Microsoft GCC High benefits defense contractors, cleared personnel, and other organizations in the Defense Industrial Base (DIB). Built to help government contractors manage complex data security requirements specifically, M365 GCC High is configurable to NIST 800-171 standards. As part of GCC High licensing agreement, Microsoft agrees to offer complete and continuous support for all DFARS cybersecurity requirements. Previously, GCC High and its associated support were only available to Microsoft 365 customers with over 500 seats under license. In 2018, however, Microsoft loosened these requirements, allowing all contractors that needed compliance with DFARS 7012 or CUI/ITAR data management regulations to acquire a GCC High license. See Microsoft 365 Government – How to Buy Licenses. This article will explore the advantages of Microsoft 365 GCC High and how it can enhance your organization’s collaboration efforts.
Which Organizations Need Microsoft GCC High?
In addition to helping organizations manage ITAR data, Microsoft 365 GCC High aids contractors in achieving regulatory compliance with:
- Criminal Justice Information (CJI/CJIS): This data includes private and sensitive information collected by federal, state, and local law enforcement agencies. Examples of CJI/CJIS data include criminal records, vehicle license plates, and fingerprints.
- Controlled Unclassified Information (CUI): As defined in Executive Order 13556, CUI is data that requires dissemination and safeguarding controls but is not considered classified under the Atomic Energy Act or Executive Order 13526.
- Covered Defense Information (CDI): Defined in DFARS 252.204-7012, CDI is a type of CUI that is either transmitted, collected, stored, or used during the performance of a contract or is specifically provided to a contractor and marked or identified as such by the Department of Defense.
- Department of Defense Information (Impact Level 4 or Higher): Examples of DoD information categorized as IL4 or higher include military personnel records, Unclassified Controlled Nuclear Information (UCNI), and Critical Energy Infrastructure Information (CEII).
Who is Eligible for GCC High in Office 365?
Office 365 GCC High license is not just given to any organization. There are some requirements that a company must fulfill before a license is awarded. Additionally, your organization should undergo Azure GCCH eligibility validation by completing and submitting a Government Community Cloud Eligibility Intake Form. To obtain approval for a GCC High license, you will need to:
- Have Microsoft issue a Category 3 validation to your organization. This validation indicates that your organization handles sensitive data and requires the highest level of cloud security.
- Prove your organization is eligible for GCC High Office 365 by providing signed government contract displaying the relevant data requirements. Alternatively, provide a sponsor letter that gives comprehensive justification for a license.
- Partner with Cleared Systems to obtain your Microsoft 365 GCC High license. Cleared Systems guides organizations through the process, ensuring all requirements for this restricted license are met. As a Microsoft partner, we have extensive experience assisting organizations to be licensed for GCC High.
Which Government Cloud Option is Right For You?
The available government cloud options, such as GCC, GCC High, and Microsoft DOD, offer varying levels of security and cater to different user categories. GCC is generally suitable for general government and vendor users, while GCC High is designed specifically for high-security clearance users. Microsoft DOD is exclusively meant for Department of Defense and its personnel. When considering the choice of a government cloud option that best fits your requirements, there are several key factors to consider, including:
Compliance with regulatory frameworks is crucial for any government cloud option. GCC complies with standards like FedRAMP Moderate, DFARS, and FBI CJIS. GCC High goes a step further by meeting criteria such as FedRAMP High, NIST 800-53, NIST-800 171, DFARS, ITAR, and the United States DoD CC SRG IL4.
Cost considerations are also important when making this decision. GCC tends to be the most budget-friendly option, followed by GCC High with medium costs, and Microsoft DOD with higher costs. It is essential to evaluate your budgetary constraints while weighing the benefits provided by each option.
Underlying Cloud Infrastructure
Lastly, the underlying cloud infrastructure is an important aspect to consider. GCC is hosted on Azure Commercial, GCC High is deployed on Azure Government, and Microsoft DOD utilizes Azure Government. Depending on your specific needs and any technical requirements, the choice of infrastructure may impact your decision.
For highly sensitive CUI or CDI, the most suitable cloud infrastructure option would be GCC High. While the functionality may be slightly reduced compared to the GCC, Azure GCC High guarantees compliance with crucial regulations described above. This ensures that government agencies and contractors working with highly sensitive CDI or CUI can securely store and manage their data in a trusted environment. Organizations not handling ITAR or highly-sensitive CUI can use Azure GCC. By opting for GCC, these organizations will benefit from cost savings and reduced complexities with regards to approvals and background checks.
Budgeting for Microsoft 365 GCC High
GCC High is about 50% more expense than Microsoft Commercial. With that said, a good rule of thumb is to allocate around 150% of what your organization is currently spending on Microsoft Office 365. If your organization is not currently using Office 365, then it’s wise to run some quick estimates on what the budget for 365 would look like if you were to onboard today.
What Is the Timeline from Purchase to Onboarding?
The timeline for onboarding to Microsoft 365 GCC High can vary depending on the organization’s requirements and eligibility. The first step of the process, obtaining a Category 3 validation, can take up to 20 business days. Once your organization is validated, obtaining the actual license from an AOG-S partner can take up to 10 business days. After this, the time it takes your organization to fully migrate to GCC High will depend solely on internal factors.