Protecting CUI in GCC High: sensitivity labels, DLP and encryption

The whole point of GCC High is to handle CUI correctly. Here is how we mark it with sensitivity labels, stop it leaving with DLP, confirm FIPS-validated encryption and lock down external sharing.

June 12, 2026 · 3 min read

GCC High exists so you can handle Controlled Unclassified Information in a sovereign, FIPS-validated environment. That only pays off if you actually mark the CUI, stop it from leaking, and prove the cryptography behind it. This work lives in Microsoft Purview and the SharePoint admin center.

Create sensitivity labels for CUI (3.8.1, 3.8.2)

NIST 800-171 3.8.1 and 3.8.2 require marking and protecting CUI. Under Information Protection, then Labels, create a CUI label that applies header and footer markings and encryption. Then publish a label policy to your users and set a default label for the workloads that carry CUI.

Add DLP policies to stop exfiltration (3.1.3)

Data Loss Prevention enforces 3.1.3, controlling the flow of CUI, by catching risky sharing before it happens. Under Data Loss Prevention, create a policy scoped to the CUI label that blocks or warns on sharing to external recipients across Exchange, SharePoint, OneDrive and Teams.

Confirm FIPS-validated encryption (3.13.8, 3.13.11)

NIST 800-171 3.13.8 and 3.13.11 require FIPS-validated cryptography in transit and at rest, which is a core reason GCC High exists. Confirm that TLS 1.2 or higher is enforced and legacy TLS is disabled, verify service encryption at rest is on, and document that GCC High provides FIPS 140-validated modules.

Lock down external sharing (3.1.3, 3.13.1)

Default open sharing leaks CUI. In the SharePoint and OneDrive admin center, set external sharing to Existing guests or Only people in your organization, and disable anonymous Anyone links tenant-wide.
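To check the sharing settings above after the fact, the following added example (not part of the original article or any vendor tooling) audits an export of the tenant and site sharing values and returns findings tagged with the control numbers. It assumes the values come from `Get-SPOTenant` and `Get-SPOSite` with enum names exported as strings; the `tenant`/`sites` wrapper, the function name and the contoso URLs are hypothetical.

```python
import json

# Constructed sample, shaped like JSON exported from Get-SPOTenant and
# Get-SPOSite (assumption: enum values exported as strings, not integers).
SAMPLE_EXPORT = """
{
  "tenant": {"SharingCapability": "ExternalUserAndGuestSharing",
             "DefaultSharingLinkType": "AnonymousAccess"},
  "sites": [
    {"Url": "https://contoso.sharepoint.us/sites/cui-engineering",
     "SharingCapability": "ExistingExternalUserSharingOnly"},
    {"Url": "https://contoso.sharepoint.us/sites/proposals",
     "SharingCapability": "ExternalUserSharingOnly"},
    {"Url": "https://contoso.sharepoint.us/sites/legacy"}
  ]
}
"""

# The two values the article allows: "Only people in your organization"
# (Disabled) and "Existing guests" (ExistingExternalUserSharingOnly).
ALLOWED = {"Disabled", "ExistingExternalUserSharingOnly"}
CONTROLS = "3.1.3, 3.13.1"

def audit_sharing(export):
    """Return a list of findings; an empty list means the export passes."""
    findings = []
    tenant = export.get("tenant", {})
    cap = tenant.get("SharingCapability")
    if cap not in ALLOWED:
        # Missing or unrecognised values fail closed instead of passing.
        findings.append(f"[{CONTROLS}] tenant SharingCapability={cap!r}")
    if tenant.get("DefaultSharingLinkType") == "AnonymousAccess":
        findings.append(f"[{CONTROLS}] tenant default link type is Anyone")
    for site in export.get("sites", []):
        site_cap = site.get("SharingCapability")
        if site_cap not in ALLOWED:
            findings.append(
                f"[{CONTROLS}] {site.get('Url')} SharingCapability={site_cap!r}")
    return findings

if __name__ == "__main__":
    for line in audit_sharing(json.loads(SAMPLE_EXPORT)):
        print(line)
```
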

A note on what "done" means

Configuring these settings hardens your Microsoft 365 GCC High tenant to the NIST 800-171 technical baseline. It is not a CMMC certification. A C3PAO assesses your documented System Security Plan, not your tenant directly, so the configuration above only counts once it is written down with evidence. Our free GCC High Setup Autopilot walks you through every step in order and hands the result to your control set when you move to Readyline Pro.
