Getting GCC Validation

Data security is of great concern to federal agencies and contractors. The federal government leverages Government Community Cloud (GCC) to ensure security within the federal ecosystem. Here is everything you need to know about acquiring GCC validation. If you are looking for GCC High validation, check out our video and guide for GCC High Validation.

What Is GCC Validation?

GCC is a secure version of Office 365 built by Microsoft for government entities, vendors, and contractors. This clone of Microsoft 365 Commercial introduces modern innovations and capabilities found in commercial cloud computing platforms to sensitive government systems.

It is, indeed, paramount to mention that GCC has the same suite of features and functionality you can find on Office 365. The outlier is that GCC’s data centers are located only within the continental United States (CONUS) as per FedRAMP moderate standards.

Further, note that GCC is the most basic infrastructure. Unfortunately, GCC doesn’t sufficiently comply with Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI) handling. The consequence is that GCC is thus unable to comply with the International Tracking and Arms Regulation (ITAR) and Export Administration Regulation (EAR).

Think of GCC as a means for government agencies to consistently adopt commercial cloud solutions offered by cloud service providers.

How Is GCC Different From GCC High?

Given the recent government data breaches, choosing the right Microsoft GCC for your business is important. The Microsoft government cloud to choose from is either GCC or GCC High. To make the right choice, you’ve got to understand the difference between GCC and GCC High. However, before highlighting the difference between GCC and GCC High, it’s only right that we first examine what GCC High is.

GCC High

GCC High is a carbon of the DoD cloud environment. It was created for use by DoD contractors, cabinet-level agencies, and other cleared parties. Overall, GCC High is only available to businesses and organizations found within the Defense Industry Base (DIB), DoD contractors, and other federal agencies. Its servers remain highly isolated both physically and virtually. Further, it derives its name by virtue of meeting high-impact FedRAMP requirements.

What makes GCC High different from GCC is the additional security/ safety precautions. Further, you find that many cloud features and functionalities are unavailable within GCC  High primarily due to security restrictions. This is because every new feature that’s added to Microsoft must first be vigorously tested by the DoD and GCC High Clouds. Further, popular tools such as Azure Sentinel, Cloud App Security, and Microsoft Defender are rebuilt ground up for GCC High. That’s just how much compliance and safety requirements are a priority for GCC High.

GCC vs GCC High Support

Further, GCC and GCC High support different security and compliance framework. Specifically, in addition to the compliance frameworks supported by Microsoft 365 Commercial, GCC supports:

• FBI Criminal Justice Information Services
• FedRAMP Moderate
• DoD SRG Level 3
• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

It is prudent to mention that GCC began supporting DFARS 7012 flow-down requirements in February 2022. Additional compliance frameworks not supported include:

• International Traffic in Arms Regulations (ITAR)
• Export Administration Regulations (EAR)
• Unclassified Controlled Nuclear Information
• Handling Controlled Defense Information (CDI)

On the other hand, GCC High supports:

• FedRAMP, with an accreditation level of “High”
• ITAR
• EAR
• DoD SRG Level 5 and 6

Who Can Qualify for GCC? 

State, local, federal and tribal governments can all qualify for GCC installation and usage. GCC is, indeed, meant only for individuals who have clearance to access secure data on CONUS servers. Commercial private entities with data subject to regulations also qualify for GCC. Accepted government data types include:

• CUI
• Department of Defense UCNI
• Department of Energy UCNI
• CJI
• Department of Defense Impact Level Data
• Lastly, other types of data that require Azure Government

How to Get GCC Validation

To begin your migration to Microsoft GCC, you will need to start with a validation process, similar to GCC High validation.

Right off the back, it is important to mention that for you to be approved for GCC for CSP, you ought to be enrolled in the CSP program. Once you are a member of the CSP program, you will be approved only if you:

• Provide services or solutions to the US government either through direct or indirect contract
• Serve US government customers through GSA or other contract vehicles
• Have partnered with the federal, state, local or tribal government

Once you meet these prerequisites, the validation process is relatively straightforward.

• Request for said validation. This is as simple as contacting Microsoft to request validation as a Category 2 entity.
• Provide the documentation. This means providing a signed contract or sponsor letter to prove your eligibility.
• Acquire GCC licensing. Here, you will need to work with an AOS-G Partner to help along with the licensing request.

Evidently, this is mostly straightforward and should take between 3 to 7 business days. To ensure this timeframe is achieved, start by filling out this general validation form. To then ensure that your application is successful, there are considerations that you should make, including:

• The contract submitted must include the controlled data type that you intend to handle
• If you partner with a subsidiary for government contracts, you must apply your business name on the contracts
• You must use a US address if you are a multi-national organization

Getting GCC validation can be quite beneficial to your organization, including:

• Efficient operations on a vertically scalable platform
• Ready to host enterprise applications
• Faster delivery of public services
• Reduced TCO
• Best-in-class security with regular backups
• Lastly, platforms to roll out emerging technologies

Learn More About GCC Validation

Altogether, once you have GCC validation, you can optimally utilize your IT resources for flexible workloads. Further, you should be able to maintain increased uptime. Finally, you have the assurance that your cloud infrastructure remains compliant, especially since you handle sensitive applications. Evidently, there’s no longer a question of whether to GCC or not GCC. You get to have all the must-have Microsoft 365 functionality with fewer approvals and background checks. You just have to deal with the Federal Contract Information (FCI) compliance requirements and the fact that GCC doesn’t meet requirements for ITAR, EAR, and CDI handling.

If you are looking to license, implement or Migrate to GCC or want assistance in meeting government mandates for data governance and security, Agile IT can help.