Protecting your data is of paramount importance for every organization, no matter what kind of data they hold. But some data requires special protection, particularly when it comes to handling government information. This information comes with some stringent requirements for how it is stored. Microsoft has a cloud solution specifically meant for this. If your organization handles this type of information, a migration may make sense. That’s where Migrating to GCC High comes into play. Let’s take a closer look at GCC High as well as what to expect during the migration process and how you can make it a more seamless transition for you and your team.
What Data Types Require GCC High to Manage?
Government Community Cloud High (GCC High) helps DOD and federal contractors meet some fairly robust and demanding cybersecurity and compliance requirements. If you manage any of the data types, you’ll need GCC High:
- International Traffic in Arms Regulations (ITAR)
- Controlled Unclassified Information (CUI) This includes all of the CUI subcategories
- Department of Defense Unclassified Controlled Nuclear Information (DOD UCNI)
- Department of Energy Unclassified Controlled Nuclear Information (DOE UCNI)
- Criminal Justice Information (CJI/CJIS)
- Department of Defense, Impact Level 4 or higher (DOD IL)
- North American Electric Reliability Corporation (NERC)
- Covered Defense Information (CDI)
Once Cybersecurity Maturity Modification Compliance (CMMC) level 3 starts appearing in contracts, it will almost assuredly be included in this list as well. So, it’s simple: if you don’t have contracts with any of these listed above, you don’t need GCC High. But if you do? It’s a critical system for you to implement.
How Do You Get Approved for GCC High?
Receiving approval for GCC High includes requesting validation from Microsoft. In Agile IT’s blog post on “Getting Category 3 Validation from Microsoft” we discuss this process in much greater detail.
The first part of the process involves three steps. First, you must request validation from Microsoft. Then you’ll provide documentation to prove your eligibility. Finally, you’ll work with an approved partner to license GCC High.
As far as documentation goes, you can either submit a signed contract that shows the data owner/data requirement or a sponsor letter justifying the regulated data requirements along with the required duration. This letter should have been signed within the past calendar year and should be from either a valid US Government entity or an approved Category 1,2, or 3 entity.
The process may seem simple, and it is fairly straight forward, but it’s not necessarily easy. Remember that each step of the process involves administrative tasks carried out on both ends, and those take time. Begin this process as early as possible, as soon as you know you need GCC High validation. You certainly don’t want to get stuck waiting for approval to be completed while you need to store sensitive information.
If you need to begin migrating to GCC High, your first step is to request GCC High Validation from Microsoft.
How to Buy GCC High?
Once you’ve gone through the proper protocols to acquire approval for buying GCC High, you can now begin the process of purchasing it. How you purchase GCC High will depend solely on the size of your company and the number of seats you require. If you’re a larger organization with the need for 500 or more seats of GCC High, you can buy it through an enterprise agreement. You can arrange this through a deal with an information technology solutions provider such as SHI, Dell, or CDW.
If your company is smaller, you’ll need to do so through an Agreement for Online Services - Government (AOS-G) partner. This is where you work with an approved partner to acquire the software needed. There are only nine of these partners. Because there are only nine partners available to assist with this, it’s important to perform your due diligence in understanding which one is the most well-versed in managing GCC High approval and migration to help guide you through the process.
How Much Does GCC High Cost?
For many organizations, buying GCC High is a necessity based on the type of information they require. That said, understanding the costs associated with it is critical to ensure you can reliably and accurately forecast the budget for your IT needs. Unfortunately, you won’t be able to determine the exact cost for GCC High without talking with an AOS-G partner. The GCC High price list is protected under a non-disclosure agreement. However, to gauge a relatively safe ballpark estimate, plan on spending about 40-50% on top of what you’d spend for Office 365 enterprise licenses. You’ll buy GCC High under a modified Enterprise Agreement, meaning that you must pay up front for a full year.
How Long Does It Take to Get GCC High?
From an administrative standpoint, there’s a clear process involved once you’ve purchased GCC High. You’ll want to properly account for the time each step takes, as this can vary depending on a number of factors. Receiving GCC High involves validation, licensing, tenant provisioning, whitelisting, and migration. Below is a rough estimate of how long you can expect each part to take:
Validation takes 5-10 business days. This is the normal time frame but can take up to 15-20 days if there are disruptions. For an example of this, look no further than the COVID-19 pandemic and the accompanying rush for cloud services. If you’re looking to start the validation process, you never know when there’s going to be an uptick in requests, so you never can start too soon.
Licensing takes 2-10 business days. The reason for the disparity here is that you’re depending on administrative tasks such as payment and processing is completed swiftly. Because this is often outside of your control, budget for anywhere from 2-10 days for this to take place.
Microsoft maintains a 30 day SLA for tenant provisioning, however we have seen this time frame drop dramatically in the last few months, sometimes taking less than a week. Again, this will depend on Microsoft. It can take up to 30 days to provision a tenant of GCC High, so account for this accordingly.
Whitelisting takes 5-10 business days. This component will depend on your experience setting up GCC High tenants. It involves submitting requests to Microsoft to ensure services are turned on and ports are opened. If it’s your first time doing so, it may take longer than if you have experience or are working with a skilled AOS-G partner.
Migrating to GCC High
Migrating to GCC High can take anywhere from days to weeks. It’s largely dependent on the platform from which you’re migrating. Take GoDaddy, for example. It can’t run automation while also requiring some flexibility in juggling the domain to manage it effectively. Or look at Google, which does not provide a static IP address which leads to whitelisting issues. This step will require patience and attention to detail in case any platform-specific issues arise.
What Should You Migrate to GCC High?
Once you’ve acquired GCC High, you’ll now go about the task of determining what data you should be moving. The final question to consider is figuring out what data and information you’ll need or want to migrate. But an even more appropriate question might be: SHOULD you migrate? Not all of your organization’s data may need to be moved, and you’ll want to understand what does need to be moved and why.
To reiterate: if you don’t have contracts with any of the data types listed above, you won’t require GCC High. But if you require it for some (but not all) of your data or information, you may need to implement GCC High without a migration. For example, say you’re part of a smaller internal team in a larger company. Most of the company likely doesn’t handle controlled information, and the need to do so could be new and specific to the smaller team. This would be an appropriate time for a greenfield deployment, where a system is installed where none existed before. If no CUI existed prior to this, you won’t need to migrate anything and can continue using the systems you were previously. If you do have CUI in your environment already, that’s when migration will be needed. In this instance, you’ll want to migrate the information and remove the previous tenant.
The Bottom Line on Migrating to GCC High?
Migrating to GCC High is not complicated but requires knowledge and flexibility. Your migration to GCC High will depend on:
- Whether you need to handle CUI
- The amount of existing CUI you need to migrate
With this in mind, you’ll need to maintain a patient approach, as thorough and comprehensive migrations take time and careful administration to pull off. You’ll also want to budget accordingly as GCC High does cost more than traditional Office 365 services. If you don’t have experience with a GCC High migration, the process can seem a bit overwhelming. But you don’t have to go it alone. Agile IT can be your trusted partner who has experience helping organizations make this necessary transition. By partnering with Agile IT, you can worry less about the migration itself or your data storage and more on focusing on your area of expertise. Agile IT is a CMMC-AB Registered Provider Organization, and is available to help meet your defense department compliance requirements. For more on how Agile IT can help ease your transition process, contact us today.