
GCC vs GCC High for CMMC: Which Microsoft 365 Government Cloud You Actually Need

By The Defense Compliance Report Editorial Team · Last verified: June 13, 2026


Quick decision: find your row

| If this describes you | Short answer |
| --- | --- |
| You handle FCI only and need CMMC Level 1 | GCC High is usually overkill unless your contract says otherwise. |
| You handle ordinary CUI (CUI Basic), Level 2, no ITAR, no prime mandate | GCC can work when it’s configured, scoped, and documented; GCC High lowers risk. |
| You handle ITAR, EAR, nuclear, NOFORN, or other CUI Specified data | GCC High (or a qualified, documented US-sovereign enclave) is the safer answer. |
| Your prime or solicitation names GCC High, IL4, IL5, or “US persons” | Follow the contract — or get written clarification before you build. |
| CUI is limited to a few users | Consider a scoped CUI enclave before moving the whole company. |
| CUI is everywhere — Outlook, Teams, SharePoint, OneDrive | Moving the whole tenant to GCC High is often operationally cleaner. |

Does CMMC actually require GCC High?

No. CMMC does not require Microsoft 365 GCC High at any level. Under 32 CFR Part 170, CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2; the regulation specifies controls and assessment types, not a Microsoft license tier. The cloud decision is driven by your CUI type, your contract, and the evidence you can produce — not by the framework itself.

So why does nearly everyone hear “you need GCC High”? Four reasons, and they’re legitimate: (1) you handle ITAR or other export-controlled data; (2) your CUI is CUI Specified rather than CUI Basic; (3) a prime or solicitation explicitly requires GCC High, DoD Impact Level 4 or 5, or US-person access; or (4) your CUI is sprayed across email, Teams, SharePoint, and OneDrive, and a clean government-cloud cutover is simply easier to defend than trying to contain it. Those are good reasons. A reflexive default to GCC High by a reseller who earns more on the higher SKU is not.

The flip side is just as real. The moment your environment touches any ITAR or EAR data — one export-controlled drawing, one spec sheet, one piece of source code — GCC High (or an equivalent US-sovereign enclave) stops being optional. And because moving between Microsoft’s commercial and government clouds is a one-way, cross-cloud migration, discovering that after you’ve built on GCC means doing the whole thing twice. If you already know you have ITAR in your CUI, stop reading this section and jump straight to GCC High or an enclave.


GCC vs GCC High for CMMC: the three questions that decide it

The decision comes down to three separate questions, in order: what CMMC level and assessment type your contract requires; what your cloud must do under DFARS 252.204-7012 if it touches CUI; and which Microsoft environment can produce the evidence, sovereignty, and support boundary your situation demands. Most confusion comes from mashing these three into one.

Layer 1 — The CMMC question.
What level applies (1, 2, or 3), and is Level 2 self-assessed or C3PAO-assessed? This is set by your solicitation and contract: DFARS 252.204-7025 is the solicitation provision where the contracting officer inserts the requirement — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — that you must meet before award. DFARS 252.204-7021 is the contract clause requiring you to maintain that CMMC status during performance. Read both before you build anything.
Layer 2 — The DFARS/cloud question.
If your cloud service processes, stores, or transmits CUI, DFARS 252.204-7012 attaches obligations: the cloud must meet security requirements equivalent to the FedRAMP Moderate baseline, and it must support specific incident-reporting and forensic duties. This is the layer that quietly eliminates plain commercial Microsoft 365 as a stand-alone CUI environment — and it’s where GCC earns its keep, because GCC already clears the FedRAMP Moderate bar.
Layer 3 — The Microsoft environment question.
Given Layers 1 and 2, which environment — Commercial, GCC, or GCC High — gives you the data sovereignty, support boundary, and documentable evidence your CUI type and contract require? This is the only layer where “GCC vs GCC High” is actually answered. The deciding factor is whether your data is CUI Specified or export-controlled (which points to GCC High) or ordinary CUI Basic (where GCC can work).

