Microsoft 365 Commercial vs GCC vs GCC High: Which Tenant Does Your DoD Contract Actually Require?

Not every defense contractor needs GCC High. This guide breaks down exactly which Microsoft 365 tenant — Commercial, GCC, or GCC High — maps to your contract type and CMMC level.

May 26, 2026 · 8 min read


If you support the Department of Defense, someone has probably told you to "get on GCC High." Sometimes that advice is correct. Sometimes it costs your company $40–60 per user per month more than necessary for no compliance benefit. And sometimes the opposite is true: contractors running on commercial Microsoft 365 are sitting on a DFARS 252.204-7012 violation they haven't noticed yet.

This post cuts through the noise. Here is a decision framework based on your contract language, the type of Controlled Unclassified Information (CUI) you handle, and your target CMMC level.


Why the Tenant Choice Matters for CMMC

CMMC (Cybersecurity Maturity Model Certification) Level 2 requires compliance with all 110 practices in NIST SP 800-171. Fourteen of those practices live inside the Access Control (AC) and System and Communications Protection (SC) families and have direct implications for where your data lives and how it is logically separated from other tenants.

Three specific controls are the forcing function here:

  • SC.3.177 — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
  • AC.2.006 — Use non-privileged accounts or roles when accessing non-security functions.
  • SC.3.187 — Establish and manage cryptographic keys for required cryptography employed within organizational systems.

Commercial Microsoft 365 does not meet FIPS 140-2 validated cryptography requirements at the infrastructure level by default. GCC and GCC High do. That single fact drives most of the decision tree below.


The Three Tiers Explained in Plain Terms

Microsoft 365 Commercial

This is the standard product most businesses buy. Data lives in Microsoft's global infrastructure. It carries no FedRAMP Moderate or High authorization, and it cannot store CUI that falls under DFARS 252.204-7012.

When it is appropriate:

  • Your contract contains no DFARS 252.204-7012 clause.
  • You handle no CUI of any category.
  • You are a commercial subcontractor with a narrow, isolated scope that never touches the DoD supply chain.

When it is not appropriate: virtually any time you are a DoD prime or subcontractor handling technical data, drawings, specifications, or any information marked CUI.

Microsoft 365 GCC (Government Community Cloud)

GCC is FedRAMP Moderate authorized. Data is stored in US datacenters, and personnel with access are screened US persons. It satisfies the baseline data residency and personnel screening requirements in DFARS 252.204-7012.

GCC was designed for state, local, and federal civilian agencies. Many DoD subcontractors land here appropriately when:

  • Their CUI is not Export Controlled (EAR/ITAR).
  • Their contracts do not reference DFARS 252.204-7021 (CMMC) requirements at Level 3 or above.
  • They handle general CUI categories like Privacy (PII) or procurement-sensitive information.

The gap to understand: GCC does not meet all of the requirements DCSA (Defense Counterintelligence and Security Agency) and the Defense Contract Management Agency (DCMA) expect for CUI that is also Controlled Technical Information (CTI) or export-controlled data.

Microsoft 365 GCC High

GCC High is FedRAMP High authorized and meets the requirements of the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) for data storage. It runs on infrastructure physically and logically separate from GCC. Only vetted US persons can administer the environment. Microsoft government employees, not commercial employees, support GCC High tenants.

GCC High is appropriate when:

  • Your contract references DFARS 252.204-7012 and you handle CTI or ITAR-controlled technical data.
  • You are pursuing CMMC Level 2 certification and your Controlled Technical Information sits in Microsoft 365.
  • You support programs under DCSA oversight where the Program Office has specified GCC High in the contract or DD Form 254 (the DoD Contract Security Classification Specification).
  • Your company works on programs with export-controlled hardware or software specifications.


The Decision Tree

Work through these questions in order. Stop at the first "yes" that applies.

  1. Does your contract contain DFARS 252.204-7012? If no: Commercial may be acceptable. Verify with your contracts team that no CUI flows. If yes: Continue to question 2.

  2. Does the CUI you handle fall under an export control category (EAR, ITAR, or CTI as defined in DFARS 252.204-7012)? If no: GCC is likely your floor. If yes: GCC High is required.

  3. Does your DD Form 254 specify a classification level or reference specific program requirements? If your DD Form 254 references NIST SP 800-171 or CMMC Level 2 and you handle any technical data: GCC High is the safe and defensible choice.

  4. Are you a subcontractor receiving technical drawings, specifications, or CAD files from a prime? If those files carry CUI markings or are described as CTI: GCC High applies regardless of whether you generated the data.

  5. Do you have employees or subcontractors who are not US persons accessing the environment? If yes: You likely have an ITAR problem independent of your tenant selection. Resolve that first, then GCC High is required for the US-person controlled environment.
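The five questions above, encoded as a small decision routine. This is an added example, not code from the original post; the `ContractProfile` fields and the handling of CUI found without a 7012 clause (treated as in scope and escalated, rather than stopping at "Commercial") are assumptions made here to keep the walk-through conservative.

```python
from dataclasses import dataclass, field

EXPORT_CONTROLLED = {"CTI", "ITAR", "EAR"}   # question 2 categories


@dataclass
class ContractProfile:
    """Answers pulled from the contract, the DD Form 254 and the CUI inventory (constructed)."""
    has_dfars_7012: bool                                  # Q1
    cui_categories: set = field(default_factory=set)      # e.g. {"PII"} or {"CTI", "ITAR"}
    dd254_cites_171_or_cmmc_l2: bool = False              # Q3
    handles_technical_data: bool = False                  # Q3
    prime_files_marked_cui_or_cti: bool = False           # Q4
    non_us_person_access: bool = False                    # Q5


def recommend_tenant(p: ContractProfile) -> tuple[str, list[str]]:
    """Walk questions 1-4 in order, stopping at the first answer that fixes the tier.
    Question 5 is always checked once CUI is in scope, because it flags a personnel
    problem that no tenant choice fixes. Returns (tier, rationale lines)."""
    notes: list[str] = []
    tier = None
    export = p.cui_categories & EXPORT_CONTROLLED

    if not p.has_dfars_7012 and not p.cui_categories:   # Q1: no clause and no CUI
        return "Commercial", ["Q1: no DFARS 252.204-7012; confirm with contracts that no CUI flows"]
    if not p.has_dfars_7012:
        # Assumption: CUI without the clause is a contracts inconsistency, not a pass;
        # keep walking the tree and flag it for the contracts team.
        notes.append("Q1: CUI inventoried but no 7012 clause; treat as in scope and escalate")

    if export:                                           # Q2: export-controlled CUI
        tier = "GCC High"
        notes.append(f"Q2: export-controlled CUI present: {sorted(export)}")
    else:
        notes.append("Q2: CUI is not export controlled; GCC is the floor")

    if tier is None and p.dd254_cites_171_or_cmmc_l2 and p.handles_technical_data:
        tier = "GCC High"                                # Q3: DD Form 254 plus technical data
        notes.append("Q3: DD Form 254 cites NIST SP 800-171 / CMMC L2 and technical data is handled")

    if tier is None and p.prime_files_marked_cui_or_cti:  # Q4: flowed-down CTI from a prime
        tier = "GCC High"
        notes.append("Q4: prime-supplied files are marked CUI/CTI; applies regardless of who created them")

    if p.non_us_person_access:                           # Q5: personnel issue, checked regardless
        tier = "GCC High"
        notes.append("Q5: non-US person access is an ITAR problem independent of tenant; resolve first")

    return tier or "GCC", notes
```

The rationale list is what you would paste into the SSP boundary narrative to show why the tier was chosen.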


Common Misconceptions

"We're just a small sub. This doesn't apply to us."

Paragraph (c) of DFARS 252.204-7012 requires primes to flow the clause down to subcontractors that will process, store, or transmit CUI. If you receive technical data from the prime, the clause flows to you. Tenant selection is not optional.

"GCC is the same as GCC High for ITAR."

It is not. GCC achieves FedRAMP Moderate. ITAR requires that data be accessible only to US persons and that the infrastructure provider can contractually commit to restricting access to US persons only. Microsoft's GCC High agreement includes that commitment. GCC does not.

"We store files on SharePoint. That's not a system that processes CUI."

SharePoint is part of your Microsoft 365 environment and is in scope for your CMMC boundary. If CUI flows through email, Teams, or SharePoint, the entire tenant is part of your assessment scope under the CMMC Assessment Process (CAP) methodology.

"Our IT provider manages everything, so it's their problem."

Managed Service Providers (MSPs) that touch your CUI environment are themselves in scope for CMMC. If your MSP runs on commercial Microsoft 365 and has administrative access to your tenant, that is a finding. The right question to ask your MSP: "What tenant are your administrative tools running on, and are you a CMMC-registered or certified provider?"


Licensing Cost Reality Check

The price delta is real and worth quantifying before you make a decision.

Tier                   Approximate per-user monthly cost (M365 E3 equivalent)
Commercial M365 E3     ~$36
GCC M365 G3            ~$36–40
GCC High M365 G3       ~$52–60

The GCC High premium runs roughly $15–20 per user per month compared to commercial. For a 50-person company, that is $9,000–12,000 per year. That cost is real. But a CMMC assessment failure for inadequate boundary controls, or a DCSA finding during a facility clearance review, carries consequences that dwarf licensing costs.

The calculus is simple: if your contract language requires GCC High, pay for GCC High. If it does not, do not pay for it unnecessarily. The framework above tells you which situation you are in.


How This Maps Into Your System Security Plan

Your SSP (System Security Plan) under NIST SP 800-171 requires you to document your system boundary in Section 1 and identify which components are CUI-scoped. Your Microsoft 365 tenant selection directly determines what you write in several places:

  • Control 3.13.8 (SC.3.187 in CMMC notation): Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission. Your tenant must support FIPS 140-2 compliant TLS for this to be documentable.
  • Control 3.1.3 (AC.2.005): Control the flow of CUI in accordance with approved authorizations. If CUI can leak to commercial Microsoft infrastructure, your access control narrative is broken.
  • Control 3.13.5 (SC.3.177): Implement subnetworks for publicly accessible system components. Tenant-level logical separation addresses this partially, but only if the tenant itself is FedRAMP High authorized.

When a C3PAO (CMMC Third-Party Assessment Organization) reviews your SSP, one of the first artifact requests will be your FedRAMP authorization documentation for any cloud service provider in your boundary. GCC High's FedRAMP High authorization is a documented, verifiable artifact. Commercial Microsoft 365 has no such authorization to provide.


Quick Reference Summary

Scenario                                        Correct tenant
No CUI, no DFARS 252.204-7012                   Commercial
CUI present, no export control                  GCC (minimum)
CTI or ITAR/EAR-controlled data                 GCC High
CMMC L2 assessment scope includes M365          GCC High (recommended)
Facility clearance program (DCSA)               GCC High
Foreign national access concerns                GCC High + legal review

Before You Migrate, Document Your Current State

If you are currently on Commercial and need to move to GCC or GCC High, the migration is a project, not a configuration change. Plan for:

  1. Tenant-to-tenant migration of SharePoint, OneDrive, and Exchange data.
  2. Re-enrollment of all devices in the new tenant's Intune instance.
  3. Re-issuance of any Azure AD (now Entra ID) app registrations.
  4. Updated SSP boundary documentation reflecting the new environment.
  5. Notification to your Contracting Officer if your plan of action and milestones (POA&M) referenced the old environment.

Starting that process with your current compliance posture documented saves significant time. A gap assessment against NIST SP 800-171 in your current environment gives you a baseline before the migration and helps you avoid carrying old gaps into the new tenant.


The tenant decision is a contract compliance question first and a technology question second. Read the clause language, look at your DD Form 254, and classify your CUI before selecting a licensing tier. Getting this wrong in either direction costs money: one direction costs you in unnecessary licensing, the other direction costs you in assessment findings and potential contract risk.
