What is GCC High, GCC, DOD, and Commercial Microsoft 365? - Agile IT (2022)

One of the most common questions we receive is “Which cloud is right for us?”. Understanding the differences between Commercial, GCC and GCC High Microsoft 365 environments is important, and almost directly aligns to your compliance needs. Before making the decision, it is important to understand the differences between these environments. Check out our video focused on Compliance in GCC High.

What is Microsoft 365 Commercial?

Commercial Microsoft 365 is the standard Microsoft 365 cloud. It is where Enterprise, Business Essentials, and Academic and even home Office 365 tenants reside. It has the most features and tools, nearly global availability, and the lowest prices. Everyone qualifies and no validations are needed. In many cases, security and compliance needs such as can be met in commercial through tools like Enterprise Mobility and Security, Intune, Compliance Center, Cloud App Security, Azure Information Protection and the various Advanced Threat Protection (ATP) tools.

(Video) Understanding GCC High, GCC and Commercial Microsoft 365

Compliance frameworks that can reside in commercial include HIPAA/HITech, NIST 800-53, PCI-CSS, GDPR, CCPA, etc. It is not meant for government or defense compliance and should not be used for such as it shares a global infrastructure and workforce. There is the possibility that an organization could meet FedRAMP moderate impact in Microsoft 365 Commercial, but it would need to be heavily augmented with additional tools. The expense, complexity, and risk involved makes this an undesirable state, which would be impacted by any changes Microsoft makes to the environment, while leaving you on the hook to patch any gaps. Although it is not officially asserted yet, it is expected that Microsoft 365 commercial meets CMMC Level 1 and 2 requirements.

What is Microsoft GCC?

GCC, Government Community Cloud, can essentially be thought of as a government focused copy of the commercial environment. It has many of the same features, but features data centers ONLY in the continental United States (CONUS), as mandated by FedRAMP Moderate. Compliance frameworks that can be met in GCC include:

(Video) Microsoft 365 GCC vs GCC High

  • DFARS 252.204-7012 (As of February 2021 Microsoft will now attest to compliance)
  • DoD SRG Level 2 (with no provisional authority)
  • FBI CJIS (Criminal Justice Information Services)
  • FedRAMP High

It is important to note that GCC is 100% insufficient for ITAR, EAR and most Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI) handling. The reason behind this is that the identity component and network that GCC resides on is Azure Commercial and does not meet import/export controls since it is global and access is not limited to U.S Citizens.

GCC Employee Background Checks

Additionally, with GCC we begin to see additional employee background checks to meet various federal, state, and local government requirements.

(Video) Microsoft 365 GCC High Cross-Cloud (B2B) Collaboration Update

U.S. CitizenshipVerification of U.S. citizenship
Employment History CheckVerification of seven (7) year employment history
Education VerificationVerification of highest degree attained
Social Security Number (SSN) SearchVerification that the provided SSN is valid
Criminal History CheckA seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
Office of Foreign Assets Control List (OFAC)Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions
Bureau of Industry and Security List (BIS)Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
Office of Defense Trade Controls Debarred Persons List (DDTC)Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
Fingerprinting CheckFingerprint background check against FBI databases
CJIS Background ScreeningState-adjudicated review of federal and state criminal history by state CSA appointed authority within each state that has signed up for the Microsoft CJIS IA program

What is Microsoft 365 DOD? (Department of Defense Only)

We are only mentioning the DoD enclave here for completeness sake. You don’t qualify… unless you are DoD. The DoD cloud was purpose built for the Department of Defense and the DoD only. No contractors, no outside personnel, no exceptions. One thing to mention is that the DoD enclave is the ONLY of the four clouds to meet DoD SRG Levels 5 and 6.

What is GCC High? (A Copy of DOD)

GCC High was created to meet the needs of DoD and Federal contractors that needed to meet the stringent cybersecurity and compliance requirements of NIST 800-171, FedRAMP High, and ITAR, or who need to manage CUI/CDI. GCC High is technically a copy of the DoD cloud but exists in its own sovereign environment.

