benefits of managed it services for business

Why Small Businesses in San Diego Need Managed IT Services

September 4, 2024

What is Microsoft GCC: In-Depth Guide

Office 365 For Government Agencies & Contractors Explained: Main Features, GCC vs. GCC High, Compliance Framework & Licensing Requirements

August 2024

Microsoft Office 365 offers a wide range of cloud instances for various industries with different security and compliance requirements. If your organization is part of, or contracted by the United States Government Public Sector (federal, state, municipal, or tribal), and needs to switch to a cloud platform designed specifically for the government, there are several “sovereign clouds”, such as Microsoft 365 Government Community Cloud (GCC), Government Community Cloud High (GCC High), and Microsoft 365 Department of Defense (DoD).

In order to migrate to one of these platforms, you must first complete a considerable number of steps, depending on the type of data you hold and process. You have to meet specific compliance criteria in order to become a Microsoft Government tenant. You can achieve this by applying and getting validated for the sovereign cloud tenant. Secondly, since this sector has different choices for license agreements, it is crucial to thoroughly understand specific features, security capabilities, and requirements for each one, in order to be able to select the right service for your organization. Before making a decision, it is highly recommended to speak to Microsoft GCC migration experts who will help you determine which license plan suits your needs best.

What Is Microsoft GCC?

Microsoft Government Community Cloud, also referred to as GCC or Microsoft 365 GCC, is a type of PaaS (Platform as a Service) designed specifically for government and entities that are subject to government regulations. It is built on Azure Cloud infrastructure and enables public sector agencies from large federal customers to small town governments to choose from a wide array of cloud computing services and better serve and protect their citizens while remaining compliant with sensitive data protection.

Special features

This cloud hosting is very similar to commercial Office 365, however, there are a few key differences, such as:

Full Windows experience, each user provided with personalized Cloud PC
Designed only for the US government public sector
Data centers located physically across continental US
Advanced compliance with federal requirements for cloud services, including: The Federal Risk and Authorization Management Program (FedRAMP), Defense Federal Acquisition Regulation Supplement (DFARS), Criminal Justice Information Services (CJIS), Federal Tax Information (FTI), and Department of Defense’s Security Requirements Guide (DoD SRG) Level 2
Special features: access restricted to screened personnel, customer content storage within the US, and customer segregation
Aligning with US Public Sector customers certifications and accreditations

Who Is Eligible for Microsoft GCC (Standard)?

Microsoft has a strict validation system that serves to establish eligibility for accessing the Government Cloud platform. In order to qualify, you need to first be enrolled in Cloud Solution Provider (CSP) program for the US Government.

At this phase, you will need to provide proof that you are contracted by the public sector. The proof may include, but is not limited to, letter of sponsorship or government contract number.

After you become a CSP member, you may be eligible for Microsoft GCC, only if you fulfill certain conditions:

You are serving US government entities (federal, state, local, or tribal)
You provide services to US government customers (direct or indirect contracts)
Your services are provided through General Service Administration (GSA) long-term contracts, such as GSA schedule, Federal Supply Schedule (FSS), Multiple Award Schedule (MAS), and other contract vehicles

Government Contract? Need Help with Microsoft GCC Licensing?

Optimize your licensing strategy with professional support tailored for government contractors.

SPEAK WITH AN EXPERT

Criteria for approval

You could be approved if your customer falls into one of these categories:

US government entity (includes customers like bureaus agencies, departments, boroughs, counties, townships of the US government, Federally Funded research and Development Center – FERDC, regional government entities, etc.)
Nongovernment (Commercial private) entity handling government data (International Traffic In Arms – ITAR, Controlled Unclassified Information – CUI, Department of Defense (DoD) Unclassified Controlled Nuclear Information – UCNI, Department of Energy DoE – UCNI, and other data requiring Azure Government)

What Is the Difference Between Microsoft 365 GCC & GCC High

Microsoft 365 distinguishes two tiers of Government Community clouds for the public sector, and they include:

Low Impact (GCC Low)
High Impact (GCC High)

These are two versions of the platform intended for government organizations and their contractors. GCC Low is a more basic, low-cost version ideal for small- and medium-sized organizations that handle sensitive but unclassified data (SBU).

Microsoft GCC High is designed for larger government organizations. It has extra security features, such as encrypted data and multi-factor authentication since it handles sensitive and classified data.

Basic differences between the GCC and GCC High are:

Security and compliance standards – While GCC adheres to FedRAMP (Federal Risk and Authorization Management Program) and NIST (National Institute of Requirements and Technology) standards, GCC High goes beyond and adheres to strict standards of the Defense Federal Acquisition Regulation Supplement (DFARS) and the International Traffic in Arms Regulations (ITAR)
Controlled Unclassified Information (CUI) compliance – GCC High is suitable for those customers who manage CUI (Controlled Unclassified Information), while GCC is suitable for those contractors who meet sensitive data demands of the general government.
Access limitations - GCC allows access to all levels of government (federal, state, municipal, tribal, and territorial ones), while access to GCC High is restricted to U.S. federal entities only.
Suitability – GCC represents a safe cloud environment for plenty of governmental customers. In contrast, GCC High is designed specifically for organizations that deal with extra-sensitive data.

