Microsoft 365: GCC High, GCC, DoD & Commercial Explained

Which Microsoft 365 cloud environment is right for your organization?

This is one of the most common questions we receive. Understanding the differences between Commercial, GCC, and GCC High is essential, as your compliance needs will dictate the best choice for you.

Here is a brief overview of each environment:

• Commercial: The standard Microsoft 365 cloud, used by organizations of all sizes around the world. It offers the widest range of features and tools, nearly global availability, and the lowest prices.
• GCC: The Government Community Cloud, designed for US government agencies and contractors. It meets the FedRAMP High Impact level of compliance, and data is stored in the US.
• GCC High: The Government Community Cloud High, designed for US Department of Defense (DoD) contractors and other organizations that handle Controlled Unclassified Information (CUI). It meets the DoD SRG Level 4 level of compliance, and data is stored in the US and can only be accessed by US citizens with special clearances.

To choose the right environment for your organization, you need to consider your compliance requirements and budget. If you are unsure which environment is right for you, please contact us for assistance.

What is Microsoft 365 Commercial?

Microsoft 365 Commercial is the standard Microsoft 365 cloud environment. It is used by organizations of all sizes around the world, and it offers the widest range of features and tools, nearly global availability, and the lowest prices.

Microsoft 365 Commercial can be used to meet the compliance requirements of many industries and frameworks, including HIPAA/HITech, NIST 800-53, PCI-CSS, GDPR, and CCPA. However, it is not specifically designed for government or defense compliance, and it should not be used for such purposes.

While it is possible to meet FedRAMP Moderate Impact in Microsoft 365 Commercial, it would require significant additional investment and complexity. This is not a recommended approach, as it would leave your organization vulnerable to changes that Microsoft makes to the environment, and you would be responsible for patching any gaps.

Microsoft 365 Commercial is expected to meet CMMC Level 1 and 2 requirements, but this has not yet been officially confirmed.

Here are some key points to keep in mind about Microsoft 365 Commercial:

• It is the most comprehensive and feature-rich Microsoft 365 environment.
• It is also the most affordable environment.
• It can be used to meet the compliance requirements of many industries and frameworks, but it is not specifically designed for government or defense compliance.
• If you need to meet FedRAMP Moderate Impact or higher, or if you have other specific compliance requirements, you should consider using a different Microsoft 365 environment, such as GCC or GCC High.

Which Microsoft 365 environment is right for you?

To choose the right Microsoft 365 environment for your organization, you need to consider your specific needs and requirements. Here are some questions to ask yourself:

• What industries and frameworks do I need to comply with?
• What is my budget?
• What features and functionality are important to me?
• What level of security and compliance do I need?

Once you have answered these questions, you can start to narrow down your choices. If you are still unsure which environment is right for you, please contact a Microsoft partner or reseller for assistance.

What is Microsoft GCC?

Microsoft GCC (Government Community Cloud) is a cloud computing environment designed for US government agencies and contractors. It offers the same features and functionality as Microsoft 365 Commercial, but it stores data in the US and meets the FedRAMP Moderate Impact level of compliance.

GCC is a good choice for organizations that need to meet the requirements of FedRAMP Moderate, DFARS 252.204-7012, DoD SRG Level 2, or FBI CJIS. However, it is not sufficient for handling ITAR, EAR, or most CUI and CDI.

Here are some key points to keep in mind about Microsoft GCC:

• It is designed for US government agencies and contractors.
• It stores data in the US and meets the FedRAMP Moderate Impact level of compliance.
• It offers the same features and functionality as Microsoft 365 Commercial.
• It is not sufficient for handling ITAR, EAR, or most CUI and CDI.

If you are considering using Microsoft GCC, you should carefully evaluate your compliance requirements to make sure that it is the right choice for your organization.

Here are some additional reasons why GCC is not sufficient for handling ITAR, EAR, or most CUI and CDI:

• GCC uses the same identity and network as Azure Commercial, which is not limited to US citizens. This means that there is a risk that foreign nationals could access CUI or CDI data.
• GCC does not meet the encryption requirements for ITAR data.
• GCC does not meet the physical security requirements for most CUI and CDI data.

If you need to handle ITAR, EAR, or most CUI and CDI data, you should consider using Microsoft GCC High. GCC High is designed to meet the most stringent security requirements, including those for ITAR and CUI.

GCC Employee Background Checks

Microsoft GCC employee background checks are more stringent than those required for commercial Microsoft 365 tenants. This is because GCC is designed for US government agencies and contractors, which must comply with a variety of federal, state, and local government requirements.

The following background checks are required for GCC employees:

• U.S. Citizenship Verification: Verification that the employee is a US citizen.
• Employment History Check: Verification of the employee's employment history for the past seven years.
• Education Verification: Verification of the employee's highest degree attained.
• Social Security Number (SSN) Search: Verification that the provided SSN is valid.
• Criminal History Check: A seven-year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level.
• Office of Foreign Assets Control List (OFAC): Validation against the Department of Treasury list of groups with whom US persons are not allowed to engage in trade or financial transactions.
• Bureau of Industry and Security List (BIS): Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities.
• Office of Defense Trade Controls Debarred Persons List (DDTC): Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry.
• Fingerprinting Check: Fingerprint background check against FBI databases.
• CJIS Background Screening: State-adjudicated review of federal and state criminal history by state CSA appointed authority within each state that has signed up for the Microsoft CJIS IA program.

