Do Cloud Better.

What are GCC High, GCC, DOD, and Commercial Microsoft 365?

Posted by Carter Howell on Aug 3, 2021 2:27:44 PM
Carter Howell

Are you an IT leader in your organization, needing to choose the right Microsoft cloud platform for your company? Your security and compliance requirements play a key part here. Which of the available options, Microsoft 365 Commercial, Microsoft GCC, Microsoft 365 DOD, and Microsoft GCC High— meet your requirements? How do the security and compliance requirements vary for them? How can Observian help you to choose the right platform to get started? Read on, as we answer these questions below.


Microsoft 365 Commercial: An Overview

Most of the users of the Microsoft Cloud Platform know about Microsoft 365 Commercial. Not only is this Cloud Platform used by enterprises, but small and medium businesses use it as well. This platform is also applicable for a variety of other entities, such as academics, individual users of Office 365, and more.

Microsoft 365 Commercial offers the largest number of features and tools among all of the cloud platforms offered by the company. It’s been around for the longest. This platform uses the Azure commercial stack.  

Microsoft 365 Commercial has near-global availability. It has the lowest price points among all of the Microsoft cloud platforms. Microsoft uses data centers in various countries to offer this platform, and furthermore, offshore teams also support it. 

All kinds of organizations and individual users can buy a Microsoft 365 Commercial plan. You don’t undergo any validation concerning the type of organization you’re a part of. That’s a key difference from the other Microsoft cloud platforms that we will shortly talk about.

Security and compliance requirements supported by Microsoft 365 Commercial

Microsoft 365 Commercial supports several common regulatory and compliance frameworks like:

  • HIPAA (Health Insurance Portability and Accountability Act)/HITech (Health Information Technology for Economic and Clinical Health act)
  • NIST 800-53 (National Institute of Standards and Technology Special Publication 800-53)
  • PCI-DSS (Payment Card Industry Data Security Standard)
  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)

Microsoft 365 Commercial offers commonly-known tools to manage compliance and security such as.:

  • Enterprise Mobility and Security
  • Intune
  • Compliance Center
  • Cloud App Security
  • Azure Information Protection
  • ATP (Advanced Threat Protection) tools

Do you plan to meet FedRAMP (Federal Risk and Authorization Management Program) requirements using Microsoft 365 Commercial? Consider the following:

  • You can meet FedRAMP only up to the “moderate impact” stage
  • You need to use several additional tools
  • This exercise will likely be a costly, complex, and high-risk one

What if Microsoft modifies this commercial cloud platform after you undertake this complex exercise? This will require you to assess any gaps and create/apply patches.   


Microsoft GCC: An Overview

You can think of Microsoft GCC (Government Community Cloud) as a copy of Microsoft 365 Commercial, however, there’s a key difference. GCC uses data centers that are physically located within the continental United States. FedRAMP Moderate controls mandate this. 

GCC has some similarities with Microsoft 365 Commercial in terms of tools and features

  • Microsoft Teams Commercial Cloud
  • Skype for Business Online
  • Exchange Online and Exchange Online Protection
  • SharePoint Online and OneDrive for Business Online
  • Office 365 GCC, which is similar to Office 365


Team members supporting GCC need to meet several employee background check requirements:

  • US citizenship
  • Verification of 7 years of employment history
  • Education verification
  • Verification of the SSN (Social Security Number)
  • Criminal history check

Who needs GCC, and who is eligible for it?

You need GCC only if you have specific compliance requirements— FedRAMP Moderate for example. Consider using GCC only if your organization is classified as a US-based government organization. 

Your organization must be authorized to handle data that meets these compliance requirements. Confirm with Microsoft whether your organization is eligible for GCC.


Which security and compliance frameworks can GCC support?

In addition to the compliance frameworks supported by Microsoft 365 Commercial, GCC supports the following:

  • DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012
  • DoD SRG (Department of Defense Security Requirements Guide) level 2
  • FBI CJIS (Criminal Justice Information Services)
  • FedRAMP Moderate, for which GCC has an accreditation

Note: GCC doesn’t support the DFARS flow-down requirements. Microsoft doesn’t contractually agree to support DFARS on GCC. Microsoft won’t demonstrate DFARS compliance with your customers, vendors, or business partners.  