Walk the decision in five steps:

  1. Do you handle CUI at all? No → you’re likely a Level 1 / FCI shop; neither government cloud is required. Yes → continue.
  2. Is any of it ITAR, EAR, nuclear, NOFORN, or otherwise CUI Specified? Yes → GCC High or a qualified US-sovereign enclave. No or unsure → continue.
  3. Does your contract or prime require GCC High, IL4, IL5, or US persons? Yes → follow it, or get written clarification. No → continue.
  4. Does CUI live broadly across Outlook, Teams, SharePoint, and OneDrive? Yes → GCC High often reduces spillage headaches. No → GCC or a scoped enclave may fit.
  5. Can you produce the evidence — FedRAMP package, CRM, data-flow map, SSP entries? Yes → compare GCC vs GCC High on cost and risk. No → get scoped help before you buy anything.

What’s the real difference between GCC and GCC High?

The difference is not branding. GCC and GCC High differ in their FedRAMP authorization, DoD Impact Level, ability to hold export-controlled data, US-sovereignty posture, external sharing, support boundary, and how you buy them. Microsoft’s own CMMC guidance states plainly that GCC is not suitable for CUI Specified such as ITAR or nuclear information, and that the US sovereignty those data types require is something only GCC High provides.

GCC vs GCC High: key differences (Last verified: June 13, 2026)
| Factor | Microsoft 365 GCC | Microsoft 365 GCC High |
| --- | --- | --- |
| Underlying infrastructure | Azure Commercial (segregated government enclave) | Azure Government |
| FedRAMP authorization (FedRAMP Marketplace) | Moderate — Office 365 GCC package MSO365MT (Class C, Rev5) | High — GCC High package FR1824057433 (Class D, Rev5) |
| DoD Impact Level (DISA SRG) | IL2 | IL4 (FIPS 199 High; demonstrates IL4 equivalency/inheritance for CMMC) |
| Holds CUI Basic? | Yes, when configured and documented | Yes |
| Holds CUI Specified (ITAR / EAR / nuclear / NOFORN)? | No | Yes |
| US data residency | Yes (CONUS for core workloads) | Yes — US only |
| US-sovereign boundary for CUI Specified / ITAR & EAR | No | Yes (US-person personnel screening incl. export-control list checks) |
| CMMC fit | Level 2 for CUI Basic, non-export | Level 2; supports Level 3 architectures¹ |
| External sharing | More flexible | Tighter — GCC High users can share only with other GCC High organizations |
| Customer support | Worldwide commercial support terms | Outside the service accreditation boundary — don’t share controlled data with support until you confirm the agent’s authorization |
| Approx. G5 list (early 2026; confirm your quote) | ~mid-to-upper-$60s/user/mo | ~mid-to-upper-$80s–$93/user/mo |
| Best fit | Ordinary CUI, no ITAR, strong evidence package | ITAR/CUI Specified, sovereignty or prime mandates, broad CUI collaboration |

¹ GCC High can support a Level 3 architecture, but the environment alone does not satisfy Level 3. Level 3 requires Final Level 2 (C3PAO) status for the same scope, a DIBCAC assessment, and the selected NIST SP 800-172 requirements.

Don’t anchor this decision on the FedRAMP label alone

You’ll read confident statements that “GCC is FedRAMP Moderate and GCC High is FedRAMP High, so CUI needs High.” DFARS 252.204-7012 requires only FedRAMP Moderate (or equivalent) for a cloud holding CUI — and GCC already meets Moderate. FedRAMP level, by itself, does not force you up to GCC High. What people get wrong, side by side:

| What buyers assume decides it | What actually decides it | Where to verify |
| --- | --- | --- |
| “GCC High, because CUI needs FedRAMP High.” | DFARS 252.204-7012 requires only FedRAMP Moderate-or-equivalent; GCC meets it. | DFARS 252.204-7012 (Acquisition.gov); DoD FedRAMP equivalency memo |
| “All CUI needs GCC High.” | CUI Basic can live in GCC (configured); CUI Specified (ITAR/EAR/NOFORN) needs US sovereignty → GCC High. | Microsoft & CMMC (Microsoft Learn); NARA CUI Registry |
| “Data stored in the US = compliant.” | Residency isn’t sovereignty; export-controlled data also restricts release to foreign persons. | Microsoft GCC High service description (Microsoft Learn) |

