own security program. Cloud provider controls may be inherited by the contractor and documented in the SSP using the provider’s Customer Responsibility Matrix, but the contractor remains responsible for demonstrating that all applicable assessment objectives are met across its own environment as evaluated by the C3PAO using the DoW CIO CMMC Assessment Guide Level 2.
Final Thought
FedRAMP, GCC, GCC High, and CMMC are four different things that operate at different layers of the defense contractor compliance landscape. FedRAMP is the government cloud authorization framework. GCC and GCC High are Microsoft cloud environments built on that framework at different levels of rigor and with different compliance commitments per Microsoft’s documentation, verified through the FedRAMP Marketplace. CMMC is the certification program that assesses whether your organization’s security program meets the requirements the DoW demands for protecting FCI and CUI.
Understanding the relationship between them is not an academic exercise. It determines which cloud environment may be appropriate for your workload, what your DFARS obligations require of your cloud provider, how inherited controls must be documented through a Customer Responsibility Matrix, and what a C3PAO will expect to see when they evaluate your environment against the DoW CIO CMMC Level 2 Scoping Guide and the DoW CIO CMMC Assessment Guide Level 2.
Organizations are expected to implement, document, maintain, and demonstrate the required security controls within the defined assessment scope. The applicable requirements, assessment procedures, and scoping guidance are all publicly available through the DoW CIO CMMC Documentation page and the FedRAMP website.
About Brea Networks
Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.