Built to specifically help government contractors manage complex data security requirements, Microsoft GCC High is configurable to NIST 800-171 standards. As part of every GCC High licensing agreement, Microsoft also agrees to offer complete and continuous support for all cybersecurity requirements in the DoD's Defense Federal Acquisition Regulation Supplements (DFARS).
Previously, GCC High and its associated support were only available to Microsoft 365 customers with more than 500 seats under license. In 2018, however, Microsoft loosened these requirements to allow all contractors that needed compliance with DFARS 7012 or CUI/ITAR data management regulations to acquire a GCC High license.
Which Organizations Need Microsoft GCC High?
In addition to helping organizations manage ITAR data, Microsoft GCC High aids contractors in achieving regulatory compliance for all of the following data types:
Criminal Justice Information (CJI/CJIS): This data includes private and sensitive information collected by federal, state, and local law enforcement agencies. Examples of CJI/CJIS data include criminal records, vehicle license plates, and fingerprints.
Controlled Unclassified Information (CUI): As defined in Executive Order 13556, CUI is data that requires dissemination and safeguarding controls but is not considered classified under the Atomic Energy Act or under Executive Order 13526.
Covered Defense Information (CDI): Defined in clause 252.204-7012 of DFAR, CDI is a type of CUI that is either transmitted, collected, stored, or used during the performance of a contract or is specifically provided to a contractor and marked or identified as such by the Department of Defense.
Department of Defense Information (Impact Level 4 or Higher): Examples of DoD information categorized as Impact Level 4 (IL4) or higher include military personnel records, Unclassified Controlled Nuclear Information (UCNI), and Critical Energy Infrastructure Information (CEII).
Getting Your Organization Approved for a Microsoft GCC High License
To obtain approval for a GCC High license, you will need to:
Have Microsoft issue a Category 3 validation to your organization.
Prove that your organization is eligible to use Microsoft GCC High by providing a signed government contract that clearly displays the relevant data requirements or a sponsor letter that provides comprehensive justification for a license.
Find an official Microsoft AOS-G partner from which to obtain your license.
Budgeting for Microsoft GCC High
Only AOS-G partners are able to provide exact pricing for GCC High. With that said, a good rule of thumb is to allocate around 150% of what your organization is currently spending on Microsoft Office 365. If your organization is not currently using Office 365, then it's wise to run some quick estimates on what the budget for 365 would look like if you were to onboard today.
What Is the Timeline from Purchase to Onboarding?
The first step of the process, obtaining a Category 3 validation, can take up to 20 business days. Once your organization has been validated, obtaining the actual license from an AOG-S partner can take up to 10 business days. After this, the time it takes your organization to fully migrate to GCC High will depend solely on internal factors.
At Cleared Systems, we offer a full suite of Microsoft GCC and GCC High migration services for contractors of all sizes. To learn how we can help your organization succeed with GCC or GCC High, contact us today.