What Is GCC High? Why Is it Critical for Compliance?

Data security and compliance are critical in today’s organizational environments, especially for those handling sensitive or proprietary information, such as those managed by U.S. government entities.

Unfortunately, cybercrime is a persistent problem across the board, and the government is no exception. According to statistics, the number of incident reports filed by federal agencies in fiscal year 2023 totaled more than 32,000, a 5% increase over 2022. Keep in mind that these are only the known attacks that have been discovered.

Government officials and IT decision-makers must consistently ask themselves how to keep their cloud-based data secure while following compliance rules. They obviously don’t want their sensitive data to be exploited, but with so many options, it can be difficult to assess which cloud and technology solutions are the most secure.

To solve the dilemma of how to safely store, handle and manage data, Microsoft has developed its Government Community Cloud (GCC) High and Standard GCC solutions. This highly secure cloud is specifically designed as a U.S.-specific option.

In this blog post, we’ll define GCC High and explore the key differences between standard GCC and GCC High, including their compliance frameworks (FedRAMP, DFARS, CJIS) and suitability for various industries. We’ll also take a look at why GCC High is essential for organizations aiming to secure government contracts or meet Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

What is GCC High?

Microsoft’s GCC is a Platform as a Service (PaaS) that is built on Azure Commercial infrastructure but adheres to specific compliance frameworks and is designed to work in conjunction with government requirements.

You may have heard the phrase “GCC High” (GCCH) but might not be sure what it means. If you’re wondering “what is GCCH,” the best way to explain it is that it is a “next-level” PaaS, in part because it comes with far more stringent requirements. GCCH plays a critical role in meeting compliance and security requirements for organizations handling controlled unclassified information (CUI), export-controlled data (ITAR/EAR) and other regulated workloads.

The specialized cloud environment offered by GCC High is meant to meet the stringent compliance and security requirements of the U.S. Department of Defense (DoD). Essentially, it replicates DoD’s cloud architecture. Those who use it must be cleared and usually are individuals working for government agencies or government-approved contractors in positions where they are handling sensitive or government-controlled data.

Microsoft GCC vs GCC High

While they sound similar, there is a significant difference between GCC vs. GCC High. Both are stored in compliant and secure environments, but there are some distinctions. Microsoft personnel across the globe have access to GCC, but not GCC High. Other ways GCCH differs from standard GCC and DoD environments include the following:

Features of GCC

  • Operates as a part of the commercial cloud and can be accessed by Microsoft employees worldwide
  • Ideal for agencies with standard government requirements (federal, state, local, tribal and territorial) and certain government contractors
  • Sought by public educational institutions, government-linked healthcare entities and nonprofits working with government agencies
  • It is cost-effective for agencies without as stringent security and compliance needs
  • Complies with IL2, DFARS 252.204-7012, FedRAMP Moderate and DoD SRG Level 2

Features of GCC High

  • GCC High is stored in a separate, U.S.-based location called Microsoft’s US Sovereign Cloud
  • Individuals able to access GCC High must possess specific high-level security clearances
  • Microsoft personnel accessing GCC High must be U.S. citizens and have the right clearances
  • GCCH is designed for managing highly sensitive data and offers stricter security measures
  • GCC High goes above and beyond DoD CC SRG Level IL4 and ITAR (International Traffic in Arms Regulations)
  • Meets DoD regulatory standards and is compliant with FedRAMP High, CMMC (Cybersecurity Maturity Model Certification) and DFARS (Defense Federal Acquisition Regulation Supplement) requirements
  • GCC High is utilized by government organizations with stringent compliance needs

Essentially, federal, state and local governments may use GCC High, along with specific defense contractors or other businesses or contractors who process or hold DoD-controlled unclassified information (CUI).

Why Do Agencies Use GCC High?

Aside from its strong adherence to security and compliance requirements, GCC High is often leveraged by government agencies because it offers administrative benefits and eases collaboration between GCC High users, government entities and the businesses working with them. It also ensures a much higher level of security and compliance to safeguard sensitive data types.

What are GCC High Eligibility Requirements?

Agencies, businesses and individuals who want to use GCC High must meet specific eligibility requirements.

  • Belong to a group eligible to use GCC High
  • Provide necessary documentation for eligibility
  • Demonstrate U.S. control or location
  • Possess a valid requirement for handling sensitive data as a Category 3 entity (e.g., CUI)
  • Obtain GCC High licenses for the organization using GCCH
  • Be in receipt of validation from Microsoft

Microsoft employees who work with GCC High must also pass DoD’s stringent background checks for government-related individuals using this cloud platform.

How GCC Helps Organizations Meet Compliance Requirements

GCC is specifically developed and designed by Microsoft to meet security and compliance requirements set by the U.S. government. It helps organizations meet compliance standards like ITAR, EAR, DFARS and FedRAMP High.

Risks of Non-Compliance Without GCC High

If a company isn’t in compliance with GCC High, this means it isn’t likely to meet the high-level standards for security and compliance required to handle sensitive government data. Contracting companies that do not comply with the parameters set by GCC High for regulated industries may suffer financial losses, reputational damage, data breaches and other problems.

