The Five Big Questions About Microsoft 365 GCC High

October 14, 2022

As a contractor for the Department of Defense, you’ve probably noticed an increase in chatter about “DFARS 7012” and “NIST 800-171”. And if you’ve done any research into how to implement these requirements, you have probably come across “Microsoft 365 GCC High”.

You may be wondering, “What is it?” and “How is it different from regular Microsoft 365?” Fortunately, you are not alone. In this article, we will discuss what exactly Microsoft 365 GCC High is, why you would migrate to it, and what its capabilities are.

How is Microsoft 365 GCC High Different from Microsoft 365 Commercial and Microsoft 365 GCC?

The main difference between Microsoft 365 GCC High and Microsoft 365 Commercial and GCC is in how Microsoft stores, protects, and supports the infrastructure. Put simply, with GCC High, Microsoft guarantees that your data remains in U.S. data centers, supported by U.S. persons. In Microsoft 365 Commercial, data can be stored outside of the U.S., and support can be provided by foreign nationals. Microsoft 365 GCC sits somewhere in the middle, where data remains within the U.S., but support continues to “follow the sun,” in which foreign nationals can provide support.

GCC High is intended to protect Controlled Unclassified Information (CUI) and International Traffic in Arms Regulations (ITAR) data. These data types include plans, images, diagrams, documents, and other articles used to build military weaponry, provide wartime capabilities and broadly support the Department of Defense. GCC High conforms to the requirements in DFARS 7012, including requirements to protect media involved in incidents. Microsoft 365 Commercial and GCC are not intended to protect these data types at the same level and may not fully support the DFARS 7012 requirements.

What are the Benefits of Switching to Microsoft 365 GCC High?

The primary benefit of migrating to GCC High is in achieving the “highest watermark” for protecting data in line with DoD/Federal requirements. What does that mean? Well, consider the idea of a pole used for marking the rise of water in a flood zone – wouldn’t you want to build your house above the highest point on that pole where water has reached? Building below that line puts you at risk of being caught in the flood. GCC High achieves that – it is rated to handle the most scenarios and protected data types for organizations in the defense industry.

Beyond reaching the high watermark for compliance, you also benefit from being on the same platform as much of the DoD – many agencies and branches of the DoD have migrated, or are currently migrating, into Microsoft 365 DoD, which is tightly aligned to GCC High. As of the time of this writing, it is possible to use the Microsoft 365 suite of tools to do robust collaborations with DoD counterparts, but only for users in GCC High.

What happens if I don’t make the switch?

Well, you put your organization in a position of risk. That risk is entirely dependent on the types and amount of protected data you handle. If most of your organization supports DoD work and handles protected data (certainly if you handle anything ITAR), it’s best to be in GCC High. Failure to protect the data in line with requirements could result in negative outcomes, like loss of contracts or even punitive fines for data involved in compromise.

Ultimately, it’s about the risk and the reward. GCC High comes at a higher cost when compared to the commercial counterpart; but if you are an organization supporting the U.S. defense industry, you get the flexibility of the high watermark and improved collaboration experience with DoD counterparts, and you set a strong foundation for your future growth and ability to comply with requirements.

What about GCC? I heard that can handle CUI?

Microsoft 365 GCC is a middle option that will comply with DFARS 7012 and is rated to handle some CUI types, but it is not rated for handling data marked NOFORN (No Foreign Nationals) or ITAR data. It can be a good choice if you handle very limited CUI of types that aren’t limited to U.S. nationals. But these are very rare circumstances, and in our experience, it is often not a good fit for organizations in the defense industrial base (DIB).

What Capabilities Does Microsoft 365 GCC High Have?

Microsoft 365 GCC High is a near-clone of the services and capabilities of Microsoft 365 Commercial. Think of email, SharePoint, Microsoft Teams, OneDrive, Intune, Information Protection, and more – all of these services are also available in Microsoft 365 GCC High. However, it should be noted that not all features of these services are available. Because of the regulatory environment of GCC High, it can sometimes take months for newer features to be delivered in GCC High (this has been more of an issue in years past; as of the time of this writing, Microsoft has vastly improved its timelines for delivery of new features in GCC High).

Just about everything you are used to using in Microsoft 365 Commercial is available to you in GCC High.

How do I switch over to Microsoft 365 GCC High?

Moving to Microsoft 365 GCC High is a full-scale migration. There is no one-click pathway or simple upgrade process; you have to completely move your data. This can sound daunting, but there are incredible tools and knowledgeable partners (like Sentinel Blue) that can simplify the process.

Once you move your data, we recommend taking the time and effort to develop a strong starting baseline for the services you intend to use; lock things down, get high visibility of the environment and implement security controls – doing this from the start will make everything easier for you (and vastly more secure) than taking a loose posture from the start. Again, selecting the right partner here can make all the difference.

Beyond the data migration, you will also need to work with a licensing partner (if you have under 500 seats), as Microsoft will not sell GCC High licenses directly to small organizations. This can feel a bit clunky, but with the right partner, it can be incredibly easy.

We hope this information is helpful in understanding what Microsoft 365 GCC High is and how to get there. If you are considering making the move, we’d be happy to help you. Simply send us a note.
