GCC vs GCC High: How to Choose the Right Microsoft 365 Environment for CMMC Level 2

This guide includes insights from a webinar hosted by GraVoc’s Director of Information Security, Brian Brunelle, alongside Joe Kurlanski of Monarch, a certified C3PAO.

Alongside scoping, cloud strategy is one of the most common things defense contractors struggle with when trying to achieve CMMC Level 2 compliance, specifically the choice between Microsoft 365 GCC and GCC High.

A lot of contractors default to GCC High to play it safe. But that can be a costly decision, especially for small to mid-sized defense contractors already navigating the steep cost of CMMC compliance. Others question whether they can maintain compliance on commercial Microsoft 365 licenses.

To put it plainly: if your Department of Defense (DoD) contract requires CMMC Level 2 and you handle Controlled Unclassified Information (CUI), you need either Microsoft 365 GCC or GCC High, not commercial Microsoft 365. The right choice between the two depends on whether your contracts involve ITAR or export-controlled data.

To help contractors navigate this decision, we have two experts who see both sides of the equation: Brian Brunelle, GraVoc’s Director of Information Security and CMMC readiness consultant, and Joe Kurlanski, President of Monarch ISC, a trusted CMMC Certified Lead Assessor (C3PAO). Together, they explain how to decide between GCC and GCC High, including cloud strategies to reduce scope and cost without compromising compliance.

This post is part of our CMMC Level 2 compliance guide, which covers the full scope of what defense contractors need to know to prepare for certification. 

Key Takeaways

  • Commercial Microsoft 365 doesn't meet CMMC Level 2 requirements. If your contract involves CUI, you need a government cloud environment, such as GCC or GCC High.
  • GCC is enough for most contractors handling standard CUI. It's FedRAMP Moderate authorized and runs approximately 15% above commercial pricing.
  • GCC High is required when contracts involve ITAR or export-controlled data. It runs on physically separated Azure Government infrastructure at 60–70% above commercial pricing.
  • The decision starts with your contract language. Look for ITAR references.
  • You don't have to put everyone on GCC High. A split-tenant strategy can reduce costs, but only if the CUI boundary is clearly documented and defensible.
  • A gap assessment is a great starting point. The cloud decision doesn't exist in a vacuum; it's one piece of your broader CMMC readiness plan.

Can you use Microsoft 365 Commercial for CMMC Level 2?

No. If your contract involves CUI and requires CMMC Level 2, you cannot use commercial Microsoft 365 plans like E3 or E5. Commercial Microsoft 365 does not have the FedRAMP Moderate authorization that the DoD requires for any cloud service storing, processing, or transmitting CUI.

Microsoft 365 Government is designed to support compliance in a way Microsoft 365 Commercial is not. Here’s how:

  • Exclusive community: Only available to U.S. government agencies and authorized contractors handling controlled information
  • Screened personnel: Customer data access restricted to U.S. citizens who pass required background checks
  • Third-party audits: Infrastructure independently audited by certified partners to support federal authorization to operate (ATO)
  • U.S.-based data storage: All data stored within the continental United States on compliant infrastructure

If you only handle Federal Contract Information (FCI) at CMMC Level 1, Microsoft 365 for Enterprise plans can support compliance, if configured correctly.

As Joe explained, according to CFR Title 32 for CMMC, any cloud service provider handling CUI has to have a FedRAMP Moderate or higher authorization. This discussion is not restricted to Microsoft. The same FedRAMP requirement applies to Google Cloud, AWS, and any other cloud infrastructure you use to store, process, or transmit CUI.

What is Microsoft 365 GCC?

Microsoft 365 GCC (Government Community Cloud) is designed for U.S. government agencies and the contractors that handle CUI. It's a logically separated instance of Microsoft 365 that sits on Microsoft's commercial Azure network but keeps your data in U.S. data centers.

Key characteristics:

  • FedRAMP Moderate authorized
  • Data stored in U.S. data centers
  • Supports CMMC Level 2 compliance for non-ITAR data
  • Pricing runs approximately 15% above commercial licensing

Contractors handling CUI whose contracts do not involve ITAR or export-controlled information can use GCC. For many small to mid-sized defense contractors, GCC provides the compliance foundation they need without the cost premium of GCC High.

What is Microsoft 365 GCC High & who needs it?

GCC High is a physically separate cloud environment built for organizations handling the most sensitive unclassified defense data.