For instance, a business may lose a lucrative government contract or be ineligible to compete for contracts if it violates or does not meet compliance standards. It may also face legal issues, including but not limited to contractual breaches, resulting in fines and penalties.

How to Rectify Non-Compliance of GCC High

Businesses not compliant with GCC High should assess their needs and evaluate the type of data they handle; if necessary, consult with experts who are well-versed in both the IT and legal perspectives. If your business is not currently approved for GCC High, begin the process to obtain validation from Microsoft, so your company can achieve compliance by migrating to the more secure GCC High cloud option. Additionally, you’ll want to evaluate existing security controls and implement stronger ones where necessary.

Frequently Asked Questions

What Does GCC High Stand For?

GCC High is a cloud platform developed by Microsoft that stands for “Government Community Cloud High.” It is designed for those cleared to support DoD initiatives, missions and operational tasks.

What are the Primary Differences of GCC vs GCC High?

The main differences between GCC and GCC High are hosting location (data sovereignty), support personnel clearance levels, types of data centers, compliance stringency and pricing.

What are the Benefits of GCC High?

Agencies, businesses and organizations that have a need for GCC High will find many benefits, including, but not limited to, enhanced security, strong compliance frameworks, operational efficiency, advanced threat protection, secure data storage, data sovereignty (e.g., data remains within the U.S.) and compartmented access management.

Who is Eligible to use GCC High?

Only a handful of groups are eligible to utilize GCC High. These include:

  • Federal government entities
  • State or local government entities
  • Tribal entities
  • Regional or interstate government entities (cannot be international)
  • Federally Funded Research and Development Center
  • Contractors or individuals working with the above

Do I Need GCC High?

If your company is pursuing contracts with the Department of Defense or other agencies utilizing GCC High, or has workers with specific high-level security clearances, then you will want to be approved to use this specialized cloud product. Without validation, you will not qualify under Department of Defense regulations. Determine whether your company will be handling the following data types. If so, your company will likely be eligible to obtain validation to use GCC High:

  • DoD Impact Level Data
  • Controlled Unclassified Information (CUI)
  • DoD Unclassified Controlled Nuclear Information (UCNI)
  • Department of Energy UCNI
  • International Traffic in Arms Regulations (ITAR)
  • Criminal Justice Information (CJI)
  • Other types of data requiring Azure Government

How Much Does GCC High Cost?

GCC High is more costly than other cloud solutions, roughly 50% or more than the retail price of an equivalent enterprise-level license. The higher price tag is due to the additional security and compliance features, along with the overhead needed to comply with ITAR and DFARS 7012. Microsoft also needs to keep GCC High completely separate from other government and commercial operations located in the cloud.

What Is an AOS-G Partner?

An AOS-G Partner (Agreement for Online Services – Government) is a vetted partner company authorized by Microsoft to sell licenses for GCC High.

How Can I Receive Validation for GCC High?

To receive validation for GCC High, you must request it and provide Microsoft with the required documentation, including a signed contract, sponsor letter and CAGE Code or SAM registration with DUNS. To do this, you must also align your company with an AOS-G Partner that can submit your license request to use GCC High.

How Long Does Validation Take?

Assembling all the necessary documentation to be submitted should take a few days, up to a week. Before submitting, double-check to ensure everything is in proper order. Microsoft typically validates eligibility within 10 business days. Any omissions or mistakes can cause a postponement of approval. Your AOS-G Partner will help the process go smoothly without delays.

Summary

Microsoft’s GCC High is a specialized and powerful cloud solution designed to accommodate the stringent compliance requirements of the U.S. government, especially for those entities handling sensitive data. It gives groups and individuals with the necessary security clearances the ability to use Microsoft’s tools, such as Teams, Office 365 and Azure, but in a more secure environment.

While it is a part of the broader GCC option offered by Microsoft, GCC High is structured as a separate cloud environment to provide the high-level security necessary for many governmental entities. GCC High data centers can only operate in the United States and only cleared personnel may have access to them, including Microsoft employees.

Migrating to GCC High requires approval, along with in-depth planning and execution. To successfully accomplish this, companies need to connect with an AOS-G partner who can help get validation and provide assistance and knowledge to complete a smooth transition.

Need Assistance Obtaining GCC High Approval? Red River is an AOS-G Partner

If you are a government contracting company and need to elevate your security and compliance practices to fulfill the terms of a current or potentially future contract, Red River can help. As an approved AOS-G Partner for Microsoft, our team of experts has the in-depth knowledge and experience your company needs to assist your business in obtaining validation and making the transition to GCC High.

Red River has over 25 years of experience serving customers in the commercial, federal and SLED markets. As a leading company with technical expertise, along with a personal touch, we fully understand your mission and can offer the right technology solution suited to meet your needs.

To schedule a consultation, contact Red River today. Let’s get the conversation started. We’re happy to answer any questions or provide more information about GCC, GCC High or any other technology topics.