Understanding the GCC High Validation Process

Data security is one of the greatest concerns for federal agencies and contractors, as protecting sensitive government data is a matter of national security. As such, government contractors who handle Controlled Unclassified Information (CUI) and other sensitive government data need to follow strict federal cybersecurity and compliance regulations such as CMMC 2.0, ITAR, and FAR CUI. While maintaining compliance with these regulations can feel like a tall order, the good news is that there are a variety of resources available to help you secure the sensitive government data you handle. One such option would be Microsoft GCC High, which is a Microsoft 365 service offering specifically designed to meet the cybersecurity and compliance needs of government agencies and their partners by providing a secure cloud environment built within Azure Government and hosted on geographically isolated data centers located within the United States, helping to keep sensitive data safe. GCC High then provides the data security that government contractors, and in particular those within the defense industrial base (DIB), need while still providing them with the Microsoft productivity offerings they’ve come to rely on.

For many government contractors, GCC High plays a critical role in helping them maintain their contractual compliance obligations by providing them with the enhanced security features they need to protect the CUI and other sensitive government data that they handle. Yet, as we discussed in the previous segment of this blog series, obtaining GCC High licensing is no walk in the park, and it can prove to be a complicated process, which starts with obtaining validation of GCC High eligibility from Microsoft. Yet, how does GCC High validation work, and what does this process entail? If you need Microsoft GCC High to help you meet your compliance obligations, keep reading as we take an in-depth look at the GCC High validation process.

Who Needs GCC High?

Of course, if you’re new to GCC High, the first thing you may find yourself asking is who GCC High is for and how you’ll know if your organization needs GCC High. Microsoft GCC High is specifically designed to meet the cybersecurity needs of federal agencies, Department of Defense (DoD) contractors, and their suppliers who handle, transmit, and store CUI and are bound by regulations like DFARS, CMMC, and ITAR. GCC High offers enhanced security and compliance features to help these organizations secure the sensitive government data they handle, ensuring that they meet their contractual obligations. GCC High is a particularly valuable tool for organizations in the DIB operating in a Microsoft environment who must become CMMC compliant, as Microsoft recommends GCC High for all organizations that need to achieve CMMC Level 2 or 3 certification.

Who is Eligible for GCC High?

To ensure the security of the Microsoft Government Cloud environment, only specific entities are allowed to obtain GCC High licenses. Before being able to purchase GCC High licenses, organizations must then first confirm their eligibility and obtain validation from Microsoft. Of course, this may leave you wondering who is eligible to use GCC High. GCC High is only available to government agencies and their contractors who handle government-controlled data, including:

• Qualified Government Entities: This includes US federal, state, local, tribal, and territorial entities.

• Commercial, Private Entities With Data Subject to Government Regulations: This includes government contractors, subcontractors, and suppliers who handle sensitive government data, such as CUI, subject to government regulations like CMMC, DFARS, and ITAR.

Before being able to purchase GCC High licensing, your organization will need to be able to prove to Microsoft that you meet one of these requirements by applying for eligibility validation and providing supporting documentation, such as a DoD contract.

How Can I Obtain GCC High Validation?

Given that GCC High is specifically designed to meet the unique cybersecurity and regulatory requirements of government entities and private organizations handling government-controlled data, Microsoft requires organizations to obtain validation before they can purchase GCC High. This helps ensure that only eligible, vetted organizations have access to the sensitive Microsoft Government Cloud environment. Yet, you may find yourself wondering what this validation process entails and how your organization can go about obtaining GCC High validation. To help get you started, here’s an overview of the steps involved in the GCC High validation process.

Confirm Eligibility

The first step that you should take is to confirm that you are eligible for GCC High. In addition to having a valid government contract, you also need to be able to prove that you handle sensitive government data subject to federal cybersecurity regulations like CMMC 2.0. Government data types that can make an organization eligible to use GCC High include:

• Controlled Unclassified Information (CUI)
• Criminal Justice Information (CJI)
• Data Subject to the Defense Federal Acquisition Regulation Supplement (DFARS)
• International Traffic in Arms Regulations (ITAR) Data
• DoD Unclassified Controlled Nuclear Information (UCNI)
• And DoD Impact Level 2 Data

If you’re unsure whether you’re eligible for GCC High, consult a Microsoft-Authorized AOS-G partner to help you determine your eligibility and what Microsoft licenses will meet your compliance needs.

Submit a Validation Request

Once you determine your eligibility, your next step will be to submit a validation request by filling out Microsoft’s GCC Eligibility Intake Form. The purpose of this form is to help Microsoft verify your eligibility for GCC High as either a government entity, a solution provider serving a government entity, or a private organization handling sensitive government-controlled data. When applying for GCC High, make sure that you apply as a Category 3 entity, as Category 2 entities are only allowed into Azure Government and not GCC High. Once you have submitted your validation request, Microsoft should contact you via email within two business days regarding your next steps.

Provide Documentation

Once Microsoft reviews your initial application, they will likely contact you to request additional documentation demonstrating your eligibility to use GCC High. Documentation that you may be expected to present includes:

• A Signed Contract With a Government Agency Indicating a Regulated Data Requirement as Part of Delivery

• A Sponsor Letter From a Government Entity (Signed Within the Last 12 Months)

• A Valid CAGE Code

• Or a Valid SAM (System for Award Management) Registration With DUNS. (Note: Your SAM registration must be for ALL Awards. You will not receive validation if the purpose is only for Federal Assistance Awards.)

Wait For Microsoft’s Eligibility Review

Once you’ve submitted any documentation requested by Microsoft, you will have to wait for Microsoft to review your information and determine your eligibility. While this process can take as little as 1-2 weeks, Microsoft often experiences delays, and it can take up to six weeks to review your eligibility, particularly if there are delays because you failed to submit all the requested information and documentation. This is why it is essential that you start this process as soon as possible to allow for sufficient processing time. Once Microsoft has reviewed your application and relevant details, you will receive an email confirming your eligibility validation or requesting additional documentation.

Next Steps

Once you are validated by Microsoft, you will be eligible to purchase GCC High licenses for your organization. At this point, it is essential to partner with a qualified Microsoft AOS-G authorized reseller, as they can help you select the proper GCC High licenses for your team. They can also prove instrumental in planning your migration, facilitating onboarding, and helping you establish and maintain compliance in your new tenant.

Common Pitfalls to Avoid

It is essential that you avoid common mistakes and pitfalls that can delay your validation. Specifically, it’s essential that you thoroughly review the application instructions as well as any emails from Microsoft’s validation team, as submitting any incorrect or outdated information, or failing to submit a requested document, can result in significant delays. Additionally, when filling out your application, do not use a generic justification like “compliance.” You need to specify the type of government data you handle and why you need GCC High, or your application may be rejected if you do not provide detailed justification.

Contact Agile IT for Help With GCC High Validation

Getting validated to purchase GCC High can be complicated, but it is an essential strategic first step that will help facilitate your compliance journey. Make sure you take the time to gather your documentation and prepare to show your compliance and security needs clearly so that you can submit your application with minimal hassle.

If you’re unsure how to proceed with the GCC High validation process, consider contacting Agile IT today. As a Microsoft-Authorized AOS-G partner, we can help you not only navigate the GCC High validation process, we can be also help you select and purchase the right licenses for your organization, plan your migration, and help you achieve compliance with federal cybersecurity standards.