Unlike GCC, GCC High runs on Azure Government, dedicated U.S. sovereign data centers with enhanced background screening requirements for the Microsoft personnel who can access the infrastructure.

Key characteristics:

  • FedRAMP High authorized
  • Physically separated infrastructure (Azure Government, not commercial Azure)
  • Required for ITAR or export-controlled data
  • Restricted to screened U.S. persons with enhanced background checks
  • Pricing runs approximately 60–70% above commercial licensing

Contractors whose contracts involve ITAR or export-controlled data need GCC High.

A new licensing option for smaller defense contractors: GCC High Business Premium

In November 2025, Microsoft introduced GCC High Business Premium, a licensing tier built for smaller defense contractors that supports up to 500 seats. At a more affordable cost, it brings GCC High's FedRAMP High environment to organizations that were previously priced out of it.

GCC High Business Premium, however, does not include all the security capabilities required for CMMC Level 2 out of the box. A separate Microsoft Defender and Microsoft Purview add-on is required to meet the compliance requirements for CMMC Level 2.

How do you know if you need GCC or GCC High?

The decision between GCC and GCC High is driven by your contract language. Brian reinforced this: "It all starts with that contract and what the contract stipulates, whether that's CMMC Level 2, Level 3, and if self-assessed versus third party is going to be required."

Here's the framework Brian and Joe recommend:

Step 1: Check your contract for ITAR
If your contract references ITAR or export-controlled data, GCC High is mandatory. This is the single biggest differentiator. But Joe warns against confusing ITAR with CUI: "ITAR does not automatically denote CUI. And CUI does not denote ITAR. The two worlds are very separate." Some contractors over-scope into GCC High because they assume all CUI is ITAR, which can be expensive.

Step 2: Ask your prime contractor
Some prime contractors require GCC High from all subcontractors regardless of what the base contract says. If you're a subcontractor, check with your prime before making a cloud decision.

Step 3: Ask your contracting officer directly
When contract language is ambiguous, and it often is, ask the source whether the contract requires a specific cloud environment.

Can you use GCC & GCC High in the same organization? The split-tenant strategy

You don't necessarily have to put your entire organization on GCC High.

Joe described a strategy he's seen work in practice: "We have seen people start to split tenant. They will only use the GCC High environment for the CUI data. They may have a GCC High license, a GCC, or even a commercial tenant. And they have the people that are authorized for CUI only using the GCC High tenant."

If only 5 people in your organization are authorized to handle CUI and the other 250 don’t touch it, licensing all 255 for GCC High is a significant cost you might not need to take on.

But it comes with tradeoffs:

  • Managing two environments adds IT complexity. Policies, training, and acceptable use agreements all need to align across tenants.
  • Assessors will scrutinize the boundary. A split-tenant approach only works if the CUI boundary is clearly documented and defensible.

Joe put it simply: "It does make sense sometimes, and it's a risk decision you guys need to make." Brian framed it as a strategic question: "This is where it comes into strategy and whether enterprise or enclave approach is going to be appropriate for you. It's all that cost, resource, decisions and determinations that will drive which environment best fits you."

When a split-tenant approach makes sense:

  • A small percentage of your workforce handles CUI
  • The cost savings are significant enough to justify the management overhead
  • You have the IT resources to maintain clear boundary separation

When enterprise-wide GCC High is simpler:

  • Most or all employees touch CUI at some point
  • Your IT team is small and managing two environments would stretch resources

What should you do next?

If you’ve read this far, you’re already ahead of most contractors who default to a cloud decision without fully understanding what their contracts require. Here's how to move forward:

  • Review your contracts: Look for CUI and ITAR references.
  • Talk to your contracting officer: If the language is ambiguous, clarify requirements with your officer now to avoid a costly mistake.
  • Map your CUI boundary: The cloud decision doesn't exist in a vacuum; it's one piece of your broader CMMC scoping and readiness plan.
  • Get a gap assessment: A structured assessment evaluates your current environment and helps determine what type of cloud environment you need.
  • Plan your timeline: CMMC Level 2 third-party assessments will be phased in starting November 2026, and C3PAO availability is limited. The longer you wait to start readiness work, the fewer C3PAO scheduling options you'll have. See our step-by-step CMMC Level 2 readiness roadmap, which breaks down what you should be doing over a 6–8 month timeline in structured weekly phases.

Start With a CMMC Level 2 Gap Assessment

Getting the cloud decision right is easier when you know your full CUI boundary. GraVoc's CMMC gap assessment evaluates your environment so you make the right decision.