(Video) Everything you want to know about GCC, GCC High, and DOD w/ Blackspoke

With GCC High, you begin to see a noticeable loss of feature parity with commercial environments. Things like Calling Plans and Compliance Manager aren’t available, and several tools like Microsoft Defender ATP, Cloud App Security and Intune are missing a few functions. The reasons for this are threefold. [Update: Agile IT is now able to enable calling and audio conferencing in GCC High]

  • First is the federal approval process. Each feature must be rigorously tested in the DoD and GCC High clouds to assure compliance and security.
  • Secondly, for many of the applications, a dedicated staff that has passed Department of Defense IT-2 adjudication based on an Office of Personnel Management investigation is required for development and support.
  • Finally, some of Microsoft 365 applications will fail to meet compliance requirements by their very nature. Ironically, this happens most frequently with security and governance tools, since they require standing access to data in order to be effective. In some cases, when the tools are critical, such as Azure Sentinel, Cloud App Security and Microsoft Defender the tools are almost completely rebuilt to meet these criteria. For other tools, like Yammer, they are simply left behind with no intent to bring them onto the roadmap.

Feature Parity changes constantly. There are two places where customers can keep up with what is available. The first is the Microsoft Service Description Pages for each product, secondly, you can filter the Office 365 development roadmap for GCC High under the “Cloud Instance” filter.

(Video) What is Microsoft 365 GCC & GCC High Webinar

GCC High Eligibility

GCC High is reserved for the Defense Industrial Base (DIB), DoD contractors, and Federal Agencies. Every customer hoping to move to GCC High must first receive validation from Microsoft, which we cover in our blog, Getting GCC High Validation from Microsoft.

GCC High and DoD Background Checks

Microsoft GCC High and DoD feature the most stringent background checks for employees working in their data centers. It is largely the same as those for GCC with the addition of the DoD IT-2 adjudication. This adjudication is part of an Office of Personnel Management (OPM) level 3 background check.

(Video) Microsoft 365 GCC and GCC High Eligibility - How To

U.S. CitizenshipVerification of U.S. citizenship
Employment History CheckVerification of seven (7) year employment history
Education VerificationVerification of highest degree attained
Social Security Number (SSN) SearchVerification that the provided SSN is valid
Criminal History CheckA seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level
Office of Foreign Assets Control List (OFAC)Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions
Bureau of Industry and Security List (BIS)Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities
Office of Defense Trade Controls Debarred Persons List (DDTC)Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry
Fingerprinting CheckFingerprint background check against FBI databases
Department of Defense IT-2Staff requesting elevated permissions to customer data or privileged administrative access to Dept of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation

How to Buy GCC High or GCC?

Agile IT is one of the only AOS-G partners authorized to license GCC High for any size company (Including under 500 seats). We hold over 15 Microsoft Gold Competencies, are a Fast Track Ready Partner, and were also one of the first Microsoft Partners selected to license and manage Azure Government. If you need GCC High for your organization, or need help finding out what cloud is right for you, contact us today.

FAQs

What is GCC and GCC high and DoD? ›

GCC High was created to meet the needs of DoD and Federal contractors that needed to meet the stringent cybersecurity and compliance requirements of NIST 800-171, FedRAMP High, and ITAR, or who need to manage CUI/CDI. GCC High is technically a copy of the DoD cloud but exists in its own sovereign environment.

What is Microsoft Office 365 GCC high? ›

What Is Microsoft (Office) 365 GCC High? "GCC High" stands for Microsoft 365 Government Community Cloud High - Microsoft 365 GCC High is the cloud platform developed by Microsoft for cleared personnel and organizations supporting the Department of Defense.

Does DoD use Office 365? ›

Collaboration in Office 365 for DOD

The DOD has been leveraging Microsoft's solutions for decades and is very familiar with Exchange for email and SharePoint for collaboration, but CVR introduced a new technology with Microsoft Teams that changes the dynamic for how these services are used.

Who can sell Microsoft GCC high? ›

Microsoft 365 Government eligibility and validation

Both GCC and GCC High offerings are available to any customer that is eligible for the Microsoft Government Cloud, and the DoD environment is for the exclusive use of the U.S. Department of Defense.

Do I need GCC high? ›

TLDR; GCC and GCC High are the only environments where Microsoft will contractually agree to meet their customers' requirements for DFARS 7012. If you are subject to DFARS clause 7012, you need GCC. If you have covered information with sovereignty, export control, or US citizenship requirements, you will need GCC High.

What does GCC stand for? ›

Gulf Cooperation Council (GCC), political and economic alliance of six Middle Eastern countries—Saudi Arabia, Kuwait, the United Arab Emirates, Qatar, Bahrain, and Oman.

