
Does CMMC 2.0 Require GCC High for Compliance?

Does CMMC 2.0 require GCC High? Learn the cloud options for compliance, data security, and protecting CUI under NIST 800-171 and DFARS.

10 min read
Published on Mar 17, 2025

Do You Need GCC High for CMMC 2.0 Compliance?

For government contractors operating within the defense industrial base (DIB), Microsoft Government Community Cloud (GCC) High can be an invaluable resource as it provides comprehensive security and compliance features critical in safeguarding Controlled Unclassified Information (CUI). Migrating to GCC High can then help contractors comply with regulations like DFARS, NIST 800-171, and ITAR. Yet, you may find yourself wondering if you need GCC High to comply with CMMC 2.0, or if Microsoft GCC is sufficient for your compliance needs.

The good news if you already use Microsoft GCC is that there’s no official requirement to use GCC High to comply with the controls outlined in CMMC 2.0. However, investing in GCC High may be the best option for your organization depending on your overall security and compliance needs. In particular, Department of Defense (DoD) contractors will likely need GCC High to ensure compliance due to the higher security standards these organizations are held to. So, how will you know whether you need GCC High? To help you decide which Microsoft Cloud environment your organization should invest in, keep reading to learn more about CMMC, Microsoft GCC High, and which will help you maintain compliance.

Understanding CMMC 2.0

When deciding which cloud environment you need to meet CMMC, it’s important to understand how we got to CMMC 2.0, and the underlying requirements for compliance.

Federal Acquisitions Regulation (FAR)

Federal Contract Information (FCI) is covered by Federal Acquisition Regulation 52.204-21, which includes 15 information safeguarding requirements. This was codified as a subset of NIST 800-171 in CMMC 1.0 Level 1, with 17 controls. (There was actually no new requirement; the two additional controls were a split of existing controls to clarify compliance.)

FAR was introduced in 1979, and was an attempt to create an easier, more streamlined way for the government to acquire goods and services. Its goals were to assure competition, create common contracting methods, and set out mandatory clauses that must exist in every federal contract.

Ironically, the Government Accountability Office published a 38-page “highlights” whitepaper in 2006 that came to the conclusion that the FAR was so complex that it actually limited competition for federal contracts.

What is most important to us is that there are differences in the ways that various federal agencies must buy things, and so almost every cabinet level department, like the Department of Agriculture, and many agencies like the FDA, have their own supplements to the FAR. The one we are most concerned about? The Defense Federal Acquisition Regulation (DFARS).

The Defense Federal Acquisition Regulation (DFARS)

In 2010, the DoD published its supplement to the FAR. Like the FAR, DFARS is not just about cybersecurity; it also covers things like labor protection, mandatory clauses in contracts, penalties, and competition. It is VERY important to note that DFARS does not replace the FAR; it supplements it.

In December 2017, DFARS Clause 252.204-7012 went into effect, mandating adherence to NIST 800-171 for contractors managing CUI and Covered Defense Information. At the time there was a 12-month period for organizations to meet NIST 800-171 and to document this with a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). DFARS 7012 also introduced a cyber incident reporting requirement in paragraphs (c) through (g), including a requirement to preserve and protect all relevant monitoring and packet data for 90 days.

Between 2017 and November 2020, continued cyber incidents and intellectual property theft from the defense industrial base made it clear that self-assessment of cybersecurity against NIST 800-171 was not sufficient, and CMMC 1.0 was codified in DFARS 7021. DFARS 7021 set out a timeline for CMMC to be rolled out, and for the first time, cybersecurity would require third-party assessment across the entire defense industrial base. It also added the immediate requirement that contractors perform a self-assessment against the 110 controls in NIST 800-171 and submit the score to the DoD Supplier Performance Risk System (SPRS) prior to renewing or being awarded any new contracts. As a reminder, DFARS 7021 did not remove or revoke any part of the FAR or DFARS; it expanded them.

However, the complexity and added cost of CMMC compliance led to an internal review of CMMC by the DoD. In November 2021, CMMC 2.0 was introduced to simplify compliance, reduce cost, and reduce the risk of shutting small businesses out of the defense supply chain. This had zero effect on DFARS, ITAR, and the other frameworks that drive the need for GCC and GCC High.

The Cybersecurity Maturity Model Certification (CMMC)

So, what exactly is CMMC? The Cybersecurity Maturity Model Certification (CMMC) is a maturity model with a series of three levels that build on each other and are meant to protect Federal Contract Information (FCI) (as regulated by FAR), as well as Controlled Unclassified Information (CUI). After years of waiting, the final version of CMMC was released on October 15, 2024, and outlines three distinct levels of compliance:

  • Level 1: For contractors handling Federal Contract Information (FCI), requiring 17 basic security controls. This level allows for self-assessment.

  • Level 2: For contractors handling Controlled Unclassified Information (CUI), requiring compliance with 110 security controls from NIST SP 800-171. Some contractors may self-assess, while others will need a third-party assessment.

  • Level 3: For contractors managing sensitive CUI, incorporating 24 additional controls from NIST SP 800-172 to mitigate advanced persistent threats. These assessments will be conducted by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The CMMC program will roll out in four phases, with full implementation planned by 2028. Here’s an overview of the timeline:

Phase One (Estimated June 2025): Focuses on CMMC Level 1 self-assessment. This phase has been extended to a full year instead of the initial six months to allow for the capacity issues of C3PAOs. With the limited number of C3PAOs currently available, the DIBCAC understands that not all OSAs will be able to schedule their assessments in a timely manner. Additional extensions may be considered, but there are no plans to do so yet.