GCC can’t support the following requirements:

  • ITAR (International Traffic in Arms Regulations)
  • EAR (Export Administration Regulations)
  • Handling CUI (Controlled Unclassified Information)
  • Handling CDI (Controlled Defense Information)

GCC utilizes the identity component and network of Azure Commercial. Azure Commercial has global availability and isn’t limited to US citizens only. Therefore, it can’t satisfy import/export controls, nor can it support the above-mentioned requirements.


Microsoft 365 DOD: An Overview

Microsoft 365 DOD is a cloud platform for the US Department of Defense (DoD) only. The US DoD might approve certain service providers or entities that qualify for Microsoft 365 DOD. There’s no exception to these stringent eligibility criteria. 

Microsoft 365 DOD uses data centers in the continental United States only. Microsoft restricts the administration and support roles for this platform to US-based personnel only. This platform uses the Azure Government network. 

Microsoft 365 DOD follows the employee background verification process. This requires all of the verification criteria of GCC above, however, it’s more stringent. It needs DoD IT-2 adjudication.  

Which security and compliance requirements can Microsoft 365 DOD support?

Microsoft 365 DOD supports all of the compliance and security requirements supported by Microsoft 365 Commercial. Furthermore, it supports the following requirements:

  • FedRAMP, with an accreditation level “High”
  • DFARS 252.204-7012
  • ITAR
  • EAR
  • Handling CUI
  • Handling CD;
  • DoD SRG Level 5 and 6
  • NIST 800-171

This platform does not support FBI CJIS requirements.


Microsoft GCC High: An Overview

Organizations in the Defense Industrial Base (DIB), DoD contractors, and Federal agencies that need to meet specific security and compliance requirements, can use Microsoft GCC High. If you look at it technically, you will find that Microsoft GCC High is a copy of Microsoft 365 DOD. However, Microsoft GCC high exists in a separate environment. GCC High uses data centers in the continental United States only. 

Only US-based government organizations qualify for GCC High. Furthermore, they need to confirm their eligibility with Microsoft.

Microsoft GCC High requires the same level of stringent employee background verification as Microsoft 365 DOD. The features in Microsoft GCC High vary from those in the Microsoft 365 Commercial cloud:

  • Products like Yammer can’t meet the compliance requirements of GCC High, therefore, GCC High doesn’t include them
  • Products like Microsoft Defender ATP, Cloud App Security, and Intune on GCC High don’t have a few of their features
  • Microsoft almost completely rebuilt products like Azure Sentinel to meet the requirements of GCC High


Which security and compliance requirements can Microsoft GCC High support?

In addition to supporting all of the compliance and security requirements supported by Microsoft 365 Commercial, Microsoft GCC High also supports the following requirements:

  • FedRAMP, with an accreditation level “High”
  • DFARS 252.204-7012 with flow-down requirements
  • ITAR
  • EAR
  • Handling CUI
  • Handling CDI
  • DoD SRG Level 4
  • NIST 800-171

GCC High does not support FBI CJIS requirements.


Need help transitioning to Microsoft GCC or Microsoft GCC High? We are here!

We talked about the 4 cloud platforms offered by Microsoft— Microsoft 365 Commercial, Microsoft GCC, Microsoft 365 DOD, and Microsoft GCC High. Now you need to get started, but this can be complex. How can you buy Microsoft GCC or Microsoft GCC High? Here at Observian, we can help.


Observian is an official Microsoft partner in the digital transformation landscape. Our cloud security and compliance services help businesses and small teams to safeguard their data. We help you to meet your compliance requirements and validate your eligibility for GCC or GCC High. Contact Observian today for help with licensing and transition to a suitable Microsoft cloud platform for your organization.

Tags: Security, 365, Microsoft, Microsoft 365, Office 365