One of the most common questions we receive is, “Which cloud is right for us?” Understanding your compliance needs is crucial when comparing GCC High vs. GCC. The distinctions between Commercial, GCC, and GCC High Microsoft 365 cloud computing environments are significant and directly impact security, regulatory adherence, and data sovereignty. Before making a decision, it’s essential to thoroughly understand the unique features, compliance capabilities, and specific requirements of each environment to ensure the best fit for your organization.
What is the difference between GCC and GCC High?
The primary contrast between Microsoft GCC and GCC High lies in the hosting location of the cloud where data (CUI) is housed. GCC High employs Microsoft’s US Sovereign Cloud, situated within the United States, accessible solely to Microsoft personnel possessing U.S. citizenship and specific clearances.
What is Microsoft 365 Commercial?
Commercial Microsoft 365 is the standard Microsoft 365 cloud environment. It is where Enterprise, Business Essentials, Academic, and even home Office 365 tenants reside. It has the most features and tools, nearly global availability, and the lowest prices. Everyone qualifies and no validations are needed. In many cases, security and compliance needs can be met in Commercial through tools like the Enterprise Mobility and Security suite, which includes Intune, Compliance Center, Cloud App Security, Azure Information Protection, and a portion of the Microsoft Defender suite..
Compliance frameworks that can reside in Commercial include HIPAA/HITech, PCI-CSS, GDPR, CCPA, etc. It is not meant for government or defense organizations and should not be used for such as it shares a global infrastructure and workforce. There is the possibility that an organization could meet FedRAMP moderate in Microsoft 365 Commercial, but it would need to be heavily augmented with additional tools to maintain compliance. The expense, complexity, and risk involved makes this an undesirable state, which would be impacted by any changes Microsoft makes to the environment, while leaving you on the hook to patch any gaps. Although it is not officially asserted yet, it is expected that Microsoft 365 commercial meets CMMC Level 1 requirements.
What is Microsoft GCC?
GCC, or Microsoft 365 Government Community Cloud, is a Platform as a Service (PaaS) provided by Microsoft. It is built on the Azure Commercial infrastructure but is distinct from Commercial Office 365, aligning with Microsoft’s accreditation boundary.
Compliance frameworks that can be met in GCC include:
- DFARS 252.204-7012 (As of February 2021 Microsoft will now attest to compliance)
- DoD SRG Level 2 (with no provisional authority)
- FBI CJIS (Criminal Justice Information Services)
- FedRAMP High
To accurately incorporate international traffic considerations, it is important to note that GCC is 100% insufficient for ITAR, EAR and most Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI) handling. The reason behind this is that the identity component and network that GCC resides on is Azure Commercial and does not meet import/export controls since it is global, and access is not limited to U.S Citizens.
Organizations requiring stringent security compliance, especially those needing to limit access exclusively to U.S. citizens, should consider solutions within Azure and GCC High, which offer environments designed to meet these higher security standards.
GCC Employee Background Checks
Additionally, with GCC we begin to see additional employee background checks for Microsoft staff to meet government regulations and various federal, state, and local requirements.
| Microsoft personnel screening and background checks | Description |
|---|---|
| U.S. Citizenship | Verification of U.S. citizenship |
| Employment History Check | Verification of seven (7) year employment history |
| Education Verification | Verification of highest degree attained |
| Social Security Number (SSN) Search | Verification that the provided SSN is valid |
| Criminal History Check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level |
| Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions |
| Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities |
| Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry |
| Fingerprinting Check | Fingerprint background check against FBI databases |
| CJIS Background Screening | State-adjudicated review of federal and state criminal history by state CSA appointed authority within each state that has signed up for the Microsoft CJIS IA program |
What is Microsoft 365 DOD? (Department of Defense Only)
We are only mentioning the DoD enclave here for completeness’ sake. You don’t qualify… unless you are DoD. The DoD cloud was purposely built for the Department of Defense and the DoD only. No contractors, no outside personnel, no exceptions. One thing to mention is that the DoD enclave is the ONLY of the four clouds to meet DoD SRG Levels 5 and 6.
What is GCC High? (A Copy of DOD)
Office 365 GCC High, meaning Government Community Cloud High, was created to meet the needs of DoD and Federal contractors to meet the cybersecurity and compliance requirements of NIST 800-171, FedRAMP High, and ITAR, or who need to manage CUI/CDI.
As a distinct segment within Microsoft’s cloud offerings, GCC High tenants operate in a secure environment, mirroring the DoD cloud but existing in its own sovereign cloud environment due to its specialized security requirements. With GCC High, you begin to see a noticeable loss of feature parity with commercial environments. Things like PSTN Calling/PSTN Conferencing and Microsoft Purview Data Connectors aren’t available.Several tools are available but do not have feature parity - a good example being the Microsoft Defender Suite. The reasons for this are threefold. [Update: Agile IT is now able to enable calling and audio conferencing in GCC High]
- First is the federal approval process. Each feature must be rigorously tested in the DoD and GCC High cloud environments to assure compliance and security.
- Secondly, for many of the applications, a dedicated staff that has passed Department of Defense IT-2 adjudication based on an Office of Personnel Management investigation is required for development and support.
- Finally, some of Microsoft 365 applications will fail to meet compliance requirements by their very nature. Ironically, this happens most frequently with security and governance tools, since they require standing access to data in order to be effective. In some cases, when the tools are critical, such as Azure Sentinel, Cloud App Security and Microsoft Defender the tools are almost completely rebuilt to meet these criteria. For other tools, like Yammer, they are simply left behind with no intent to bring them onto the roadmap.
Feature Parity changes constantly. There are two places where customers can keep up with what is available. The first is the Microsoft Service Description Pages for each product, secondly, you can filter the Office 365 development roadmap for GCC High under the “Cloud Instance” filter.
GCC High Eligibility
GCC High is reserved for the Defense Industrial Base (DIB), DoD contractors, and Federal Agencies. Every customer, including government agencies and qualified private organizations, hoping to move to GCC High must first receive validation from Microsoft, which we cover in our blog, Getting GCC High Validation from Microsoft.
GCC High and DoD Background Checks
Microsoft GCC High and DoD feature the most stringent background checks for employees working in their data centers. It is largely the same as those for GCC cloud with the addition of the DoD IT-2 adjudication. This adjudication is part of an Office of Personnel Management (OPM) level 3 background check.
| U.S. Citizenship | Verification of U.S. citizenship |
|---|---|
| Employment History Check | Verification of seven (7) year employment history |
| Education Verification | Verification of highest degree attained |
| Social Security Number (SSN) Search | Verification that the provided SSN is valid |
| Criminal History Check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level |
| Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions |
| Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities |
| Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry |
| Fingerprinting Check | Fingerprint background check against FBI databases |
| Department of Defense IT-2 | Staff requesting elevated permissions to customer data or privileged administrative access to Dept of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation |
How to Buy GCC High or GCC?
Need to acquire a GCC High or GCC license? Agile IT is one of the few AOS-G partners authorized to license GCC High for any size company (Including under 500 seats). We hold over 15 Microsoft Gold Competencies, are a FastTrack Ready Partner, and were also one of the first Microsoft Partners selected to license and manage Azure Government. Ready to get started? Request a quote today.
Published on: .
Sales@AgileIT.com