Two more real-world differences worth your attention. First, the support boundary: Microsoft states that GCC High/DoD support sits outside the service accreditation boundary and does not itself carry FedRAMP, DoD SRG, ITAR, or CJIS data-handling assurances — so don’t paste CUI into a support ticket until you’ve confirmed the agent’s authorization. Both GCC and GCC High restrict access to your customer content to screened US-citizen Microsoft personnel and store data in the continental US; GCC High adds export-control list screening and DoD IT-2 adjudication for privileged access — but the support channel is the exception to watch. Second, feature parity: Microsoft notes the government clouds can lag the commercial cloud on some features, so confirm the security, productivity, and AI capabilities you depend on are available before you commit.


How much do GCC and GCC High cost in 2026?

At early-2026 list prices through authorized resellers, expect roughly the mid-to-upper-$60s per user per month for Microsoft 365 G5 in GCC and roughly the mid-to-upper-$80s (around $93) for G5 in GCC High — a premium commonly cited at about 25–50% over commercial. Licensing is the small part: total cost over three to five years typically runs two to three times the annual license once you add migration, dual-environment management, training, and ongoing compliance operations.

Pricing snapshot — early-2026 list, last verified June 13, 2026 (confirm your own quote with an authorized reseller)
| | Commercial E5 | GCC G5 | GCC High G3 + CMMC add-on | GCC High G5 |
| --- | --- | --- | --- | --- |
| Approx. list (per user/mo) | ~upper-$50s | ~mid-to-upper-$60s | ~$84 | ~$93 |
| CMMC Level 2 with CUI? | No — not a defensible CUI path by itself | Yes (CUI Basic only) | Yes | Yes |
| ITAR / EAR capable? | No | No | Yes | Yes |
| In-place upgrade from Commercial? | | No — cross-cloud migration | No — cross-cloud migration | No — cross-cloud migration |

For the full licensing-channel and SKU breakdown, see our deeper GCC High cost and licensing guide.


Can you use Microsoft 365 GCC for CMMC Level 2?

Yes — Microsoft 365 GCC can be defensible for CMMC Level 2 when your CUI is CUI Basic, your contract has no sovereignty or export-control requirement, and you can document how the environment meets the applicable controls. The question is never “does GCC have a magic CMMC checkbox?” It’s whether you can show an assessor how your environment satisfies DFARS, FedRAMP, NIST SP 800-171, and CMMC scoping requirements.

Under 32 CFR Part 170, if a Level 2 organization uses a Cloud Service Provider that processes, stores, or transmits CUI, that CSP’s offering must be FedRAMP Authorized at Moderate or higher — or meet FedRAMP Moderate-equivalent requirements — and the Customer Responsibility Matrix (CRM), the document that splits which security controls the provider covers and which you must implement, has to be documented or referenced in your System Security Plan (SSP). An authorization on the platform is not the same as compliance for you. Your C3PAO assesses your configuration and your evidence, not Microsoft’s certificate.

For GCC to hold up, collect all of this before you spend a dollar:

  • The FedRAMP Marketplace listing and package for the exact service you’re relying on.
  • Microsoft’s service description and the scope it covers.
  • A Customer Responsibility Matrix / shared-responsibility document.
  • Your SSP, with the cloud environment referenced.
  • A CUI data-flow map — where CUI is created, stored, transmitted.
  • An asset inventory.
  • A third-party application review.
  • A documented incident-reporting process.

When is GCC High the necessary choice?

GCC High becomes the necessary or clearly safer answer when your data is export-controlled or CUI Specified, when a prime or solicitation mandates it, or when CUI is so widespread across your Microsoft 365 environment that containment is impractical. Microsoft’s CMMC guidance is explicit that GCC cannot hold CUI Specified such as ITAR or nuclear data, and that the US sovereignty those categories require is available only in GCC High.