Microsoft GCC High – Main Features

Microsoft GCC High raises the bar in security and compliance characteristics and services. This cloud is particularly meant for customers who are handling Controlled Unclassified Information (CUI), as it provides the highest levels of data security and added compliance capabilities for those with stringent security requirements.

Low Impact (GCC Low)
High Impact (GCC High)

GCC High Personnel Background Check

Microsoft GCC High features the most rigorous background checks for individuals who are working in their data centers. It is largely the same as those for GCC cloud with the addition of the Department of Defense (DoD) IT-2 adjudication. The background check includes, but is not limited to:

U.S. Citizenship
Employment history and education verification
Criminal history check
SSN search

OFAC control list
Department of Defense IT-2
BIS security list
DDTC Debarred persons list

Controlled Information Acceptable for GCC High Approval

Microsoft GCC High is DISA IL 5 and is FedRAMP High equivalent. This means that it is an adequate platform to host various types of controlled information, such as ITAR EAR data, and Controlled Unclassified Information (CUI) requiring DISA IL 4 or greater.

International Traffic in Arms Regulations (ITAR)
Controlled Unclassified Information (CUI)
Department of Defense Unclassified Controlled Nuclear Information (DoD UCNI)
Department of Defense, Impact Level (DoD IL)
Covered Defense Information (CDI)
Department of Energy Unclassified Controlled Nuclear Information (DoE UCNI)
Criminal Justice Information (CJI)
North American Electric Reliability Corporation (NERC)
IRS 1075 Information (Federal Tax Returns Information)

How To Get Validation for Microsoft GCC High?

To be able to utilize GCC High, you have to follow these steps:

Step 1 – Request validation as a category 3 entity at Government Community Cloud Eligibility Intake Form
Step 2 – Provide documentation (sponsorship letter or signed contract)
Step 3 – Submit GCC Licensing request

Obtaining GCC High Licenses

After determining that you fit into an eligible category, you must complete an application form. After receipt of validation, you will have to obtain a license, either from the Microsoft team directly or from an authorized and qualified distributor.

Where Is Microsoft GCC High Cloud Located?

365 GCC High is located on Microsoft Azure, in 8 data centers based in the United States. The entire suite of services has FedRAMP High certification, meaning you can safely interact with the most sensitive data within this environment.

If your organization deals with International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR); these cloud instances are exceptionally beneficial because:

Personnel employed at these locations are United States citizens who had to pass strict screening
Data is stored on U.S. soil only

CMMC 2.0 Compliance

If you are wondering whether you need to acquire GCC High for CMMC 2.0, the answer is no. In fact, GCC High is not required to meet CMMC at any level. Regardless, Microsoft still advises those organizations that need to meet CMMC 2.0 Level 2 and Level 3 to obtain GCC High.

Before committing, it is essential to consider your DFARS compliance strategy, especially with continuous improvements and accreditation boundaries changes Microsoft is planning to introduce. Ask yourself:

Are you planning on expanding your DoD contracts portfolio?
Will it include ITAR data?
Do you plan to continue DoD support in the future?
Will you possibly need to switch to GCC High within 1 to 2 years?
How likely are you to experience an incident?

How To Choose the Right Cloud Service?

In order to select the right cloud for your organization’s needs, you have to consider security demands and the type of data you handle.

Select GCC services if:

You are a government agency seeking safe cloud service
You handle the same type of data as the rest of the government
You are looking for increased productivity and communication among team members inside a secure platform

Opt for GCC High if:

You are contracted by a government agency dealing with Controlled Unclassified Information (CUI)
Your demands go beyond standards and you need additional layers of controls and compliance procedures.
Your demands go beyond standards and you need additional layers of controls and compliance procedures.

How Secure Networks ITC Can Help

If you are looking to move to Microsoft Government Community Cloud, IT compliance experts at Secure Networks ITC can change your environment efficiently and seamlessly without disruptions.

Professional advice on selecting the best Microsoft GCC plan for your organization
Smooth integration of Windows 365 Government with minimized downtime
Implementing advanced cybersecurity measures to protect sensitive data
Ensuring you meet strict compliance requirements for government agencies & contractors
24/7 expert support on-site, phone, email, and chat support
Industry-leading expertise in GCC implementation
Serving small and medium-sized businesses in San Diego County

Book An Appointment With Microsoft GCC Experts in San Diego, Call Secure Networks Today

If you are San Diego company that works for the United States government or if you are a partner serving US government entities and need to switch to a Microsoft 365 GCC service, Secure Networks ITC can help you move to these new environments from the platform you currently use. Call us now at (858) 769-5393 and let our experts smoothly introduce new configurations and upgrades while you remain focused on your business goals.