Decoding CMMC Compliance: Understanding When to Use GCC or GCC High
Compliance, data protection, and data sovereignty are crucial facets of modern businesses, especially those that deal with sensitive government data. Microsoft has risen to this challenge by providing distinct cloud solutions tailored to various compliance needs. Two prominent offerings, Microsoft’s Government Community Cloud (GCC) and GCC High, are versions of the Microsoft 365 suite that are designed to address different compliance levels. This article will help you understand when to opt for either GCC or GCC High, particularly if you are considering Cybersecurity Maturity Model Certification (CMMC). For a full analysis, download our Buyer’s Guide to GCC and GCC High.
The GCC and GCC High Breakdown
Microsoft’s GCC caters to a broad spectrum of governmental organizations, such as federal civilian agencies and contractors as well as state and local governments. GCC High is specifically engineered for the Defense Industrial Base (DIB) and delivers a solution that supports higher compliance requirements. The choice between the two typically depends on the nature of the data you handle and the level of compliance you need to achieve.
When to Consider GCC?
You should contemplate using the GCC platform:
- If you need to comply with DFARS 252.204-7012
- For achieving CMMC Level 2 (but with caveats; more on this below…)
- If you handle data that has IRS-1075 or CJIS requirements
That said, GCC falls short when it comes to supporting U.S. data sovereignty requirements, such as handling export-controlled data under the International Traffic in Arms Regulations (ITAR). If your business currently needs (or will in the future need) to comply with these requirements, you should consider GCC High instead.
When to Opt for GCC High?
GCC High, on the other hand, is your ideal choice when you:
- Handle export-controlled data under ITAR or Export Administration Regulations (EAR)
- Handle certain types of Controlled Unclassified Information (CUI) that require U.S. data sovereignty
- Anticipate handling such data in the future
It’s important to keep in mind that even if you only require GCC now, choosing GCC High in anticipation of future requirements can save you the inconvenience and cost of a migration later.
What about CMMC?
For defense contractors who are planning for CMMC, our opinion is that GCC High is likely the most appropriate choice given CMMC’s stringent data protection and sovereignty requirements.
- GCC may be suitable for CMMC Level 2, but it cannot support U.S. data sovereignty requirements, such as those that apply to export-controlled data under ITAR.
- If you will never hold CUI and only need to achieve CMMC Level 1, you may be able to consider GCC or even Commercial, depending on your other business requirements.
Choosing between GCC and GCC High should be driven by your data handling needs, along with your current and future compliance requirements. Our full GCC and GCC High Buyer’s Guide can help you navigate all your Microsoft licensing options, based on your current – and future – business needs. Another good source of information is Microsoft’s Public Sector blog, which provides monthly updates on both functionality and compliance for GCC and GCC High.
Lastly, the C3 team is an invaluable source of information and experience: we’ve been migrating clients to GCC or GCC High for years and can provide a deep dive into the various Microsoft cloud offerings based on the hundreds of real-world scenarios and business needs we’ve navigated first-hand. Our biggest tip? It’s better to select a cloud solution that can accommodate both your current state AND future growth and changes in compliance needs, to avoid future disruptions and added costs.
In the digital world, choosing the right cloud environment is critical to meeting your organization’s compliance requirements, protecting data, and future-proofing your operations. With the right guidance, you can make an informed decision about whether GCC or GCC High is right for you.