The five triggers that move you to GCC High:

  1. ITAR or export-controlled technical data. ITAR (the International Traffic in Arms Regulations) and EAR (the Export Administration Regulations) restrict the export or release of controlled technical data, technology, and source code to foreign persons — including release to a foreign person inside the United States (a “deemed export”). For Microsoft 365, Microsoft points these workloads to GCC High; GCC does not provide the required US-person access controls.
  2. CUI Specified or nuclear-related CUI. These categories carry handling controls set by law, not just contract.
  3. A prime or solicitation that names GCC High, IL4, IL5, or US-person access. Contract language is more specific than any general framework.
  4. CUI that lives broadly across Outlook, Teams, SharePoint, and OneDrive. When CUI isn’t confined to a small team, an enclave gets brittle, and an all-in government cloud is easier to defend.
  5. A deliberate choice to reduce assessment friction by using the more conservative government-cloud path.

What does DFARS 252.204-7012 require from your cloud?

DFARS 252.204-7012 requires that when you use an external cloud service provider to store, process, or transmit covered defense information, you ensure the provider meets security requirements equivalent to the FedRAMP Moderate baseline and complies with the clause’s incident-reporting, malicious-software, media-preservation, forensic, and damage-assessment obligations. This is a core reason the GCC-versus-GCC-High decision cannot be answered from CMMC alone.

| DFARS 252.204-7012 obligation | Your buyer question | Proof to collect |
| --- | --- | --- |
| FedRAMP Moderate equivalent or better | Is the exact service and package in scope? | FedRAMP Marketplace listing, package ID, service boundary |
| Cyber incident reporting | Can we report incidents to DoD on the required timeline? | Incident-response procedure, reporting workflow |
| Malicious software handling | Can we submit and handle malicious-software evidence? | IR playbook plus provider terms |
| Media preservation and protection | Can we preserve affected media and images? | Forensic and retention process |
| Forensic and damage-assessment support | Can we provide the information DoD may request? | Logging, retention, support commitments |
| Flow-down | Do our subs and cloud services meet the same obligations? | Subcontract and vendor review |

CUI Basic vs CUI Specified: the distinction that flips the answer

CUI is not one flat category. CUI Basic applies where the underlying law sets no specific handling controls, while CUI Specified applies where a law, regulation, or government-wide policy imposes specific controls that differ from the baseline. That single distinction is what flips GCC into a “no” and GCC High into a “yes,” because Microsoft states GCC cannot hold CUI Specified such as ITAR or nuclear data.

  • CUI Basic carries the standard handling controls that flow from 32 CFR Part 2002 and the CUI Registry.
  • CUI Specified carries extra or different controls written into the underlying authority.
  • ITAR / export-controlled technical data is CUI, and it is generally CUI Specified — when ITAR-controlled, it’s typically marked “CUI//SP-EXPT.” Do not treat it like ordinary CUI without checking the source law and your contract.

Before you choose a cloud, get answers to these — ideally in writing from your prime or contracting officer:

  • What CUI category appears on the CUI Registry for your data? Is it marked, and how?
  • Is it Controlled Technical Information? Is it export-controlled?
  • Does the contract mention ITAR, EAR, NOFORN, nuclear, or distribution statements?
  • If ITAR or EAR is in play, do you have export-control counsel involved?

See also: FCI vs. CUI: what’s the difference? and CMMC Levels explained.


Move everyone to GCC High, or build a CUI enclave?

