GCC Guide

What You Need to Know About Microsoft 365 Government Community Cloud and CMMC Compliance

As a DOD contractor, Microsoft 365 Government Community Cloud (GCC) and Microsoft 365 Government Community Cloud High (GCC High) can play a large role in helping your organization secure Controlled Unclassified Information (CUI) and meet the requirements of DFARS 252.204-7012 (DFARS) and CMMC. But what are these offerings, which version do you need, and how do you avoid buying unnecessary software licenses?

CyberSheath is a certified Microsoft 365 reseller. We know the capabilities of GCC as the go-to software platform for data security and understand that GCC is one piece of the compliance puzzle. This guide helps you make an informed decision before you spend a dollar on licensing by answering your questions including describing the product tiers, outlining which level you actually need, and explaining how software alone will not get you to full compliance.

What is Microsoft 365 GCC?

Microsoft 365 GCC is a version of Microsoft 365 Commercial tailored specifically for organizations that handle sensitive government data, including CUI and other data types subject to DFARS, CMMC, ITAR, and related mandates. It comes in two tiers.

Microsoft 365 GCC

Often shortened to GCC, this environment is commonly used by defense contractors pursuing DFARS and CMMC compliance because it helps simplify meeting certain security, compliance, and data residency requirements. While DFARS and CMMC focus on implementing the NIST SP 800-171 security controls, some contracts and export-control regulations may additionally require U.S. data residency and U.S.-person administrative access. GCC is a logically isolated government cloud environment running on Microsoft’s Azure Commercial infrastructure in U.S. regions and aligned with FedRAMP Moderate controls, while supporting organizations implementing the safeguards required under DFARS 252.204-7012.

Microsoft 365 GCC High

This tier, referred to as GCC High, meets additional DOD requirements for higher-level data security. GCC High offers a sovereign cloud environment operating on a U.S.-only network with dedicated U.S. data centers and is commonly used by organizations handling export-controlled data (ITAR/EAR) or sensitive defense workloads. It is physically and virtually segmented from Microsoft’s commercial environment.

How do you know what you need?

GCC High licenses are the most expensive option, and for some contractors, they result in significant overspend. The right tier depends on your specific contract requirements, the type of data you handle, and how your environment is structured.

| Standard         | Data Type                          | Primary Requirements                                  | Recommended Microsoft Environment                     |
|------------------|------------------------------------|-------------------------------------------------------|-------------------------------------------------------|
| CMMC 2.0 Level 1 | Federal Contract Information (FCI) | 17 basic cybersecurity hygiene practices              | Microsoft 365 Commercial                              |
| CMMC 2.0 Level 2 | CUI                                | 110 NIST SP 800-171 controls                          | GCC or GCC High                                       |
| DFARS 7012       | CUI                                | 110 NIST SP 800-171 controls + incident reporting     | GCC or GCC High (depending on contract requirements)  |
| ITAR             | Export-controlled data             | Sovereign cloud; U.S. Persons only                    | GCC High (mandatory)                                  |

While the above chart gets you started, this is a business challenge, not just a technology problem. It is best to have an expert look at your situation and environment to determine, in detail, what you need. The right compliance solution fits your organization and the way it operates, so that you avoid both overspending and under-complying.

Software isn’t enough 

GCC is a tool, not a solution. Proper implementation of 110 NIST SP 800-171 security requirements across 14 control families is required for full DFARS and CMMC compliance. GCC and GCC High provide technical capabilities that help organizations implement some of these controls, but the majority of compliance requirements involve policy development, monitoring, documentation, and operational processes. 

Buying GCC High when standard GCC would suffice means overspending on licensing without improving your actual compliance posture. Common compliance gaps that software alone cannot close include: 

  • Written policies and procedures required under NIST 800-171
  • Continuous network monitoring and audit log review
  • Incident response planning and tabletop exercises
  • System Security Plan (SSP) and Plan of Action and Milestones (POA&M) documentation
  • Access control management, user training, and physical security requirements 

How to spot a software-first vendor  

Many providers in this space are in business primarily to sell software licenses. If the first step in their process is for you to buy GCC licenses, usually GCC High, that’s the tell. They will talk about getting you to compliance, but many lack the depth of experience to deliver it. 

A compliance-first provider starts with a conversation. They assess your environment, understand your contracts, and determine what you actually need before recommending any technology. Software selection follows the assessment—it does not precede it. 

Overview of the Microsoft Government Cloud Environments

As your company works to improve its security posture and meet the requirements of NIST 800-171 and CMMC Level 2, Microsoft cloud solutions can provide the foundation you need to move forward.  

Microsoft has built a layered set of government cloud environments, each designed to meet progressively more restrictive security requirements. Understanding how they differ helps you make the right licensing decision. 

Office 365 GCC / Azure Commercial / Dynamics 365 Government 

GCC originated as a dedicated segment of Microsoft’s commercial cloud, purpose-built to serve state and local government, federal civilian agencies, and the defense industrial base (DIB). It uses Azure Commercial as its underlying platform and aligns with FedRAMP Moderate authorization while supporting organizations implementing DFARS 252.204-7012 and NIST SP 800-171 security requirements.

For DIB contractors whose work does not involve export-controlled data, GCC is generally sufficient to support CMMC Levels 1 and 2. Note that the environment shares underlying infrastructure with Azure Commercial, which is a globally distributed platform, and therefore does not satisfy the data sovereignty requirements associated with most export-controlled CUI categories.  