What's the difference between GCC and GCC high? ›

It's called GCC High because it meets the FedRAMP high impact requirements. GCC High sits on the Azure Government infrastructure, making it a more secure cloud environment than normal GCC.

What is GCC Compliance? ›

Certification means the issuance of a written General Certificate of Conformity (GCC) in which the manufacturer or importer certifies that its non-children's (general use) product complies with all applicable consumer product safety rules (or similar rules, bans, standards, or regulations under any law enforced by the ...

Can foreign nationals access GCC high? ›

GCC High supports U.S. Sovereignty requirements:

U.S. Citizens. No Foreign Nationals (NOFORN)

Is Microsoft to do available for GCC? ›

We are excited to announce that the iOS and Android apps for Microsoft To Do (a tool for managing and sharing tasks and lists) is rolling out to GCC (Government Community Cloud) users.

How do I access my DOD 365 email? ›

To access Army Email Login (now ARMY 365 Webmail):

Open a fresh web browser (Microsoft Edge or Chrome; Firefox only if configured with ActivClient) and go to Army 365 Webmail. Enter your @army.mil email. Select SIGN IN WITH CAC/PIV. Select the AUTHENTICATION certificate when prompted.

Can I access DOD teams from home? ›

You can now access DoD365 from your personal computer. Your Outlook email, Teams, OneDrive documents and other collaboration tools are now right at your fingertips, and completely secure, without even logging into VDI or VPN. Reservists and Mac users, this one's for you too!

Is GCC high FedRAMP? ›

Does Microsoft 365 GCC High Meet FedRAMP High Requirements? Microsoft 365 GCC High is best for FedRAMP High Impact data. It supports all the compliance and security requirements supported by Microsoft 365 Commercial. In addition, it also supports NIST 800-171, EAR, and ITAR.

Is GCC high required for Cmmc? ›

GCC High is not required to meet CMMC 2.0 at any Level. However, Microsoft's official recommendation is for organizations planning or required to meet CMMC 2.0 Level 2 and Level 3 should deploy to Microsoft 365 GCC High.

What is AOS G? ›

The Microsoft Agreement for Online Services - Government program, better known as the AOS-G program, was created to enable government and commercial organizations the ability to purchase less than 500 Microsoft Government Cloud Community High (GCC High) licenses from an authorized Microsoft partner.

What is Microsoft 365 apps GCC? ›

The Office 365 GCC environment provides compliance with federal requirements for cloud services, including FedRAMP High, Defense Federal Acquisition Regulations Supplement (DFARS), and requirements for criminal justice and federal tax information systems (CJI and FTI data types).

Why was the GCC formed? ›

The basic objectives of the Co-operation Council are: To effect co-ordination, integration, and interconnection among member states in all fields in order to achieve unity among them. To deepen and strengthen relations, links and areas of co-operation now prevailing among their people in various fields.

What is the difference between GCC specs and US specs? ›

There aren't many major differences between GCC and American specs. It usually varies from one brand to another. Some major differences between US specs vs GCC specs include interior, accessories, trim levels and powertrains.

What is CSP GCC? ›

Office 365 Government GCC for CSP is designed for the unique needs of US government organizations. It provides all the features and capabilities of Office 365 services in a segmented government cloud community that enables organizations to meet US government compliance and security standards.

What is government community cloud? ›

A government community cloud is a comprehensive suite of advanced cloud hosting, cyber security, and information management technologies exclusively arranged for government agencies and their supporting contractors.

What are requirements for GCC? ›

Route 1 - Must have a Bachelor's Degree in mechanical or electrical engineering. You must have at least two years of post-graduate experience in mechanical/electrical machinery maintenance and operation. Route 2 - Must have a National higher Diploma (T4) or National Diploma (S4) in mechanical or electrical engineering.

Who manages GCC? ›

GNU Compiler Collection
Screenshot of GCC 10.2 compiling its own source code
Original author(s)Richard Stallman
Developer(s)GNU Project
Initial releaseMarch 22, 1987
Stable release12.2 / 19 August 2022
12 more rows

What is the GCC test? ›

A GCC, or general certificate of conformity, is required of manufacturers and importers of certain “general use” products, certifying their product has been tested and complies with all applicable consumer safety rules, standards, and regulations.

What is AWS GCC? ›

The Trusted Cloud for Government

AWS provides commercial cloud capability across all classification levels: Unclassified, Sensitive, Secret, and Top Secret making it possible to complete missions with a common set of tools, a constant flow of the latest technology, and the flexibility to rapidly scale with the mission.