A CUI enclave — a tightly scoped environment for just the users and workflows that touch CUI — can cut cost and assessment scope dramatically when CUI is confined to a small group. It fails when CUI spills into ordinary email, Teams, SharePoint, OneDrive, endpoints, or third-party tools. A full GCC High migration is often cleaner when CUI collaboration is broad, but it costs more and adds procurement, sharing, and migration friction.

| Choice | Best for | Not for | Main risk |
| --- | --- | --- | --- |
| GCC-only environment | Ordinary CUI, no ITAR, strong evidence | ITAR/CUI Specified or a GCC High mandate | Underestimating support, app, and scoping evidence |
| GCC High all-in | Broad CUI collaboration, ITAR, prime mandates | A tiny CUI group with tight workflows | Cost, migration complexity, feature gaps |
| GCC High enclave | A small CUI team using Microsoft collaboration | Companies where CUI spreads constantly | CUI spillage into the normal tenant |
| Non-Microsoft CUI enclave / overlay | Limited CUI email and file workflows | Deep Teams/SharePoint/OneDrive collaboration | User adoption and workflow bypass |
| Azure Government / AWS GovCloud | Custom apps, infrastructure workloads | Email and document collaboration alone | Mistaking infrastructure cloud for a productivity suite |

For detailed provider-by-provider options, see: CUI enclave providers, CMMC secure enclave guide, CMMC managed enclave options, and CMMC enclave cost breakdown.

A GCC High migration is a cross-cloud project — plan in months, not weeks

Microsoft does not offer in-place migration between Azure Commercial and Azure Government, so every GCC High project means a brand-new tenant, re-provisioned users, copied data, re-enrolled endpoints, and re-issued certificates, on top of government eligibility validation that has to clear first.

GCC High requires Microsoft government eligibility validation (your CAGE code or proof of government data handling), and Microsoft’s own channel list routes GCC and GCC High customers under 500 seats through an AOS-G partner (an authorized “Agreement for Online Services for Government” reseller), with larger customers using a Licensing Solution Provider on an Enterprise Agreement. New tenant provisioning commonly takes up to about 30 days — and that’s before you migrate a single mailbox.

The full workstream typically spans: identity and tenant setup, domain and DNS planning, mail migration, Teams/SharePoint/OneDrive migration, endpoint strategy, DLP and labeling, conditional access and MFA, logging, third-party app replacement, CUI data cleanup, SSP and evidence updates, user training, and a validated cutover.

For the full migration checklist, see our Microsoft 365 GCC High migration guide.


Which provider category do you need for GCC vs GCC High?

If you’re still choosing between GCC, GCC High, and an enclave, start with a CMMC-aware Microsoft government-cloud implementer, an RPO, an MSP, an MSSP, or a virtual CISO — not an assessment-only C3PAO. If you’re assessment-ready, then engage a C3PAO, and keep readiness and assessment properly separated.

| Provider category | Use when | Don’t use when |
| --- | --- | --- |
| GCC / GCC High licensing partner (AOS-G or LSP) | You know the cloud path and need procurement | You still need scope and CUI decisions |
| Microsoft government-cloud implementer | You need tenant migration and configuration | You need a formal certification assessment |
| RPO / readiness consultant | You need SSP, gap assessment, scoping, POA&M, readiness | You only need the final assessment |
| MSP / MSSP / managed compliance | You need ongoing operations and evidence maintenance | You only need licensing |
| Virtual CISO (vCISO) | You need program ownership and risk decisions | You need pure technical migration only |
| CUI enclave provider | You want to contain CUI to a smaller environment | CUI is spread across the whole business |
| GRC / evidence software | You need evidence workflows and SSP/POA&M support | You think software alone makes you compliant |
| C3PAO | You’re ready for the Level 2 certification assessment | You need implementation or remediation first |

