Organizations working with the United States Government public sector face a wide array of compliance requirements, depending on the department or agency, the type of data and communications involved, and the type of work being performed.
This is general guidance and not an authoritative answer. We always recommend the following:
- Work with your program office
- Validate with an assessment/auditor
On this page, we’ll provide a quick primer on specific terms and where they come from. This is important for understanding how they’ll later map to your requirements. If you already know this, you can navigate down to the Government Compliance Matrix to dive straight into what you’re looking for.
Leveraging Microsoft 365 and Azure services to reduce the risk and overhead of meeting security and compliance requirements, while also gaining productivity and room to innovate, is a core motivator for many organizations.
Where does GCC come from?
The term Community Cloud originated from the National Institute of Standards and Technology (NIST) Special Publication 800-145, “The NIST Definition of Cloud Computing” (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf).
The following is a snippet from that publication:
- Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
- Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
- Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
- Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
What’s the difference between GCC Low, GCC Moderate, and GCC High?
The “Government” prefix in “Government Community Cloud” builds on NIST’s community cloud definition above, and the distinction between Low, Moderate and High also comes from NIST (FIPS 199 impact levels) and is leveraged by FedRAMP when authorizing cloud service offerings.
The following snippet is from FedRAMP: https://www.fedramp.gov/baselines/
Federal Information Processing Standard (FIPS) 199 provides the standards for the security categorization of federal information and information systems. FedRAMP authorizes Cloud Service Offerings (CSOs) at the: Low (including Tailored Li-SaaS), Moderate, and High impact levels. FedRAMP Tailored was developed to support industry solutions that are low risk and low cost for agencies to deploy and use. Tailored policy and requirements provide a more efficient path for Low Impact-Software as a Service (LI-SaaS) providers. The LI-SaaS Baseline accounts for Low-Impact SaaS applications that do not store personal identifiable information (PII) beyond that is generally required for login capability (i.e. username, password, and email address).
Now we can put all this together and we get:
- Government Community Cloud, Low Impact (GCC Low)
- Government Community Cloud, Moderate Impact (GCC Moderate)
- Government Community Cloud, High Impact (GCC High)
New offerings are showing up on the Internet claiming that you don’t need GCC or GCC High and that they meet government requirements. We recommend the following:
- Visit the FedRAMP Marketplace to check whether the offering is authorized at the impact level you require.
- Validate with an assessment/auditor
What are Microsoft GCC and GCC High?
The term GCC by itself is commonly used to mean GCC Moderate. We’ll continue with that usage here.
- GCC (GCC Moderate) is hosted on Microsoft’s commercial/global platform. Depending on your target compliance requirements and contract, this may meet your objective.
- GCC High is a sovereign cloud offering in which Microsoft ensures that its part of the shared responsibilities (data storage location, access, background checks for operations and support staff, etc.) is met.
As defined by Microsoft:
The Office 365 GCC environment provides compliance with federal requirements for cloud services, including FedRAMP High, Defense Federal Acquisition Regulations Supplement (DFARS), and requirements for criminal justice and federal tax information systems (CJI and FTI data types).
The Office 365 GCC High and DoD environments deliver compliance with Department of Defense Security Requirements Guidelines, Defense Federal Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR).
GCC High isn’t just a marketing name with small differences in licensing and deployment. It is much more than that.
At this point you’re probably thinking only about Microsoft 365, but the majority of public sector deployments include Azure Government as well.