What Is GCC and GCC High?
Microsoft Office 365 has four cloud environments for its users, each one serving a different purpose. Understanding the differences between them is crucial in determining which one you'll need to utilize based on your specific requirements...
Microsoft Office 365 has four cloud environments for its users, each one serving a different purpose. Understanding the differences between them is crucial in determining which one you’ll need to use and why you’ll need to use it. Depending on the level of screening you’ll need to undergo to access a specific environment, the type of cloud you use will vary. Government users require more background checks and more secure environments for their data, so Microsoft established new environments with this in mind.
The first cloud developed was Microsoft Office 365 (Commercial). This is the general type of cloud environment most Office 365 users use. From there, Office 365 GCC (Government Community) was established for government users. This offered data residency rather than data sovereignty (more on the difference between those two below). Microsoft developed a cloud specifically for the Department of Defense (DOD), which received authorization for impact Level 5 in Azure Government. The only issue here was that only DOD personnel were allowed into this Level 5 environment. That’s why GCC High was born — this was a cloud environment for other agencies and contractors to access as well.
Let’s take a closer look at the concept of data residency vs. data sovereignty, the types of cloud environments (specifically GCC and GCC High), and how they differ, as well as the major distinctions between Azure Commercial and Azure Government.
Data Residency vs Data Sovereignty
It’s important to understand the difference between data residency and data sovereignty. The terms are interchangeable at times, but there are notable and significant distinctions between the two. Data residence refers to the location data stored in at rest without any controls to keep it from moving to another location. Data sovereignty refers to restrictions in place to keep data in the same location at all times. The concept of data sovereignty is relatively new, gaining awareness after Edward Snowden’s surveillance disclosures in 2013.
It’s also critical to note that data sovereignty is not a global constant. While data sovereignty is a requirement in the U.S., not every nation requires it. Knowing the difference between the two is crucial to understanding whether an environment supports global residency and sovereignty requirements such as GDPR, CCPA, and ITAR. Each cloud environment has different requirements with which it is compliant.
Now that you understand the distinction between data residence and data sovereignty, let’s take a deeper dive into the various cloud environments and how they can accommodate for data residency and data sovereignty requirements.
Commercial
Microsoft Office 365 Commercial is the form of Office 365 used outside the government by most private sector organizations that use Office 365. It was built on globally replicated directory services with a global network and global support personnel. Within Commercial, there’s a multi-geo service that addresses data residency requirements. This is perfect for meeting compliance frameworks such as GDPR, HIPAA, PCI, and FINRA. Where it’s lacking is having export controls for ITAR to ensure information doesn’t leave the U.S. You can achieve data residency with Office 365 commercial and some data sovereignty requirements, but not for DFARS and ITAR.
GCC
GCC (Government Community) is a copy of Office 365 commercial. State, local, federal, and tribal governments use it. Screened personnel use it and allow for data residency. From a feature parity standpoint, GCC is usually not far behind Commercial in terms of feature updates. Additionally, GCC is compliant with DFARS.
GCC High
GCC High is a copy of the DOD cloud environment for use by DOD contractors and cabinet-level agencies as well as cleared personnel. One critical distinction: when handling classified data, environments have a high side and a low side, the high side existing so users can handle classified data. GCC High is NOT a high side environment. It received its name because it meets FedRAMP high impact requirements.
For many government standards, one must make sure anyone working in the environment meets the requirements of specific government background checks. GCC High acts as a data enclave of Office Commercial. It’s compliant with DFARS, ITAR, NIST-800 171, and NIST-800 53.
Regarding feature parity: Microsoft does not offer any calling plans available in GCC High. There’s also often a 10-13 month gap between when features are available in Commercial and when they become available in GCC High.
Azure Commercial Vs Azure Government
Both Commercial and GCC pair with Azure Active Directory in Azure Commercial. Data residency is available while data sovereignty is not. Many state, local, and federal civilian agencies will not deploy workloads in Azure Commercial.
Azure Government (or Azure Gov) is isolated physically and virtually. It exists in a compliance foundry dedicated to U.S. government workloads. It’s exclusively for the federal government and contractors. Four key things to remember about Azure Gov are:
- It has U.S. sovereign directory services (unlike Azure Commercial, it’s not global).
- It’s on a sovereign network. Data transmission and processing occur in the continental U.S. only.
- Support personnel is limited to screened U.S. persons.
- It supports US export-controlled data.
How CallTower and Agile IT Have Teamed up to Help You
While it seems difficult to navigate through the various cloud environments, having a partner in the process helps. What’s even better is having two partners with the experience and knowledge in managing these Office 365 cloud environments, ensuring you’re using the right one and fulfilling all necessary requirements. As noted above, one challenge with GCC High is that Microsoft Calling plans aren’t available within it. However, CallTower and Agile IT have teamed up to provide compliant VOIP solutions as part of Agile IT’s unique GCC High compliance foundation. This will enable DOD contractors to stay compliant with all ITAR and CMMC requirements with the use of a single platform. For more information on how our partnership can help you start calling in GCC High, contact us today!