Can I use Microsoft To Do without account? ›

As of March 11, 2021, you won't be able to sign in to To Do on any platform if you don't have an Exchange Online account.

Does Microsoft To Do require a license? ›

In addition to an enabled license for Microsoft To Do, users will also need mailboxes in Exchange Online for tasks in Microsoft To Do to sync and store. Since these are crucial functions of the app, users without cloud-based mailboxes through Exchange Online will not be able to use Microsoft To Do .

Can I sync Microsoft To Do with my phone? ›

To get your Microsoft 365 tasks on the go, you can use the Microsoft To Do app for Android or iOS. Just sign in using the same Microsoft account that you use with Outlook and your tasks will automatically sync between To Do and Outlook.

How do I access my DOD email from home? ›

Go to the Outlook Web Access sign-in screen.

Most military users with email addresses ending with @mail.mil can do this by visiting https://web.mail.mil/owa in Microsoft Edge or Google Chrome. You can access this site from home or while connected to your military's network.

How do I log into DOD teams? ›

Log into MST IL5 by visiting https://Dod.teams.microsoft.us. Type your new email address ending in @usa.army.mil as the username (ex. john.doe.mil@usa.army.mil). Click on “Sign in with CAC/PIV”.

Can I use Army 365 on personal computer? ›

U.S. Army Chief Information Officer Raj Iyer confirmed on LinkedIn that the service branch has updated its download policy for Office 365 users to allow for more use of personal devices.

How do I log into a team without a password? ›

Open up Teams (or use a web browser to access the online version) and you should see the login page. Enter your Microsoft account email address, followed by your newly reset password. At this point, you could tick the box that says “keep me signed in” to reduce the chances of you needing to reset your password again.

Can I use Army Teams on my phone? ›

NOTE: The Army has chosen to make Email and Teams ONLY available via web browser on personally owned computers. Meaning no ability to use the Outlook or Teams app on your personal owned computer / phone.

What is my Army email Password? ›

Q: What if I forgot my AKO password? If you forgot your AKO password, click Reset Password (AKO) on the EAMS-A Single Sign-On page, and you will be prompted to enter your username or email address to choose a method to reset your password.

What is the difference between GCC and GCC high? ›

It's called GCC High because it meets the FedRAMP high impact requirements. GCC High sits on the Azure Government infrastructure, making it a more secure cloud environment than normal GCC.

Do you need GCC high for Cmmc? ›

GCC High is not required to meet CMMC 2.0 at any Level.

What is GCC Compliance? ›

Certification means the issuance of a written General Certificate of Conformity (GCC) in which the manufacturer or importer certifies that its non-children's (general use) product complies with all applicable consumer product safety rules (or similar rules, bans, standards, or regulations under any law enforced by the ...

Can foreign nationals access GCC high? ›

GCC High supports U.S. Sovereignty requirements:

U.S. Citizens. No Foreign Nationals (NOFORN)

What is Microsoft Azure government? ›

What is Azure Government? Azure Government is the mission-critical cloud, delivering breakthrough innovation to US government customers and their partners. Only US federal, state, local, and tribal governments and their partners have access to this dedicated instance, with operations controlled by screened US citizens.

Videos

1. Microsoft 365 GCC and GCC High Eligibility - How To
(Summit 7 Systems)
2. NikTips series: Office 365 Commercial vs GCC vs GCC High
(Nikkia T. Carter)
3. How to get GCC High Validation for Microsoft 365
(Agile IT)
4. Office 365 GCC High Migration Secrets Exposed
(On Call Compliance Solutions)
5. Do You Need GCC High for CMMC? (Agile IT)
(Agile IT)
6. Do I need GCC High for CMMC 2.0?
(Summit 7 Systems)

Top Articles

Latest Posts

Article information

Author: Virgilio Hermann JD

Last Updated: 12/07/2022

Views: 5387

Rating: 4 / 5 (41 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Virgilio Hermann JD

Birthday: 1997-12-21

Address: 6946 Schoen Cove, Sipesshire, MO 55944

Phone: +3763365785260

Job: Accounting Engineer

Hobby: Web surfing, Rafting, Dowsing, Stand-up comedy, Ghost hunting, Swimming, Amateur radio

Introduction: My name is Virgilio Hermann JD, I am a fine, gifted, beautiful, encouraging, kind, talented, zealous person who loves writing and wants to share my knowledge and understanding with you.