Why GCC High Compliance Verification Cannot Wait Until After Go-Live
Defense contractors and federal agencies that migrate to Microsoft GCC High often assume the platform does the heavy compliance lifting for them. It does not. Microsoft provides the compliant infrastructure. You are responsible for configuring it correctly, documenting your controls, and proving your configuration holds up under audit. That distinction has cost more than a few organizations their contracts.
This checklist covers 25 controls that compliance managers and IT leads must verify before any GCC High tenant goes live. Whether you are migrating from commercial Microsoft 365, consolidating tenants after an acquisition, or standing up a new environment to meet ITAR and CMMC 2.0 requirements, these items are non-negotiable.
Tenant Configuration Controls
The foundation of your GCC High compliance posture starts with how the tenant itself is configured. Errors at this level cascade through every downstream control.
- Verify the tenant is provisioned in the correct GCC High environment. Confirm your tenant URL resolves to a GCC High endpoint, not a commercial or GCC one. Check your license agreement and confirm U.S.-only data residency is enforced.
- Confirm FedRAMP High authorization boundaries are in scope. Document which Microsoft services in your deployment carry FedRAMP High authorization and which do not. Third-party integrations frequently fall outside the boundary.
- Validate that no commercial Microsoft 365 accounts have cross-tenant access. Hybrid configurations that allow commercial tenant users to access GCC High resources are a common ITAR violation vector. Review external access settings in the Entra ID admin center.
- Review geographic data residency settings. Confirm data at rest is stored exclusively in continental United States datacenters. Pull the data location report from the Microsoft 365 admin center and retain it as evidence.
- Audit all active subscriptions and licenses. Unused licenses assigned to former employees or test accounts expand your attack surface. Reconcile licenses against your current user roster before go-live.
Identity and Access Management Controls
Identity is the perimeter in a cloud environment. The controls below align with both NIST SP 800-171 and the GCC High features that enable CMMC compliance.
- Enable and enforce multi-factor authentication for all users. MFA must be mandatory, not optional. Conditional Access policies should block any authentication attempt that bypasses MFA, including legacy authentication protocols.
- Disable legacy authentication protocols. Basic authentication, SMTP AUTH, and similar legacy protocols do not support modern MFA challenges. Disable them in Exchange Online and Entra ID before go-live.
- Configure Privileged Identity Management (PIM) for admin roles. Global Administrator and other privileged roles should use just-in-time activation with approval workflows. Permanent standing admin assignments are a significant audit finding.
- Review and restrict guest and external user access. GCC High environments handling CUI or ITAR-controlled technical data should have guest access disabled or heavily restricted. Document any exceptions with a business justification.
- Enforce Conditional Access policies based on device compliance and location. Unmanaged personal devices accessing GCC High data present unacceptable risk in regulated environments. Require Intune-enrolled, compliant devices as a Conditional Access condition.
- Verify role-based access control (RBAC) assignments are documented. Every privileged role assignment must be traceable to an authorization record. Your System Security Plan should reflect actual role assignments in the tenant.
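The MFA, legacy-authentication and device-compliance items above can be checked mechanically against an export of the tenant's Conditional Access policies. The script below is an added example, not code from the original checklist or from Cleared Systems; it reads the `value` array returned by the Microsoft Graph endpoint `GET /identity/conditionalAccess/policies` and reports which of the three controls has an enforced policy behind it. The `SAMPLE_POLICIES` list is constructed for illustration (the excluded break-glass account id is a placeholder), and the function names are the author's own.

```python
"""Gap check over an exported Conditional Access policy set (added example).

Input: the 'value' array from GET /identity/conditionalAccess/policies,
saved to a JSON file. Report-only and disabled policies enforce nothing,
so only state == "enabled" counts toward a control.
"""
import json
import sys

# Graph clientAppTypes values for legacy (non-modern-auth) and modern clients.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
MODERN_CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients"}


def _enforced(policy):
    return policy.get("state") == "enabled"


def _all_users(policy):
    return policy.get("conditions", {}).get("users", {}).get("includeUsers") == ["All"]


def _all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return apps.get("includeApplications") == ["All"] and not apps.get("excludeApplications")


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _client_types(policy):
    return set(policy.get("conditions", {}).get("clientAppTypes") or [])


def _covers_modern_clients(policy):
    types = _client_types(policy)
    return "all" in types or MODERN_CLIENT_TYPES <= types


def requires_mfa_for_all(policies):
    """Enforced policy requiring MFA for all users, all apps, modern clients."""
    return any(_enforced(p) and _all_users(p) and _all_apps(p)
               and _covers_modern_clients(p) and "mfa" in _controls(p) for p in policies)


def blocks_legacy_auth(policies):
    """Enforced policy blocking Exchange ActiveSync and 'other' clients for all users."""
    return any(_enforced(p) and _all_users(p) and _all_apps(p)
               and LEGACY_CLIENT_TYPES <= _client_types(p) and "block" in _controls(p)
               for p in policies)


def requires_compliant_device(policies):
    """Enforced policy granting access only from Intune-compliant devices."""
    return any(_enforced(p) and _all_users(p) and _all_apps(p)
               and _covers_modern_clients(p) and "compliantDevice" in _controls(p)
               for p in policies)


def exclusions_to_document(policies):
    """Enforced policies with user/group exclusions; each needs a written justification."""
    names = []
    for p in policies:
        users = p.get("conditions", {}).get("users", {})
        if _enforced(p) and (users.get("excludeUsers") or users.get("excludeGroups")):
            names.append(p.get("displayName", "<unnamed>"))
    return names


def gap_report(policies):
    checks = {
        "mfa_for_all_users": requires_mfa_for_all(policies),
        "legacy_auth_blocked": blocks_legacy_auth(policies),
        "compliant_device_required": requires_compliant_device(policies),
    }
    return {"checks": checks,
            "gaps": [name for name, ok in checks.items() if not ok],
            "exclusions_to_document": exclusions_to_document(policies)}


# Constructed sample policies (not from a real tenant). CA002 is report-only,
# which is exactly the kind of "configured but not enforced" gap to catch.
SAMPLE_POLICIES = [
    {"displayName": "CA001 - Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["<break-glass-account-object-id-placeholder>"],
                              "excludeGroups": []},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 - Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA003 - Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
        policies = data.get("value", data) if isinstance(data, dict) else data
    else:
        policies = SAMPLE_POLICIES
    print(json.dumps(gap_report(policies), indent=2))
```

Run it with the path to the exported JSON as the only argument; with no argument it evaluates the constructed sample, where the report-only legacy-auth policy shows up as the single gap and CA001 is listed as a policy whose exclusion must be justified in writing. The check is deliberately strict: a policy scoped to a group, or one that excludes applications, does not satisfy a control that the checklist says applies to all users.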
Data Protection and CUI Handling Controls
Controlled Unclassified Information handling is where most organizations encounter their first significant compliance gap. Review our guidance on CUI compliance and protection with Microsoft Security alongside these controls.
- Configure Microsoft Purview sensitivity labels for CUI categories. Labels must align to the National Archives CUI Registry categories applicable to your contracts. Apply default labels to SharePoint libraries, Teams channels, and Exchange mailboxes that process CUI.
- Enable and test Data Loss Prevention policies. DLP policies must prevent unauthorized exfiltration of CUI to personal email accounts, unapproved cloud storage, and external recipients outside your approved partner list. Test policies before go-live, not after. See our post on understanding Data Loss Prevention for configuration guidance.
- Verify Microsoft Purview Information Protection is configured for ITAR technical data. ITAR-controlled technical data requires encryption that persists outside the Microsoft environment. Confirm Azure Information Protection policies enforce rights management on documents leaving the tenant.
- Enable audit logging across all workloads. Unified audit logging must be active in the Microsoft Purview compliance portal. Confirm log retention meets your contractual and regulatory requirements, typically a minimum of one year with 90 days immediately accessible.
- Set SharePoint and OneDrive external sharing to disabled or restricted. Default external sharing settings in Microsoft 365 are far too permissive for a GCC High environment. Set external sharing to disabled at the tenant level and document any site-level exceptions with authorization.
Endpoint and Device Security Controls
GCC High tenant controls are only as strong as the endpoints connecting to them. These items address the device layer.
- Enroll all user devices in Microsoft Intune and verify compliance policies. Compliance policies must enforce disk encryption, screen lock, OS patch currency, and antivirus status. Non-compliant devices should be blocked from accessing GCC High resources via Conditional Access.
- Verify Microsoft Defender for Endpoint is deployed and reporting. Defender for Endpoint must be active on all in-scope devices. Confirm alerts are routed to a monitored security operations function, not silently accumulating in an unreviewed portal.
- Confirm endpoint detection and response telemetry is retained per policy. Six months of EDR telemetry is a common audit expectation under CMMC Level 2. Verify your Defender for Endpoint log retention settings before go-live.
Email Security and Communication Controls
- Configure Defender for Office 365 anti-phishing, anti-malware, and safe links policies. Default policies are insufficient for regulated environments. Deploy strict preset security policies and verify they are applied to all in-scope mailboxes.
- Enable transport rules that restrict outbound email containing CUI to approved recipients. Use DLP and mail flow rules together to enforce CUI handling in email. Test with synthetic CUI content before go-live to confirm rules trigger correctly.
- Verify DMARC, DKIM, and SPF records are properly configured. Email authentication failures are both a security and a compliance issue. Confirm all sending domains have published accurate SPF records, DKIM signatures are active, and the DMARC policy is set to at least quarantine.
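The SPF, DKIM and DMARC checks above can be scripted against DNS. The code below is an added example, not from the original checklist or from Cleared Systems; it evaluates a domain for exactly the three conditions the item names (a single SPF record with a fail or softfail qualifier, an active DKIM selector, a DMARC policy of at least quarantine). Lookups go through a `lookup_txt` function so the example runs offline against the constructed `TXT_RECORDS` table; to check a live domain, substitute a real resolver such as `dns.resolver` from dnspython. The domains, addresses and key material are constructed placeholders.

```python
"""Evaluate SPF, DKIM and DMARC for a sending domain (added example).

Works over an injectable TXT lookup so it runs offline on constructed
records; a real resolver also follows the CNAME that Microsoft 365 DKIM
selectors use.
"""

# Constructed TXT records keyed by owner name; not real domains' data.
TXT_RECORDS = {
    "example.com": ["v=spf1 include:spf.protection.office365.us -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=<base64-public-key-placeholder>"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com"],
    # A second domain with three defects: duplicate SPF, no DKIM, DMARC p=none.
    "example.net": ["v=spf1 include:spf.protection.office365.us ~all",
                    "v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
}

DKIM_SELECTORS = ("selector1", "selector2")  # selector names Microsoft 365 publishes


def lookup_txt(name):
    return TXT_RECORDS.get(name.lower(), [])


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, lookup):
    findings = []
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; RFC 7208 allows exactly one "
                        "and receivers treat duplicates as a permanent error")
    last_term = spf[0].split()[-1].lower()
    if last_term not in ("-all", "~all"):
        findings.append("SPF: record does not end in -all or ~all, so unlisted senders pass")
    return findings


def check_dkim(domain, lookup):
    for selector in DKIM_SELECTORS:
        for record in lookup(f"{selector}._domainkey.{domain}"):
            if parse_tags(record).get("p"):  # an empty p= means the key was revoked
                return []
    return ["DKIM: no selector with a published public key (p=) found"]


def check_dmarc(domain, lookup):
    records = [r for r in lookup(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no _dmarc record published"]
    tags = parse_tags(records[0])
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={tags.get('p', '<missing>')} is weaker than quarantine")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def evaluate_domain(domain, lookup=lookup_txt):
    """Return a pass/fail verdict with the list of findings for one sending domain."""
    findings = check_spf(domain, lookup) + check_dkim(domain, lookup) + check_dmarc(domain, lookup)
    return {"domain": domain, "passed": not findings, "findings": findings}


if __name__ == "__main__":
    for domain in ("example.com", "example.net"):
        result = evaluate_domain(domain)
        print(domain, "PASS" if result["passed"] else "FAIL")
        for finding in result["findings"]:
            print("  -", finding)
```

Run the evaluation for every domain that sends mail from the tenant, including any onmicrosoft.us default domain still in use, and keep the output as go-live evidence. A softfail (`~all`) is accepted here because the checklist item does not require hard fail, but `p=none` is always reported since it leaves DMARC in monitoring mode.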
Documentation, SSP, and Governance Controls
Configuration alone is not compliance. Assessors expect documented evidence of how controls are implemented and maintained. Our CMMC, CUI, and DFARS compliance services include full SSP development and control mapping support.
- Update your System Security Plan to reflect the GCC High environment. Your SSP must accurately describe the GCC High authorization boundary, the controls inherited from Microsoft, and the customer-responsible controls your organization implements. An outdated SSP from a previous on-premises environment will not satisfy a CMMC assessor.
- Document the shared responsibility model for all applicable controls. Microsoft covers infrastructure-level controls. You own identity configuration, data classification, endpoint management, and policy enforcement. The line between inherited and customer-managed must be explicit in your documentation.
- Establish a continuous monitoring and review cadence before go-live. A compliant GCC High environment on day one can drift into non-compliance within weeks if no one is watching. Assign ownership for monthly Secure Score reviews, quarterly access recertification, and annual SSP updates before the tenant goes live.
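The quarterly access recertification above, together with the identity-section requirement that every privileged role assignment be traceable to an authorization record and that standing admin assignments be replaced by just-in-time activation, is a reconciliation that can be automated. The script below is an added example, not code from the original checklist or from Cleared Systems. It models a subset of the fields Microsoft Graph returns from `GET /roleManagement/directory/roleAssignmentScheduleInstances` (PIM active assignments) and `GET /roleManagement/directory/roleDefinitions`, and compares them with an authorization register kept by the compliance team. All identifiers, principals and ticket references below are constructed placeholders; the `PRIVILEGED_ROLES` set and the register format are the author's assumptions.

```python
"""Reconcile privileged role assignments with an authorization register (added example).

An "Assigned" schedule instance with no endDateTime is a permanent active
assignment; an "Activated" instance is a PIM just-in-time activation that
expires. Eligible (not active) assignments live under a different endpoint
and are not part of this check.
"""

# Roles treated as privileged; extend to match the roles your SSP scopes in.
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Exchange Administrator", "SharePoint Administrator", "Conditional Access Administrator",
}

# Constructed roleDefinitions subset: id -> displayName (ids are placeholders).
ROLE_DEFINITIONS = {
    "role-id-ga-placeholder": "Global Administrator",
    "role-id-exo-placeholder": "Exchange Administrator",
    "role-id-helpdesk-placeholder": "Helpdesk Administrator",
}

# Constructed active assignment instances (placeholder principal ids).
ASSIGNMENTS = [
    {"principalId": "user-alice", "roleDefinitionId": "role-id-ga-placeholder",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-bob", "roleDefinitionId": "role-id-ga-placeholder",
     "assignmentType": "Activated", "endDateTime": "2025-01-01T12:00:00Z"},
    {"principalId": "user-carol", "roleDefinitionId": "role-id-exo-placeholder",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-dave", "roleDefinitionId": "role-id-helpdesk-placeholder",
     "assignmentType": "Assigned", "endDateTime": None},
]

# Constructed authorization register: (principalId, role) -> approval reference.
AUTHORIZATION_REGISTER = {
    ("user-alice", "Global Administrator"): "<change-ticket-placeholder-1>",
    ("user-bob", "Global Administrator"): "<change-ticket-placeholder-2>",
}


def is_permanent(assignment):
    """Standing assignment: directly assigned and never expiring."""
    return assignment["assignmentType"] == "Assigned" and not assignment.get("endDateTime")


def reconcile(assignments, role_definitions, register, privileged=PRIVILEGED_ROLES):
    """Return one finding per problem: undocumented or permanent privileged assignments."""
    findings = []
    for a in assignments:
        role = role_definitions.get(a["roleDefinitionId"], a["roleDefinitionId"])
        if role not in privileged:
            continue  # non-privileged roles are outside this check's scope
        key = (a["principalId"], role)
        if key not in register:
            findings.append({"principalId": a["principalId"], "role": role,
                             "issue": "no authorization record"})
        if is_permanent(a):
            findings.append({"principalId": a["principalId"], "role": role,
                             "issue": "permanent active assignment; should be PIM eligible with JIT activation"})
    return findings


def unused_authorizations(assignments, role_definitions, register):
    """Register entries with no matching active assignment; candidates for removal at recertification."""
    active = {(a["principalId"], role_definitions.get(a["roleDefinitionId"])) for a in assignments}
    return sorted(key for key in register if key not in active)


if __name__ == "__main__":
    for f in reconcile(ASSIGNMENTS, ROLE_DEFINITIONS, AUTHORIZATION_REGISTER):
        print(f"{f['principalId']:12} {f['role']:24} {f['issue']}")
    print("stale authorizations:", unused_authorizations(ASSIGNMENTS, ROLE_DEFINITIONS, AUTHORIZATION_REGISTER))
```

On the constructed data this reports three findings: one standing Global Administrator assignment that is authorized but should be converted to an eligible assignment, and one Exchange Administrator assignment that is both permanent and absent from the register. Bob's activated, expiring assignment is the shape you want to see for every privileged role, and the helpdesk role is ignored as out of scope. Keep each run's output with the recertification record; it is the evidence an assessor will ask for against the RBAC documentation item.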
Before You Flip the Switch
Twenty-five controls is a meaningful checklist, but it is not an exhaustive one. Your specific contractual obligations, the classification categories of CUI you handle, and your ITAR registration status will drive additional requirements on top of this baseline. Organizations pursuing CMMC Level 2 certification should treat this checklist as a starting point for a broader gap analysis aligned to NIST SP 800-171 Revision 3.
If your organization needs expert support configuring GCC High for CMMC, ITAR, or DFARS compliance, or if you need a compliance team to validate your tenant before go-live, Cleared Systems can help. Our Regulatory vCISO services provide hands-on GCC High compliance oversight for defense contractors and federal agencies at every stage of deployment.
Ready to get your GCC High environment audit-ready before go-live? Request a quote from Cleared Systems today and let our team verify every control before your tenant goes live.
