Guide to Microsoft 365 for Government Contractors GCC and GCC High

Introduction to GCC High, GCC, and Azure Government Cloud

Microsoft has made it easy to reach complex government-mandated compliance requirements, however, understanding which cloud, which environment, what type of licensing and how to approach migration to Microsoft’s Government cloud is almost as complicated. In this blog, we are going to attempt to simplify the hundreds of questions we have received as both Azure Government Cloud, GCC, and GCC High consultants and licensors. We are going to cover what the environments are, what their unique security and compliance features are, what environment is needed for specific compliance frameworks, how to license, and even how to make the case to internal stakeholders to explain the added costs. Any questions, please leave a comment. We’re here to help.

Microsoft 365 Environments: Commercial, GCC, GCC High, DOD

There are four Microsoft environments to understand in order to make sure you chose the right cloud for your organization (Not including Microsoft Cloud in Germany and 21ViaNet in China). These are Commercial, GCC, GCC High and DOD. Each has it’s own unique compliance abilities, features, pricing and licensing, and migration path.

Microsoft 365 - Commercial Environment

This is the good old Office 365 you are familiar with. Anyone can get an account here, for any number of users, and the full range of features are available. It is globally available and is where home, enterprise, commercial, non-profit, and academic tenants all reside.

Microsoft GCC Environment (Government Cloud Computing)

GCC is an isolated instance of Office 365 Commercial created specifically for government. GCC features additional compliance controls around its data centers. GCC is available for local, state, federal and tribal governments, and their approved contractors. GCC has near feature parity with the commercial environment.

Microsoft DOD Environment

On the opposite end of the security and compliance spectrum from commercial environments is Microsoft DOD. Microsoft 365 DOD is a completely isolated environment for use ONLY by the U.S Department of Defense. The DOD cloud is built for strict compliance controls, such as zero standing access to data, and all Microsoft employees operating in the environment must complete DOD IT-2 adjudication and a Tier 3 OPM investigation.  Each service in this environment is vetted and approved by the DOD, which leads to a difference in features and release dates. As a rule of thumb, new products and features get introduced to DOD about 12-14 months after reaching commercial general availability.

Microsoft GCC High

Just as GCC is an isolated copy of Microsoft commercial environments, GCC High is a copy of the DOD environment. GCC High is intended for DOD contractors who work with controlled unclassified information (CUI) or who are subject to International Traffic in Arms Regulations (ITAR). As it is a copy of the DOD environment, it also lacks feature parity with the commercial environments, with some services, such as Yammer and Compliance Center expected to never be included due to compliance architecture conflicts. (Yes, there is some irony that Compliance Center is not DOD compliant, which we explain below.)

Compliance in GCC, GCC High, and Commercial Environments

The various government clouds are built to meet specific compliance frameworks within a shared responsibility model. Shared responsibility means that Microsoft manages some controls, while the customer manages others. In the case of FedRAMP moderate, for example, there are 1022 individual actions that are mapped to specific controls. Under shared responsibility, Microsoft manages 807 of those controls and provides full documentation behind them, while the customer manages a much more reasonable 215. However, it is still important to understand what cloud to choose based on your own compliance requirements. Below is a breakdown of the four clouds


Commercial
GCCGCC HighDOD
AccreditationFedRAMP ModerateFedRAMP ModerateFedRAMP High
CUI / CDINoOnly UnspecifiedYes
Customer EligibilityAnyFederal / SLG / Tribal / DIBFederal / DIB
Customer SupportWorldwide / Commercial PersonnelWorldwide / Commercial PersonnelUS Based / Restricted Personnel
DFARS 252.204-7012NoYes (As of Feb 2021)Yes
DOD SRG LevelN/ALevel 2Level 4
Datacenter LocationsUS & OCONUSCONUS OnlyCONUS Only
Directory / NetworkAzure CommercialAzure CommercialAzure Government
FBI CJISNoYesNo
HIPAA / HITECHYesYesYes
ITAR / EARNoNoYes
NERC / FERCNoNoYes
NIST 800-171MaybeMaybeYes
NIST 800-52YesYesYes

Feature Parity between Commercial and GCC High

Due to the additional requirements in GCC High, there is not feature parity between it and the commercial clouds. The following are services not yet in GCC High:

  • PowerBI Pro
  • Office 365 ProPlus
  • Project Online
  • Cloud App Security
  • Visio
  • Calling Plans for MS Teams
  • Microsoft App Store
  • Yammer

Even when a product is available in GCC High, all of its features may not be. The Microsoft Office 365 US Government platform service description has further details on this:  An excellent example is Microsoft Defender ATP in GCC High , which, while available, lacks the following features:

  • Live Response
  • Threat protection reporting
  • Machine Health and compliance report
  • 3rd party integrations
  • Microsoft integrations with

Note, this list is not exhaustive, and new features are released frequently. The canonical source for feature updates in GCC High is Microsoft’s service description.

Published on: .

How can we help?

Loading...

Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon Sales@AgileIT.com

Don’t want to wait for us to get back to you?