
How to Obtain GCC High Licenses for Your Organization

Learn how to obtain GCC High licenses for your organization. Understand eligibility, required documentation, and Microsoft’s validation process for secure government cloud use.

Published on Sep 1, 2025

For government contractors and partners who handle Controlled Unclassified Information (CUI), taking proper steps to safeguard this sensitive government data is essential to protect national security and maintain compliance with federal cybersecurity regulations like CMMC, DFARS, ITAR, and FAR CUI. The fact is that failing to maintain the proper cybersecurity posture and being found out of compliance can lead to loss of contracts, reputational damage, and even legal repercussions.

If you operate in a Microsoft Cloud environment, one way to ensure your CUI is properly protected is to migrate to Microsoft Government Community Cloud (GCC) High. For federal contractors handling sensitive government data, and in particular those in the Defense Industrial Base (DIB), GCC High offers the most robust security, data residency, and compliance features you need to maintain your contractual cybersecurity obligations while still giving you access to the Microsoft productivity software you’ve come to rely on. Microsoft understands the unique and evolving cybersecurity requirements of government contractors, which is why it specifically developed GCC High to provide a highly secure cloud environment that helps government agencies and their contractors keep data secure and meet their compliance obligations while maintaining productivity.

Yet, if your organization handles CUI or other sensitive government data and you are considering migrating to GCC High, you may be unsure whether GCC High is right for you or how you would go about obtaining these licenses for your organization. To help get you started, this series of blog posts will provide a comprehensive overview of the steps involved in obtaining Microsoft GCC High licensing, including an in-depth look at the validation process.

What is GCC High?

Of course, if you’re not familiar with Microsoft’s government licenses, the first thing you may find yourself wondering is what GCC High is. In contrast to Microsoft’s commercial licenses, Microsoft Government Community Cloud High is the cloud platform developed by Microsoft specifically for use by government agencies as well as government contractors handling sensitive government data. While GCC High offers many of the same features as Microsoft’s commercial licenses, it also provides enhanced security and compliance features specifically designed to meet the security needs of the federal government and to enhance national security. GCC High is therefore essential for government contractors subject to federal regulations like DFARS, ITAR, and CMMC Level 2+, as it provides enhanced security features as well as data residency, which can help these organizations achieve and maintain compliance.

Who Needs GCC High Licenses?

Next, you may find yourself wondering who needs Microsoft GCC High. How can you be certain whether you need GCC High or if another Microsoft product like GCC will be sufficient in helping you meet your compliance obligations? GCC High is specifically designed to meet the cybersecurity needs of government contractors. In particular, organizations that handle data subject to ITAR need GCC High to meet specific security and data residency standards. Additionally, while GCC High is not specifically required to comply with CMMC 2.0, Microsoft recommends that organizations within the DIB who need to meet CMMC 2.0 levels 2 or 3 adopt GCC High to ensure their data security needs are met. It is also important to note that any subcontractors with flow-down clauses in their contracts may also need GCC High licenses to validate that the sensitive data they handle continues to be properly protected. Ultimately, if you’re unsure whether you need GCC High to meet your compliance obligations, it is essential that you consult a Microsoft AOS-G partner to help you determine which Microsoft licenses are right for your organization.

Microsoft Validation Process

If you decide that migrating to GCC High is the right choice for your organization, your next step will be to start the eligibility validation process with Microsoft. Microsoft GCC High is only available to eligible government agencies, as well as government contractors who handle sensitive data, including CUI, EAR, and ITAR data. Since only certain organizations can use GCC High, you’ll first need to submit a request for validation to Microsoft before you can purchase GCC High licenses. Make sure that you apply for validation as a category 3 entity, as category 2 entities only qualify for Azure Government and not GCC High. Once you have submitted your validation request, Microsoft will contact you regarding your next steps. Be prepared to submit documentation that supports your organization’s eligibility, such as a signed contract, a sponsor letter from a US Government entity, or a valid CAGE code or SAM registration. Once you submit your documentation, Microsoft will send you an email with your final approval, which you will need to show your authorized reseller in order to purchase GCC High licensing. It’s important to note that the process of receiving final validation from Microsoft can take up to two weeks, so it is important to start this process as soon as possible.

Choosing the Right Licensing Partner

Once you’ve received validation for GCC High, your next step will be to select an authorized Microsoft AOS-G partner to help you purchase your licenses and manage the migration process. Only approved organizations are allowed to sell Microsoft GCC High licenses, and choosing the right partner is essential in helping ensure the GCC High migration process goes as smoothly as possible. Collaborating with an AOS-G partner is essential, as they can streamline the license procurement process, and they have expert knowledge on achieving compliance with federal regulations like CMMC, DFARS, and FAR CUI. The right migration partner can be essential in helping you manage your migration and achieve compliance in your new Microsoft tenant. To help you choose an experienced Microsoft partner, make sure to ask prospective AOS-G partners about their experience, including which government regulations they have helped government contractors achieve compliance with.

Common Mistakes and Pitfalls

To ensure your GCC High migration goes as smoothly as possible, you should take steps to avoid common mistakes and pitfalls government contractors make during this process. Perhaps the most important thing to keep in mind is the importance of starting the migration process as soon as possible. Migrating to GCC High can take several weeks to several months, or even longer, depending on the complexity of your migration, the type and amount of data being moved, and the migration strategy you choose. Starting the process of obtaining GCC High licensing and planning your migration as soon as possible will help ensure that your data is protected and that you do not fail to meet your contractual compliance obligations. You don’t want to store or handle CUI on a commercial Microsoft tenant, as this could put your sensitive data and national security at risk.

Final Tips

The process of procuring GCC High licenses takes time, making it essential that you start this process as soon as possible so that you can achieve compliance and properly secure your CUI. The last thing you should be doing is storing, transmitting, and handling CUI on a commercial Microsoft tenant, as this could put your organization’s data, contracts, and reputation at risk. Of course, obtaining GCC High licenses for your team is just the beginning of your compliance journey, and you will need to take some time to plan out your GCC High migration to ensure everything goes smoothly and your data is properly protected. If you need help obtaining validation for GCC High, planning your GCC High migration, or achieving compliance with CMMC 2.0 and other federal cybersecurity regulations, consider contacting Agile IT today. As a Microsoft AOS-G partner and Cyber AB Registered Provider Organization (RPO), we can help you select and acquire the right Microsoft licenses for your organization, plan for GCC High migration, and help you properly secure your CUI to achieve compliance.