Some organizations may also require additional background checks, such as a drug test or a credit check.

GCC employee background checks are typically conducted by third-party background check companies. The cost of the background checks will vary depending on the number of checks required and the company you choose.

It is important to note that GCC employee background checks can take several weeks to complete. Therefore, it is important to start the process early, especially if you are hiring for a critical position.

What is Microsoft 365 DOD?

Microsoft 365 DoD (Department of Defense) is a cloud computing environment designed specifically for the US Department of Defense. It offers the same features and functionality as Microsoft 365 Commercial, but it stores data in the US and meets the DoD SRG Levels 5 and 6 security requirements.

DoD SRG Levels 5 and 6 are the highest levels of security compliance in the US government. They are required for handling Controlled Unclassified Information (CUI) and Classified Information, respectively.

Microsoft 365 DoD is only available to US Department of Defense personnel and contractors. It is not available to the general public.

Here are some key points to keep in mind about Microsoft 365 DoD:

• It is designed specifically for the US Department of Defense.
• It stores data in the US and meets the DoD SRG Levels 5 and 6 security requirements.
• It offers the same features and functionality as Microsoft 365 Commercial.
• It is only available to US Department of Defense personnel and contractors.

If you are considering using Microsoft 365 DoD, you should carefully evaluate your compliance requirements to make sure that it is the right choice for your organization.

What is GCC High? (A Copy of DOD)

Microsoft GCC High is a cloud computing environment designed for US Department of Defense contractors and other organizations that handle Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI). It meets the stringent cybersecurity and compliance requirements of NIST 800-171, FedRAMP High, and ITAR.

GCC High is technically a copy of the DoD cloud, but it exists in its own sovereign environment. This means that data stored in GCC High is isolated from data stored in other Microsoft cloud environments, such as Azure Commercial and GCC.

GCC High offers a wide range of features and functionality, but there are some key differences between it and commercial Microsoft 365 environments. For example, Calling Plans and Compliance Manager are not available in GCC High, and several tools like Microsoft Defender ATP, Cloud App Security, and Intune have reduced functionality.

There are a few reasons for these differences. First, each feature must be rigorously tested in the GCC High cloud to assure compliance and security. Second, some features require dedicated staff that has passed Department of Defense IT-2 adjudication to develop and support. Finally, some features, such as Yammer, simply do not meet the compliance requirements of GCC High.

Feature parity between GCC High and commercial Microsoft 365 environments is constantly changing. Customers can keep up with what is available by checking the Microsoft Service Description Pages for each product and filtering the Office 365 development roadmap for GCC High under the “Cloud Instance” filter.

Here are some of the key benefits of using Microsoft GCC High:

• It meets the most stringent cybersecurity and compliance requirements in the US government.
• It offers a wide range of features and functionality, including many of the same features found in commercial Microsoft 365 environments.
• It is isolated from other Microsoft cloud environments, which helps to protect data security.

However, it is important to note that GCC High is not a perfect solution. It has some key limitations, such as reduced feature parity and increased complexity.

If you are considering using Microsoft GCC High, you should carefully evaluate your needs and requirements to make sure that it is the right choice for your organization.

GCC High Eligibility

Yes, GCC High is reserved for the Defense Industrial Base (DIB), DoD contractors, and Federal Agencies. This is because GCC High is designed to meet the most stringent cybersecurity and compliance requirements in the US government.

To be eligible for GCC High, organizations must meet the following criteria:

• Be a US-based organization.
• Have a valid FedRAMP High authorization or be working towards one.
• Be able to demonstrate that they need to use GCC High to meet their compliance requirements.

Organizations that meet the eligibility criteria can apply for GCC High validation through the Microsoft GCC High Validation Portal. The validation process typically takes several weeks to complete.

Once an organization has been validated for GCC High, they can begin provisioning users and migrating data. Microsoft provides a variety of resources to help organizations with this process.

Here are some of the benefits of using GCC High:

• It meets the most stringent cybersecurity and compliance requirements in the US government.
• It offers a wide range of features and functionality, including many of the same features found in commercial Microsoft 365 environments.
• It is isolated from other Microsoft cloud environments, which helps to protect data security.

However, it is important to note that GCC High is not a perfect solution. It has some key limitations, such as reduced feature parity and increased complexity.

If you are considering using Microsoft GCC High, you should carefully evaluate your needs and requirements to make sure that it is the right choice for your organization.

How to Buy GCC High or GCC?

You can buy GCC High and GCC through a Microsoft Partner like Medha Cloud Solutions LLC. Medha Cloud Solutions LLC is one of the only AOS-G partners authorized to license GCC High for any size company. They hold over 15 Microsoft Gold Competencies, are a Fast Track Ready Partner, and were also one of the first Microsoft Partners selected to license and manage Azure Government.

To buy GCC High or GCC, you can contact Medha Cloud Solutions LLC and they will work with you to determine the best cloud environment for your organization's needs. They will also help you with the provisioning and migration process.

Here are some of the benefits of working with Medha Cloud Solutions LLC to buy GCC High or GCC:

• They have a deep understanding of the Microsoft cloud platform and can help you choose the right cloud environment for your needs.
• They have a proven track record of success in helping organizations migrate to the cloud.
• They offer a variety of support services to help you get the most out of your cloud investment.

If you are considering using GCC High or GCC, I recommend that you contact Medha Cloud Solutions LLC to learn more about their services and how they can help you.