When it comes to choosing a cloud provider for your business, there are a lot of factors to consider. One of the most important decisions you’ll have to make is whether to go with a public cloud provider like Microsoft Azure, or a private cloud provider like Google Cloud Platform or Amazon Web Services. In this blog post, we’ll be comparing two of Microsoft’s cloud offerings: Microsoft GCC vs. GCC High.

Microsoft 365 GCC (Government Community Cloud) and Microsoft 365 GCC High (Microsoft 365 Government Community Cloud High) are two versions of Microsoft’s cloud computing platform designed specifically for government organizations. Microsoft GCC is a more basic version of the platform that offers lower-cost subscription options and is ideal for small- to medium-sized government organizations. Microsoft GCC High is a more robust version of the platform that offers higher-performing virtual machines and is better suited for large government organizations. Both versions of Microsoft GCC offer compliance with government standards, such as the Federal Risk and Authorization Management Program (FedRAMP). Microsoft GCC High also offers additional security features, such as encrypted data at rest and in transit, and multi-factor authentication.

Microsoft GCC

Microsoft GCC (Government Community Cloud) is a copy of Microsoft 365 Commercial, with one key difference: GCC uses only data centers that are physically located within the continental United States (CONUS). FedRAMP Moderate controls mandate that these servers be located within CONUS.

Team members who utilize GCC must fulfill the following background requirements:

  • US citizenship
  • Seven years of verified employment history
  • Verification of education
  • Verification of the SSN (Social Security Number)
  • Criminal history check

GCC should be utilized if you need to support the following compliance requirements:

  • DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012
  • DoD SRG (Department of Defense Security Requirements Guide) level 2
  • FBI CJIS (Criminal Justice Information Services)
  • FedRAMP Moderate, for which GCC has an accreditation

Microsoft GCC High

Microsoft GCC High is only necessary for organizations that deal with Defense, Department of Defense contractors, and government agencies with very specific security and compliance requirements. The GCC High servers are in a separate environment from GCC, and these servers reside only within CONUS. An organization’s eligibility for GCC High must be submitted and confirmed by Microsoft.

GCC High should be utilized if you need to support the following compliance requirements:

  • FedRAMP, with an accreditation level “High”
  • DFARS 252.204-7012 with flow-down requirements
  • ITAR
  • EAR
  • Handling CUI
  • Handling CDI
  • DoD SRG Level 4
  • NIST 800-171

GCC High does not support FBI CJIS requirements.

Contact Us

Both Microsoft GCC and GCC High have their pros and cons. Contact Withum’s Digital and Technology Transformation Services Team to learn which option is best suited for your business.