If your organization handles federal data in Microsoft 365, you have already encountered a choice that carries real compliance weight: Microsoft Government Community Cloud (GCC) or GCC High. For defense contractors operating under the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) program, selecting the wrong environment is not a configuration error you can patch later. It can disqualify your organization from contract eligibility entirely.
This post breaks down the difference between GCC and GCC High, explains why that distinction matters under the Department of War (DoW) compliance framework, and covers what contractors need to understand before a CMMC assessment puts that decision under a microscope.
What Is GCC?
GCC is Microsoft’s cloud environment built for U.S. federal, state, and local government customers and their contractors. It runs on Microsoft’s commercial infrastructure but applies additional controls to meet Federal Risk and Authorization Management Program (FedRAMP) Moderate requirements.
GCC restricts tenant access to vetted government customers and screens data center personnel for U.S. person status. It enforces data residency within the United States and provides a degree of logical separation from the commercial Microsoft 365 environment. For civilian agency contractors handling lower-sensitivity federal data, GCC can be a compliant choice.
GCC is appropriate for organizations that handle Controlled Unclassified Information (CUI) that does not fall under specific regulatory categories tied to national security systems or ITAR-controlled data. It is a valid environment for many civilian agency contractors.
For DoW contractors, GCC is generally not sufficient.
What Is GCC High?
GCC High is a separate, physically isolated Microsoft 365 environment built specifically to meet the requirements of DoW customers and their supply chain. It is authorized under FedRAMP High and the DoW Cloud Computing Security Requirements Guide (SRG) at Impact Level 4 (IL4) and Impact Level 5 (IL5).
Unlike GCC, GCC High operates on dedicated infrastructure that is physically separated from both commercial Microsoft services and the standard GCC environment. Personnel with access to GCC High data centers are required to be U.S. citizens, not merely U.S. persons, which is a meaningful distinction for programs with personnel security requirements tied to defense contracts.
GCC High is the environment required for organizations that:
- Handle CUI subject to DFARS clause 252.204-7012
- Handle export-controlled data under the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR)
- Are subject to CMMC Level 2 or Level 3 requirements where CUI is processed, stored, or transmitted in a cloud environment
- Support programs that require DoW SRG IL4 or IL5 authorization
Microsoft’s own guidance on GCC High eligibility is available through the Microsoft Government documentation.
Key Differences Between GCC and GCC High
| Feature | GCC | GCC High |
|---|---|---|
| FedRAMP Authorization Level | Moderate | High |
| DoW SRG Impact Level | IL2 | IL4 / IL5 |
| Data center personnel | U.S. persons (screened) | U.S. citizens only |
| Network isolation | Logical separation | Physical separation |
| Suitable for CUI under DFARS 7012 | Generally, no | Yes |
| Suitable for ITAR-controlled data | No | Yes |
| CMMC Level 2 / 3 eligibility | Generally, no | Yes |
| Azure Government integration | Limited | Full |
The distinction in personnel screening is operationally significant. GCC High limits data center access to U.S. citizens, which aligns with the access control requirements imposed on defense programs handling sensitive national security information. For contractors supporting programs with foreign-national exclusion requirements, GCC High is the only Microsoft 365 option that meets the underlying personnel security controls.
It is also worth noting that GCC High integrates with Azure Government, enabling contractors to build compliant workflows that span both cloud productivity tools and infrastructure services without crossing authorization boundaries. GCC does not provide this level of integration with DoW-authorized Azure services.

Why This Matters Under CMMC
The DoW’s CMMC framework, governed by 32 CFR Part 170, requires organizations handling CUI to implement and demonstrate the security controls defined in NIST SP 800-171. When an organization uses a cloud service provider (CSP) to process or store CUI, the CSP must meet the equivalent requirements, or the organization must account for those gaps in its own System Security Plan (SSP).
A cloud environment operating at FedRAMP Moderate, such as GCC, does not satisfy the baseline DoW cloud security requirements for CUI associated with defense contracts. DFARS clause 252.204-7012 specifically requires that cloud services used to process covered defense information meet DoW security requirements, which in practice means IL4 or higher under the DoW SRG.
The DoW’s CMMC guidance and DFARS compliance requirements are published through the DoW CIO office and the Federal Acquisition Regulation system.
Assessors conducting CMMC Level 2 assessments will evaluate whether your Microsoft 365 environment is authorized to host CUI. An organization running on GCC or on standard commercial Microsoft 365 tenants will have findings against multiple NIST SP 800-171 practices, including those in the access control, audit and accountability, configuration management, and system and communications protection domains. These are not minor findings. They represent fundamental gaps in the security boundary that an assessor must document.
The practical impact is significant. A CMMC Level 2 assessment with open findings tied to an unauthorized cloud environment cannot be closed out solely by a Plan of Action and Milestones (POA&M) deferral. Cloud environment authorization is not a compensating control situation. It requires an actual migration to a compliant environment before the findings can be resolved.

Not sure where your organization stands with CMMC, ITAR, or federal cybersecurity requirements? The fastest way to get clarity is to talk with an expert. Book a call with our team to review your current environment, identify compliance risks, and understand what steps are required to move forward. A short conversation can help you avoid costly mistakes and focus on what matters for contract eligibility and security.
Understanding the DoW SRG Impact Levels
The DoW SRG defines a tiered structure for cloud service authorization based on the sensitivity of the information being processed and the potential mission impact of a security incident. Understanding where GCC and GCC High fall within that structure clarifies why the distinction matters for CMMC.
Impact Level 2 (IL2) covers non-controlled public information and low-sensitivity federal data. GCC satisfies IL2. This is adequate for publicly releasable information and general government collaboration that does not involve CUI.
Impact Level 4 (IL4) covers CUI, including the categories most associated with defense contracts: technical data, controlled technical information, export-controlled research, and similar categories. GCC High is authorized at IL4. This is the minimum authorization level required for cloud environments processing CUI under DFARS 252.204-7012.
Impact Level 5 (IL5) covers National Security Systems information and controlled unclassified information that requires a higher degree of protection due to its association with national security. GCC High supports IL5 for certain use cases. DoW’s own internal systems and some contractor environments supporting sensitive programs operate at this level.
The DoW SRG is maintained and published by the Defense Information Systems Agency (DISA). Contractors evaluating cloud options for CUI workloads should use the DISA Cloud Service Support authorization listings to verify current authorization status before committing to an environment.

Common Misconceptions
“We use Microsoft 365 Business Premium, so we are covered.”
Microsoft 365 commercial plans, including Business Premium, E3, and E5, operate on commercial infrastructure. They do not meet the FedRAMP High or DoW SRG IL4 requirements necessary for CUI handling in the defense supply chain. These plans are designed for private-sector enterprises, not for regulated defense environments. The fact that Microsoft is a large, reputable vendor does not change the authorization status of the underlying environment.
“GCC is good enough because we passed a review.”
GCC meets the FedRAMP Moderate baseline, which satisfies civilian agency requirements in some contexts. It does not satisfy DFARS 252.204-7012 or CMMC requirements for CUI in the DoW supply chain. A past compliance review that did not specifically assess cloud environment authorization level against the DoW SRG may not have identified this gap. Internal reviews, self-attestations, and even some third-party assessments have historically missed this issue when the reviewer lacked DoW-specific cloud expertise.
“We do not store CUI in Microsoft 365.”
This requires rigorous verification, not assumption. CUI can enter a Microsoft 365 environment through email attachments, Teams messages, SharePoint document libraries, OneDrive syncs, and OneNote notebooks. If your organization receives contract deliverables, technical data packages, statements of work, contract line-item details, or routine program correspondence tied to defense contracts, CUI may already be present in your tenant. A data flow analysis that maps where CUI enters, moves through, and exits your Microsoft 365 environment is a necessary step before concluding that your current setup is outside scope.
“We can just encrypt the data and use commercial Microsoft 365.”
Encryption addresses confidentiality but does not change the environment’s authorization status. DFARS 252.204-7012 requires that the cloud service itself meet DoW requirements, not merely that data be encrypted within it. Customer-managed encryption keys do not bring a commercial or GCC environment into compliance with the DoW SRG.
Migration Considerations
Moving from a commercial or GCC Microsoft 365 tenant to GCC High is not a simple license upgrade. It requires a full migration, which includes:
- Establishing a new GCC High tenant with appropriate domain verification and eligibility documentation
- Migrating user accounts, mailboxes, SharePoint content, Teams data, and OneDrive libraries
- Reconfiguring third-party integrations for GCC High endpoint compatibility, since many commercial SaaS tools connect to standard Microsoft 365 endpoints that are not accessible from GCC High
- Verifying that connected applications and services are authorized for use in a GCC High environment
- Updating DNS records, email routing, and identity federation configurations
- Retraining end users on any workflow changes resulting from the new environment
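As an added example (not from the original post, and not Microsoft's or Brea Networks' own tooling), a small inventory check of the kind the endpoint-compatibility step above calls for: it classifies each integration's configured URLs by whether they point at commercial Microsoft 365 hostnames or at the GCC High (US Government) hostnames, so connectors that will break at cutover surface early in scoping. The hostnames are Microsoft's publicly documented commercial and US Government service endpoints; the integration inventory is constructed.

```python
from urllib.parse import urlparse

# Commercial Microsoft 365 service hostnames. A GCC High tenant is not reachable
# through these, so any integration pinned to them needs reconfiguration.
COMMERCIAL_SUFFIXES = (
    "login.microsoftonline.com",
    "graph.microsoft.com",
    "outlook.office365.com",
    "outlook.office.com",
    ".sharepoint.com",
)
# GCC High / Azure Government counterparts of the same services.
GCC_HIGH_SUFFIXES = (
    "login.microsoftonline.us",
    "graph.microsoft.us",
    "outlook.office365.us",
    ".sharepoint.us",
)

def classify_endpoint(url: str) -> str:
    """Return 'commercial', 'gcc_high' or 'unknown' for one configured service URL."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == s or host.endswith(s) for s in GCC_HIGH_SUFFIXES):
        return "gcc_high"
    if any(host == s or host.endswith(s) for s in COMMERCIAL_SUFFIXES):
        return "commercial"
    return "unknown"

def audit_integrations(inventory: dict[str, list[str]]) -> dict[str, list[str]]:
    """Bucket each integration by the work it needs before a GCC High cutover."""
    report = {"needs_reconfiguration": [], "ready": [], "review_manually": []}
    for app, urls in inventory.items():
        kinds = {classify_endpoint(u) for u in urls}
        if "commercial" in kinds:          # any commercial dependency blocks cutover
            report["needs_reconfiguration"].append(app)
        elif kinds == {"gcc_high"}:        # every configured endpoint is GCC High
            report["ready"].append(app)
        else:                              # non-Microsoft or unrecognised hosts
            report["review_manually"].append(app)
    return report

# Constructed sample inventory: application name -> endpoints it is configured to call.
SAMPLE_INVENTORY = {
    "hr-portal": ["https://login.microsoftonline.com/common/oauth2/v2.0/token",
                  "https://graph.microsoft.com/v1.0/users"],
    "backup-agent": ["https://login.microsoftonline.us/organizations/oauth2/v2.0/token",
                     "https://contoso.sharepoint.us/sites/engineering"],
    "ticketing": ["https://api.example-vendor.test/v2/hooks"],
}

if __name__ == "__main__":
    for bucket, apps in audit_integrations(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(apps) or '-'}")
```

Feed it the real endpoint list exported from each connector's configuration; anything in `review_manually` still needs the vendor's confirmation that a GCC High-compatible build exists.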
Microsoft does not provide automated tenant-to-tenant migration tools. Organizations typically use third-party migration platforms or engage a Microsoft partner with experience in DoW cloud migrations. The migration itself needs to be planned to minimize business disruption, particularly for organizations with active contract performance obligations.
One area that frequently surprises contractors is third-party application compatibility. Many productivity tools, collaboration platforms, and line-of-business applications that work seamlessly with commercial Microsoft 365 or GCC require significant reconfiguration or replacement to function within GCC High. This scoping work should be done early, as incompatible applications can significantly extend migration timelines and costs.
Planning for this migration should begin well before a CMMC assessment or a contract requirement deadline. Migration timelines for mid-size organizations typically range from 60 to 180 days, depending on data volume, integration complexity, and the availability of migration resources. Organizations that wait until a contract award or an assessment notification to begin this process routinely find themselves unable to meet compliance deadlines.
What Happens During a CMMC Assessment
When a Certified Third-Party Assessment Organization (C3PAO) conducts a CMMC Level 2 assessment, cloud environments in scope for CUI processing are evaluated directly. The assessor will request documentation of the cloud service provider’s authorization status, including FedRAMP authorization letters and DoW SRG authorizations where applicable.
If your organization is running on a commercial Microsoft 365 tenant or a GCC tenant, the assessor will document findings across multiple NIST SP 800-171 control families. These findings will not be closed through compensating controls or short-term remediation plans. The environment itself must be brought into compliance, which means migration to GCC High or an equivalent DoW-authorized cloud environment.
CMMC assessments are conducted by C3PAOs accredited by the Cyber AB, the accreditation body for the CMMC ecosystem. Information on the assessment process and accredited organizations is available through the Cyber AB.
Operating in a non-compliant cloud environment also affects your Supplier Performance Risk System (SPRS) score. Self-attestations submitted to SPRS that do not accurately reflect cloud environment compliance gaps create additional legal and contractual exposure. Contracting officers and prime contractors can view SPRS scores, and discrepancies identified during audits or assessments can trigger adverse contract actions.
Getting Your Environment Right Before the Assessment Clock Starts
GCC vs. GCC High is one of the most consequential infrastructure decisions a defense contractor will make on the path to CMMC compliance. The gap between the two environments is not a paperwork difference. It is a fundamental difference in authorization level, infrastructure isolation, and personnel security that directly affects your ability to demonstrate compliance under DFARS and CMMC.
If your organization is still on commercial Microsoft 365 or GCC and you hold contracts with CUI obligations, the time to act is now. Environment migration takes months, and CMMC assessment timelines are compressed as the DoW continues to roll out certification requirements across the defense industrial base.
Official DoW cloud security requirements are published by DISA and referenced through the DoW CIO CMMC resource page. DFARS cloud service requirements are codified at acquisition.gov.

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.
About Brea Networks
Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.