Office 365 GCC High / Azure Government / Dynamics 365 GCC High 

GCC High is Microsoft’s sovereign cloud offering for the DIB, as well as non-DOD federal entities including agencies such as the FBI, DOJ, and DHS. The GCC High environment is aligned with the Defense Information Systems Agency (DISA) Security Requirements Guide (SRG) Impact Level 4 requirements.

GCC High is designed to support defense contractors implementing DFARS 252.204-7012 and CMMC requirements. It operates in a sovereign cloud environment that is architecturally separated from Microsoft’s commercial cloud at the network and data layer. Referred to as the US Sovereign Cloud, it is a fully physically and virtually segmented environment from Microsoft’s commercial offerings. Microsoft’s core security and compliance toolset—including Defender, Purview, Entra, and Priva—is available within this environment.

The underlying infrastructure of GCC High is Azure Government, which also supports the DOD cloud. Contractors subject to ITAR, EAR, or other export-control obligations will generally require GCC High rather than standard GCC. 

Office 365 DOD / Azure Government / Dynamics 365 DOD 

The DOD cloud environment was developed directly with the DOD to satisfy SRG Impact Level 5, which as of the July 2025 SRG update is formally defined as reserved for unclassified National Security Systems (NSS). This environment is restricted to DOD entities and is not available to DIB contractors. Office 365 DOD uses Azure Government and aligns with FedRAMP High. 

Other Microsoft Government Environments 

Microsoft also operates additional sovereign cloud environments designed for classified government workloads with even more restrictive security requirements. Azure Government Secret supports workloads classified at the SECRET level and is authorized by the Department of Defense under the DISA Security Requirements Guide (SRG) at Impact Level 6. Azure Government Top Secret is designed for highly classified national security workloads and is primarily used by the U.S. intelligence community and other federal agencies operating at the highest classification levels.

Microsoft is continuously evolving its technology stack and partnerships to best meet the regulatory demands of CMMC. CyberSheath is a Microsoft Cloud Solutions Provider, Microsoft Premier Support Partner, and more. In addition, CyberSheath is one of a select few official resellers for Microsoft GCC High and Office 365 GCC licensing.

Consider an Enclave Approach

An enclave is a strategic split-tenant or segmented architecture designed to minimize compliance costs. Instead of migrating your entire company to the expensive GCC or GCC High environment, you build a digital safe (the enclave) for only the employees and data that touch CUI or ITAR data. This strategy is popular for small-to-midsized contractors as it balances security with budget. 

How it works 

In an enclave model, your company operates in two distinct worlds. 

  • Commercial: The majority of your staff (Sales, Marketing, HR, General Admin) stay in your existing Microsoft 365 environment and use standard, low-cost licenses.
  • GCC/GCC High: The staff who handle defense contracts (Engineering, Project Management, Compliance) are given accounts in a separate, highly secure GCC or GCC High tenant.

If you decide to leverage the power of an enclave, give us a call. We can help walk you through the process to ensure your CUI is protected and your organization is compliant with NIST SP 800-171, CMMC 2.0, and DFARS 252.204-7012. You can also learn more about enclaves in our CUI Enclave Guide.

FAQs

1. What is the difference between GCC and GCC High? 

GCC runs on Azure Commercial infrastructure, aligns with FedRAMP Moderate controls, and can support organizations implementing DFARS 252.204-7012 requirements. It is appropriate for most contractors working with CUI who do not handle export-controlled data. GCC High is Microsoft’s fully sovereign cloud and is required when your contracts involve ITAR, EAR, or other export-controlled CUI categories.

2. Will buying GCC or GCC High make me CMMC compliant? 

No. GCC and GCC High address only a subset of the 110 controls required for full CMMC Level 2 compliance. Software is the starting point, not the finish line. Full compliance requires expertise, process, and ongoing management, not just a license.

3. How do I know which GCC tier my contract requires? 

Your contract language and the type of CUI you handle are the determining factors. Review your DFARS clauses, any ITAR or EAR obligations, and the specific CUI categories identified in your contract.  

4. Can I migrate from GCC to GCC High later if my requirements change? 

Yes, migration from GCC to GCC High is possible, but it is not a simple lift-and-shift. It involves tenant migration, reconfiguration of applications and security controls, user re-provisioning, and updates to your System Security Plan and compliance documentation. The process takes time and resources. This is another reason why getting the licensing decision right from the outset is more cost-effective than migrating later. 

5. Can my team still collaborate with people outside of GCC High? 

Yes, but with friction. Collaborating between GCC High and Commercial (or standard GCC) is more restrictive than standard Commercial-to-Commercial sharing. You will need to configure B2B Collaboration settings specifically to allow for secure document sharing and guest access while maintaining your security boundary. 

6. Does CyberSheath sell GCC and GCC High licenses? 

Yes. CyberSheath is one of a select group of official Microsoft resellers authorized to provide GCC High and Office 365 GCC licensing (AOS-G/GCC High License Eligible). Critically, we never lead with a software sale. Our process starts with assessing the scope of your environment and requirements so that any licensing recommendation is grounded in what you actually need. 

Talk to the Experts

Before you buy a single license, talk to a compliance expert. The cost of the wrong decision—overpaying for licenses you don’t need, or under-complying with the requirements you have—is far greater than the cost of getting it right from the start.

CyberSheath offers a no-cost, no-obligation initial conversation to help you understand what you actually need. Contact us today to learn more.