Frequently asked questions

Is GCC High required for CMMC Level 2?
No. CMMC Level 2 does not universally require GCC High. Level 2 maps to the 110 requirements of NIST SP 800-171 Rev. 2; whether you need GCC or GCC High depends on your CUI type, contract language, assessment scope, and the evidence you can produce. ITAR or CUI Specified data is the most common factor that does require GCC High.
Can Microsoft 365 GCC pass a CMMC Level 2 assessment?
It can be defensible for CUI Basic environments when you can show the relevant FedRAMP, DFARS, and shared-responsibility evidence and keep CUI inside a properly scoped boundary. A C3PAO assesses your actual configuration, controls, and CUI flows — not the Microsoft product name. If you handle export-controlled data, GCC is not the right environment.
Is GCC High required for ITAR?
For ITAR and other export-controlled data, GCC High is the standard Microsoft path, because that data requires US data residency and access restricted to screened US persons — and Microsoft states GCC cannot hold CUI Specified such as ITAR. A documented, equivalent US-sovereign enclave is the other route. Confirm your contract, CUI category, and export-control obligations before deciding.
Does buying GCC High automatically make us CMMC compliant?
No. GCC High can support a CMMC-ready architecture, but you still have to implement and document the NIST SP 800-171 controls, configure the environment, manage endpoints, control CUI flows, maintain your SSP, and produce assessment evidence. The cloud is a foundation, not a certificate.
Is FedRAMP High required for CMMC Level 2?
Not as a universal rule. DFARS 252.204-7012 and 32 CFR Part 170 require cloud services handling CUI to be FedRAMP Moderate authorized or meet FedRAMP Moderate-equivalent requirements; GCC meets that bar. Your contract or data type may push you to a higher environment, but FedRAMP High is not a blanket Level 2 requirement.
What if our prime says we need GCC High?
Treat it as a contract and flow-down requirement, not just a technical opinion. Either follow it or get written clarification from the prime or contracting officer before you build something different — a technically sound environment that fails the contract requirement still fails.
Can we use Microsoft 365 Commercial for non-CUI work and GCC High for CUI?
Possibly, if the CUI boundary is real, enforced, documented, and reflected in your SSP and data flows. The risk is spillage: if CUI migrates into the commercial tenant, endpoints, email, or unmanaged apps, those systems can be pulled into your assessment scope.
Can the firm that prepares us also be our C3PAO?
Be careful. 32 CFR Part 170 requires C3PAOs and assessors to follow the Cyber AB’s Conflict of Interest and Code of Professional Conduct policies, and in practice the organization that prepared you for assessment should not perform your certification assessment. Keep readiness and remediation separate from the formal assessment.
Do we still need SPRS if we’re choosing GCC or GCC High?
Yes. If DFARS 252.204-7019 applies, you must verify that a current NIST SP 800-171 DoD Assessment summary score is posted in SPRS for each relevant system. If DFARS 252.204-7025 applies, the solicitation can require a current CMMC status and affirmation in SPRS before award. The cloud you choose does not remove those obligations.
What’s the safest move if we’re not sure what CUI we handle?
Don’t buy GCC High as a substitute for figuring out your CUI. First identify whether you hold FCI, CUI Basic, CUI Specified, ITAR or export-controlled data, or prime-specific handling requirements — then choose the environment and the provider category. Getting the data classification right is what makes every later decision cheaper.

The bottom line

GCC vs GCC High for CMMC isn’t a coin flip between a cheap option and a safe one. It’s a sequence: confirm your level and assessment type, confirm what your cloud must do under DFARS 252.204-7012, then match the environment to your CUI type and contract. Got CUI Basic with no export control and no sovereignty clause? GCC can carry you through Level 2 when it’s configured, scoped, and documented — and you can stop overpaying. Touch ITAR or CUI Specified? GCC High, or a qualified US-sovereign enclave, is the floor — and the migration is one-way, so decide before you build, not after.

We wrote this because the cleanest answer to an expensive question shouldn’t come from the person selling you the license.



Sources & primary references


The Defense Compliance Report Editorial Team built this guide from primary regulatory sources, DFARS clause text, FedRAMP Marketplace data, and Microsoft’s official service documentation. Provider performance, pricing, and FedRAMP package details change; verify time-sensitive facts against the primary sources above before acting. See our editorial standards, methodology, and corrections policy.

Not legal or compliance advice: This article is informational and educational. It is not legal, contractual, or compliance advice. CMMC requirements, vendor capabilities, FedRAMP package statuses, and pricing change; verify against the primary sources above before acting.
