Microsoft GCC High and CMMC Compliance

Summary: Microsoft GCC High is not mandatory for CMMC compliance but it is needed if your organization handles CUI. Let us discuss more in this article.

It is one of the most common questions that whether you need GCC High (Government Cloud Computing High) for CMMC compliance or not. The right answer to this question is ‘no’. Microsoft Office 365 GCC High is not a mandatory requirement under the Cybersecurity Maturity Model Certificate (CMMC) requirements. However, a contractor will need this cloud computing platform if it handles Controlled Unclassified Information (CUI).

What is CMMC?

There is a series of five levels that build upon each other in the CMMC. The first two levels are meant to protect the Federal Contract Information (FCI) under the Federal Acquisitions Regulation (FAR) while the next three levels are meant to protect the CUI. The reporting requirements of Defense Federal Acquisition Regulation Supplement (DFARS)252.204-7012 are not included in the CMMC in its practice. However, this reporting is still a contractual requirement. It is an important step as it ensures the application of the CMMC in other industries and agencies. For example, the US Department of Homeland Security recently allowed that they would make CMMC compliance a mandatory requirement for their contractors. In the STARS III contract, the CMMC had been added as a requirement by the federal government. A contractor can easily meet the CMMC Level 1 and Level 2 requirements by using Microsoft 365 Commercial.

Do You Need GCC High if you Handle CUI?

The first two levels of CMMC compliance can be achieved by using M365 Commercial. However, for Level 3, Level 4, and level 5, you should have GCC High to ensure your CMMC compliance. They can also be achieved by using GCC or Commercial, but there are various risk factors associated with them. For long-term overall compliance with the federal regulations, the companies must have to plan to shift to Microsoft GCC High.

What is the Difference between Microsoft GCC High and Microsoft GCC?

GCC and GCC High have similar features and functionalities. However, there are some differences in terms of their cloud services. GCC provides cloud services to ensure compliance of the contractors with the federal, tax system, and criminal justice system while Microsoft GCC High deals with the compliance of contractors with DFARS, CMMC, DoD Security Requirements Guidelines, and other similar areas. Most of the features of both platforms are similar except for some dissimilarities. That is why the organizations must have to identify their needs and eligibility before choosing one of these two platforms. If your needs and eligibility can be accomplished by GCC, then you should go for it as GCC High is more costly. But if your needs and eligibility demand GCC High, then you should invest in it to ensure your compliance.


The DoD contractors are required to get compliant with the CMMC framework. The DoD is keen to protect the CUI under the CMMC. If your organization handles the CUI, then you will need Microsoft GCC High to ensure CMMC compliance. For overall compliance of an organization with important cybersecurity regulations, GCC High will be needed by a contractor. So, you should plan to transfer to this cloud computing platform as soon as possible.