Phase Two (Estimated June 2026): Applies to CMMC Level 2, targeting contractors handling Controlled Unclassified Information (CUI). Some contractors will perform self-assessments, while others will need to undergo third-party assessments by a Certified Third-Party Assessment Organization (C3PAO).

Phase Three (Estimated June 2027): Focuses on CMMC Level 2 certification assessment. This phase also provides for an optional period for the DoD to add CMMC requirements to contracts awarded prior to CMMC implementation.

Phase Four (Estimated June 2028): Represents the full implementation of the CMMC program across all DoD contracts, ensuring that all defense contractors meet the appropriate cybersecurity levels for the information they handle.

Given that the deadline for full implementation of CMMC 2.0 is fast approaching, government contractors will need to start their compliance journey now, so they’ll be ready in time. This includes evaluating whether or not you need to migrate to Microsoft 365 GCC High in order to achieve CMMC compliance.

What is Microsoft GCC High?

Microsoft GCC and GCC High are Microsoft cloud environments designed to meet the security and compliance needs of Government agencies, contractors, and suppliers. Contrary to popular belief, BOTH GCC and GCC High are compliant with DFARS 7012 and CMMC 2.0. This means that you will have to consider your overall security and compliance needs when deciding between these two options. To help you decide between these two environments, let’s take a look at the primary differences between these two platforms.

Microsoft 365 GCC

If you’re unfamiliar with Microsoft’s Government licenses, you may be wondering what Microsoft Government Community Cloud is. Microsoft 365 GCC is actually very similar to the environment offered by Microsoft’s commercial products, as it provides many of the same capabilities.

The biggest difference between Microsoft’s commercial licenses and GCC is that GCC is specifically designed to meet the security needs of government agencies and their partners. For instance, data stored in a GCC environment is stored in a segregated cloud separate from Microsoft’s commercial tenants to enhance national security. Additionally, Microsoft 365 GCC also provides enhanced security and compliance features that, when leveraged properly, can help organizations satisfy DFARS 7012, CMMC 2.0, and NIST 800-171 requirements.

Microsoft 365 GCC High

For organizations that face even stricter compliance regulations, Microsoft 365 GCC High offers advanced security features designed to meet the needs of DoD contractors. In addition to providing more robust security measures, another significant difference between GCC and GCC High is that data stored in GCC High is isolated to U.S. data centers supported by background-checked U.S. citizens. This data sovereignty makes GCC High compliant with ITAR and EAR guidelines.

Do I Need GCC High for Compliance?

Ultimately, whether you need GCC High will depend on the specific compliance requirements outlined in your government contract. If your primary compliance concern is CMMC 2.0, then you may not need GCC High. In fact, if you only need CMMC L1, you may even be able to get away with maintaining Microsoft 365 Commercial if you have the right security measures in place.

You may also be able to stay on Microsoft GCC if you need to comply with DFARS, since Microsoft GCC is DFARS 7012 compliant.

Of course, just because you can maintain CMMC 2.0 compliance in a Microsoft GCC environment, this doesn’t make it a good idea, particularly if you handle CUI. For defense contractors, migrating to Microsoft 365 GCC High can significantly improve your security posture as it offers a more robust set of security and compliance features to keep your CUI safe. In fact, while GCC is CMMC 2.0 compliant, even Microsoft recommends organizations choose GCC High to protect CUI per the requirements outlined in CMMC levels 2 and 3.

Migrating to GCC High will also be necessary if you hold or expect to hold export-controlled data under ITAR or EAR, as this is the only Microsoft offering for DoD contractors that supports export-controlled information. Even if you are not currently required to maintain ITAR and EAR compliance, operating in a GCC High environment will ensure you’re ready if new contracts become available, and it will also ensure your CUI and any other sensitive government data you work with is properly secured.

When Do You Need Microsoft GCC High?

When is migrating to Microsoft 365 GCC High absolutely necessary? While most government contractors who handle CUI can benefit from the enhanced security provided by operating in a GCC High environment, you will need GCC High if you manage, create, or hold any of the following types of information:

  • Export Controlled CUI

  • International Traffic in Arms Regulations (ITAR)

  • Export Administration Regulations (EAR)

  • Criminal Justice Information Systems (Federal)

  • Specified CUI that Requires US Sovereignty

    • Controlled Defense Information

    • Nuclear Information (FERC/NERC)

    • NASA

    • CUI Marked NOFORN

Of course, it’s important to note that this is not an exhaustive list of the information types that require GCC High. Rather, these are merely the information types that will always require GCC High. This is because GCC High is the only Microsoft environment available to non-government organizations that meets the data sovereignty and US citizenship requirements organizations within the DIB must adhere to when storing and transmitting sensitive government data including CUI.

Agile IT Can Help You Choose The Right Microsoft Environment

If you’re unsure whether Microsoft 365 GCC or GCC High is right for your business, don’t worry, Agile IT is here to help! As a Microsoft AOS-G partner capable of licensing, implementing, and managing GCC High, we have the knowledge and experience to help you make the best decision. Additionally, if you choose our AgileDefend MSP service, our skilled team can help your organization move toward achieving and maintaining compliance with CMMC 2.0, NIST 800-171, and DFARS. Feel free to contact us today to schedule a meeting to learn more about our services and to request a quote.
