Back

What Is GCC and GCC High?

Microsoft Office 365 has four cloud environments for its users, each one serving a different purpose. Understanding the differences between them is crucial in determining which one you'll need to utilize based on your specific requirements...

5 min read
Published on Jan 25, 2021
What Is GCC and GCC High?

Microsoft Office 365 has four cloud environments for its users, each one serving a different purpose. Understanding the differences between them is crucial in determining which one you’ll need to use and why you’ll need to use it. Depending on the level of screening you’ll need to undergo to access a specific environment, the type of cloud you use will vary. Government users require more background checks and more secure environments for their data, so Microsoft established new environments with this in mind.

The first cloud developed was Microsoft Office 365 (Commercial). This is the general type of cloud environment most Office 365 users use. From there, Office 365 GCC (Government Community) was established for government users. This offered data residency rather than data sovereignty (more on the difference between those two below). Microsoft developed a cloud specifically for the Department of Defense (DOD), which received authorization for impact Level 5 in Azure Government. The only issue here was that only DOD personnel were allowed into this Level 5 environment. That’s why GCC High was born — this was a cloud environment for other agencies and contractors to access as well.

Let’s take a closer look at the concept of data residency vs. data sovereignty, the types of cloud environments (specifically GCC and GCC High), and how they differ, as well as the major distinctions between Azure Commercial and Azure Government.  

Data Residency vs Data Sovereignty

It’s important to understand the difference between data residency and data sovereignty. The terms are  interchangeable at times, but there are notable and significant distinctions between the two. Data residence refers to the location data stored in at rest without any controls to keep it from moving to another location. Data sovereignty refers to restrictions in place to keep data in the same location at all times. The concept of data sovereignty is relatively new, gaining awareness after Edward Snowden’s surveillance disclosures in 2013.

It’s also critical to note that data sovereignty is not a global constant. While data sovereignty is a requirement in the U.S., not every nation requires it. Knowing the difference between the two is crucial to understanding whether an environment supports global residency and sovereignty requirements such as GDPR, CCPA, and ITAR. Each cloud environment has different requirements with which it is compliant.

Now that you understand the distinction between data residence and data sovereignty, let’s take a deeper dive into the various cloud environments and how they can accommodate for data residency and data sovereignty requirements.

Commercial

Microsoft Office 365 Commercial is the form of Office 365 used outside the government by most private sector organizations that use Office 365. It was built on globally replicated directory services with a global network and global support personnel. Within Commercial, there’s a multi-geo service that addresses data residency requirements. This is perfect for meeting compliance frameworks such as GDPR, HIPAA, PCI, and FINRA. Where it’s lacking is having export controls for ITAR to ensure information doesn’t leave the U.S. You can achieve data residency with Office 365 commercial and some data sovereignty requirements, but not for DFARS and ITAR.

GCC

GCC (Government Community) is a copy of Office 365 commercial. State, local, federal, and tribal governments use it. Screened personnel use it and allow for data residency. From a feature parity standpoint, GCC is usually not far behind Commercial in terms of feature updates. Additionally, GCC is compliant with DFARS.

GCC High

GCC High is a copy of the DOD cloud environment for use by DOD contractors and cabinet-level agencies as well as cleared personnel. One critical distinction: when handling classified data, environments have a high side and a low side, the high side existing so users can handle classified data. GCC High is NOT a high side environment. It received its name because it meets FedRAMP high impact requirements.

For many government standards, one must make sure anyone working in the environment meets the requirements of specific government background checks. GCC High acts as a data enclave of Office Commercial. It’s compliant with DFARS, ITAR, NIST-800 171, and NIST-800 53.

Regarding feature parity: Microsoft does not offer any calling plans available in GCC High. There’s also often a 10-13 month gap between when features are available in Commercial and when they become available in GCC High.

Azure Commercial Vs Azure Government

What is GCC and GCC High? Both Commercial and GCC pair with Azure Active Directory in Azure Commercial. Data residency is available while data sovereignty is not. Many state, local, and federal civilian agencies will not deploy workloads in Azure Commercial.

Azure Government (or Azure Gov) is isolated physically and virtually. It exists in a compliance foundry dedicated to U.S. government workloads. It’s exclusively for the federal government and contractors. Four key things to remember about Azure Gov are:

  • It has U.S. sovereign directory services (unlike Azure Commercial, it’s not global).
  • It’s on a sovereign network. Data transmission and processing occur in the continental U.S. only.
  • Support personnel is limited to screened U.S. persons.
  • It supports US export-controlled data.

How CallTower and Agile IT Have Teamed up to Help You

While it seems difficult to navigate through the various cloud environments, having a partner in the process helps. What’s even better is having two partners with the experience and knowledge in managing these Office 365 cloud environments, ensuring you’re using the right one and fulfilling all necessary requirements. As noted above, one challenge with GCC High is that Microsoft Calling plans aren’t available within it. However, CallTower and Agile IT have teamed up to provide compliant VOIP solutions as part of Agile IT’s unique GCC High compliance foundation. This will enable DOD contractors to stay compliant with all ITAR and CMMC requirements with the use of a single platform. For more information on how our partnership can help you start calling in GCC High, contact us today!

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

How MSPs, RPOs, and C3PAOs Help Organizations Achieve CMMC Compliance

How MSPs Help Organizations Achieve CMMC Compliance

MSPs, RPOs, and C3PAOs play a crucial role in CMMC compliance. Learn how to choose the right consultant, third-party auditor, or provider to meet CMMC certification requirements.

May 20, 2025
8 min read
CMMC Compliance Requirements for Level 1 Level 2 and Level 3

CMMC Compliance Requirements for Level 1 Level 2 and Level 3

CMMC certification requires different cybersecurity controls at each level. Learn the key requirements for Level 1, Level 2, and Level 3 compliance and how they align with NIST 800-171.

May 16, 2025
5 min read
Common Questions About Azure Migration Answered

Common Questions About Azure Migration Answered

Get answers to the most common Azure migration questions. Learn about costs, best practices, security, compliance, and troubleshooting cloud migration challenges.

Apr 29, 2025
3 min read
AVD vs W365 in GCC high reducing your CMMC scope

AVD vs W365 in GCC High Reducing Your CMMC Scope and Simplifying Compliance

Comparing AVD vs W365 for GCC High? Learn how each can reduce your CMMC assessment scope and simplify security and compliance management in government environments.

Apr 28, 2025
7 min read
Office 365 License Comparison: Business Plans Vs. E5, E3 and E1

Implementing Cybersecurity Policies for CMMC Compliance and Managing CUI

CMMC compliance requires well-documented cybersecurity policies. Learn how to implement security controls, create an SSP and POA&M, and manage Controlled Unclassified Information (CUI).

Apr 25, 2025
7 min read
CMMC compliance for DoD contractors

CMMC Compliance Requirements for DoD Contractors and Subcontractors in the Defense Industry

CMMC compliance is mandatory for DoD contractors and subcontractors. Learn about certification levels, requirements, and the consequences of failing to meet compliance.

Apr 24, 2025
6 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation