Data security is paramount for federal agencies and contractors. This is especially true when it comes to doing business in the cloud. This is why many government teams utilize Government Community Cloud (GCC), a highly secure version of Office 365 built by Microsoft specifically for government entities, vendors, and contractors within the federal ecosystem.
While GCC is closely related to Microsoft 365 Commercial, GCC and GCC High differ substantially from private-sector clouds. The Microsoft DOD product is yet another level, meant strictly for Department of Defense (DOD) use. Each has a different level of security, target user, and set of use cases. The key for federal agencies and contractors is to understand each model in depth, so they have the information needed to migrate to the proper Microsoft cloud infrastructure.
- Quick Look: GCC vs GCC High vs DOD
- What is Microsoft GCC?
- What is GCC High?
- What is Microsoft 365 DOD?
- Which Government Cloud Option is Right For You?
- Integrating GCC into Your Cybersecurity Posture
Quick Look: GCC vs GCC High vs DOD
First, let’s take a quick look at the key differences between GCC, GCC High, and Microsoft DOD. Each environment provides a different level of security and meets different compliance frameworks, such as NIST 800-171 or FedRAMP.
| | GCC | GCC High | DOD |
|---|---|---|---|
| Users | General government and vendor users | High-security clearance users | Federal DOD personnel only |
| Cost | Low | Medium | High |
| Regulations | FedRAMP Moderate, DFARS, DoD SRG Level 2, FBI CJIS | FedRAMP High, NIST 800-53, NIST 800-171, DFARS, ITAR | United States Department of Defense Cloud Computing Security Requirements Guide (SRG) Level 5 (L5) |
| Cloud infrastructure | Azure Commercial | Azure Government | Azure Government |
What is Microsoft GCC?
Microsoft GCC is essentially a clone of the Microsoft 365 productivity suite, custom-built for the government environment rather than the commercial one. GCC has most of the same features and functionality as Office 365, except that its data centers are located only within the continental United States (CONUS), as mandated by the FedRAMP Moderate standard.
Eligibility
State, local, federal, and tribal governments are eligible for GCC. GCC is intended for screened personnel who access sensitive data residing on CONUS servers. While ordinary personnel can use the GCC cloud, only those who have passed specific background checks can gain access to classified information.
Security Measures
GCC’s primary security distinction from standard Microsoft 365 is that its servers are located in CONUS, per FedRAMP. GCC resides on the Azure Commercial infrastructure and therefore carries fairly standard security features and configurations. Although the servers are located only in North America, the data can be accessed from anywhere in the world.
Background Check Requirements
Ordinary Microsoft staff don’t have automatic access to customer content hosted in the Office 365 GCC environment. Personnel who want temporary permission to access that data must pass the following background checks before access is granted:
| Check | Requirement |
|---|---|
| U.S. citizenship | Verification of U.S. citizenship |
| Employment history check | Verification of seven (7) year employment history |
| Education verification | Verification of highest degree attained |
| Social Security Number (SSN) search | Verification that the provided SSN is valid |
| Criminal history check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level |
| Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions |
| Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities |
| Fingerprinting check | Fingerprint background check against FBI databases |
| CJIS background screening | State-adjudicated review of federal and state criminal history by a state CSA-appointed authority within each state that has signed up for the Microsoft CJIS IA program |
Cost and Barriers to Entry
GCC pricing is custom, and GCC can be purchased directly through Microsoft or through certified GCC partners. Interested organizations must complete a validation process before the environment is established; volume licensing discounts are available. Currently, only US government agencies are eligible for a free trial of Microsoft GCC.
Other Considerations
Microsoft GCC is the most basic of the government cloud options for agencies and contractors. It’s important to note that GCC is not sufficient on its own for handling most Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI). That also makes it unable to comply with the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), because Azure Commercial doesn’t meet import/export control standards.
What is GCC High?
GCC High is a copy of the DOD cloud environment, intended for use by DOD contractors, cabinet-level agencies, and other cleared personnel. It’s called GCC High because it meets the FedRAMP High impact requirements. GCC High sits on the Azure Government infrastructure, making it a more secure cloud environment than standard GCC.
Eligibility
GCC High can only be used by organizations within the Defense Industrial Base (DIB), DOD contractors, and federal agencies. Anyone seeking to implement GCC High must go through a rigorous validation process with Microsoft before receiving approval.
Security Measures
The Azure Government servers used by GCC High are isolated both physically and virtually for the sole use of federal agencies and contractors. Unlike the commercial version, Azure Government has US-only sovereign directory services, a more secure setup than servers with global access. Data transmission and processing occur only in the continental US, adding an extra layer of protection.
Background Check Requirements
Ordinary Office 365 users don’t have automatic standing access to GCC High. While the background checks needed to grant access are similar to those for GCC, there are additional steps with regard to the Office of Defense Trade Controls Debarred Persons List (DDTC) and Department of Defense IT-2 regulations.
| Check | Requirement |
|---|---|
| U.S. citizenship | Verification of U.S. citizenship |
| Employment history check | Verification of seven (7) year employment history |
| Education verification | Verification of highest degree attained |
| Social Security Number (SSN) search | Verification that the provided SSN is valid |
| Criminal history check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level |
| Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions |
| Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities |
| Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry |
| Fingerprinting check | Fingerprint background check against FBI databases |
| Department of Defense IT-2 | Staff requesting elevated permissions to customer data or privileged administrative access to Department of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation |
Cost and Barriers to Entry
GCC High is geared toward a narrower user base than GCC, and organizations must complete the Microsoft verification process. This includes presenting a signed contract proving eligibility as well as a GCC High sponsorship letter from the government entity you’ll be working with.
Other Considerations
One of the downsides of GCC High versus standard GCC is that it’s not as feature-rich. That’s because many Microsoft 365 tools, like Yammer, don’t meet the security standards necessary to operate under GCC High requirements. Other features, like Microsoft Defender, have to be completely rebuilt and restructured to be used in GCC High. This makes GCC High more expensive to implement, and potentially to operate, than GCC.
What is Microsoft 365 DOD?
Microsoft 365 DOD is purpose-built exclusively for DOD use. It’s one of only four clouds to meet the stringent requirements of DOD SRG Levels 5 and 6. This means the DOD cloud is legally allowed to house the most sensitive categories of CUI and CDI.
Eligibility
The eligibility requirements for Microsoft DOD are strict and straightforward: if you’re not a team, agency, or department within the DOD, this product is not available to you.
Security Measures
Since GCC High is a copy of Microsoft 365 DOD for vendors and contractors, the security measures in the Azure Government cloud are nearly identical. Once again, data storage and transmission take place on a non-global basis within US borders, with mandatory multi-factor authentication for all user access.
Background Check Requirements
Non-DOD personnel will not have access to Microsoft DOD data and content. Those within the DOD must pass background checks identical to those for GCC High.
| Check | Requirement |
|---|---|
| U.S. citizenship | Verification of U.S. citizenship |
| Employment history check | Verification of seven (7) year employment history |
| Education verification | Verification of highest degree attained |
| Social Security Number (SSN) search | Verification that the provided SSN is valid |
| Criminal history check | A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level |
| Office of Foreign Assets Control List (OFAC) | Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions |
| Bureau of Industry and Security List (BIS) | Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities |
| Office of Defense Trade Controls Debarred Persons List (DDTC) | Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry |
| Fingerprinting check | Fingerprint background check against FBI databases |
| Department of Defense IT-2 | Staff requesting elevated permissions to customer data or privileged administrative access to Department of Defense SRG L5 service capacities must pass Department of Defense IT-2 adjudication based on a successful OPM Tier 3 investigation |
Cost and Barriers to Entry
To implement Microsoft DOD, you’ll need to submit an application directly to Microsoft before you can purchase the product. The main barrier to entry, of course, is whether or not your organization is part of the DOD. These deployments are likely to be the most expensive, due to the security and customization requirements, and are priced on a custom basis.
Other Considerations
One important functional difference between DOD and standard GCC is that the DOD cloud cannot host or conduct live events, for security and compliance reasons. Moreover, Microsoft OneNote is not available in DOD, while it can be used in GCC and GCC High.
Which Government Cloud Option is Right for You?
In light of recent government data breaches, it’s critical to select the right Microsoft GCC for optimal data security. With Varonis as a Microsoft Silver Partner, you’ll be able to assess your use case, budget, and security requirements to select GCC, GCC High, or DOD. Moreover, Varonis functions as a cloud data security platform to help you manage and protect data stored in the Azure Commercial or Government clouds, adding critical functionality that isn’t baked into the native Microsoft security and compliance tools.
In general, non-defense-related government agencies and contractors will be best served by standard GCC. You’ll have access to the full functionality of Microsoft 365 at a lower cost, with fewer headaches around approvals and background checks.
If you work with highly sensitive CDI or CUI, then GCC High is probably the best cloud infrastructure. While you’ll lose a bit of functionality, GCC High will ensure compliance with regulations like FedRAMP High and ITAR.
Integrating GCC into Your Cybersecurity Posture
No matter which Microsoft government cloud you choose, Varonis will help you take a data-first approach to cybersecurity and compliance. This is especially critical for ensuring the integrity of information used in the defense industrial base. When selecting a government cloud, you’ll also need to familiarize yourself with the regulatory frameworks you must comply with and have a technology platform to monitor and track that compliance.
Productivity in the cloud is now standard operating procedure for all organizations, federal agencies and contractors included. By knowing the ins and outs of GCC, GCC High, and Microsoft DOD, you’ll be able to handle sensitive information and use the Microsoft tools necessary to stay productive and serve the public interest.