Everything You Need to Know Plus Answers to FAQs
Between constant national-security compliance updates, the increase in cybersecurity incidents, and the need for cleared personnel to remotely access network resources such as applications or sensitive data, there had to be a solution available that balances user accessibility with security and compliance.
Those demands prompted the creation of Microsoft 365 Government Community Cloud (GCC) just a few years back — a Platform as a Service (PaaS) that runs Microsoft Office applications while meeting certain compliance and security requirements needed by government agencies and their respective contractors. Some of the GCC compliance frameworks include Defense Federal Acquisition Regulation Supplement (DFARS) 7012, Federal Risk and Authorization Management Program (FedRAMP) High, and even recently — the Cybersecurity Maturity Model Certification (CMMC) 2.0.
A short time later, however, to provide expanded compliance capabilities, more stringent areas such as International Traffic in Arms Regulation (ITAR) and Export Administration Regulation (EAR) data, and Department of Defense (DoD) Controlled Unclassified Information (CUI), Microsoft released a more robust solution — Microsoft 365 Government Community Cloud High (GCC High).
This in-depth guide covers the GCC High platform, how the system operates, the benefits of investing in it, and the types of Microsoft applications you can run in its cloud. We also will dive into essential MathCraft Security Technologies product updates, in which users will be able to run their applications in GCC High environments.
What is GCC High?
GCC High is a platform built on the Microsoft Azure Government cloud that runs productivity applications and web services for its users to operate. In particular, it enables secure access to cleared personnel and contractors within the DoD. Furthermore, GCC High meets the compliance requirements of the original GCC platform, such as DFARS, FedRAMP High, and CMCC 2.0 — while extending them to ITAR, EAR, and CUI.
How Does GCC High Work?
GCC High satisfies many compliance frameworks and requirements because of the elaborate security system for storing and processing data. Built on the Azure Government environment, the platform is entirely managed by cleared United States citizens who’ve undergone comprehensive background checks. It’s also hosted exclusively on eight dedicated data centers, all located in the continental United States — allowing it to handle ITAR and EAR information while ensuring only U.S. citizens ever have access to the data.
The design of GCC High’s environment is essentially a copy of the Microsoft 365 DoD in terms of functional capabilities. Rather than only being accessible by DoD and agencies within it, however, GCC High is available to private organizations that would contract with the DoD.
These are stark contrasts to the standard GCC platform, which replicates Microsoft 365 Commercial environments but is stored in a separate government-specific cloud within the same data center. This could prompt certain GCC services to be run and supported by global Microsoft personnel, who may not be U.S. citizens or have the clearance to view certain types of data temporarily.
GCC High Licensing Requirements
To be eligible for a GCC High license from Microsoft, the entity must complete a validation application confirming they are either a United States federal agency, state agency or department, local government entity, or tribal entity recognized by the federal government. Additionally, private commercial businesses subject to regulation due to their work or data management also meet eligibility.
Benefits of Moving to GCC High
Aside from the value of cost-scalability from investing in any cloud platform, GCC High provides organizations numerous benefits from an operational and risk management point of view. Whether you’re upgrading from standard GCC or transitioning directly into Microsoft’s GCC High, here are some benefits you can enjoy:
GCC High was designed to be a powerful productivity system that meets numerous federal and information-security compliance demands. In addition to the primary regulatory frameworks fulfilled by GCC, such as DFARS, FedRAMP, and CMMC, GCC High can also meet ITAR and EAR data requirements. Additionally, GCC High has a Defense Information Systems Agency (DISA) Impact Level (IL) 5 rating, meeting the CUI requirements that need an IL 4 minimum rating.
The security mechanisms of GCC High include hosting its cloud data only on eight specific United States data centers while receiving IT and product support entirely from cleared U.S. citizens. The platform also deploys tons of cloud computing security measures that award it a FedRAMP High certification, such as a system for user access control, awareness training for developers and maintenance teams, and platform incident response procedures — to name a few.
Simple Cross Collaboration
One of the things that keeps GCC High compliant is that it removes built-in features, integrations, and data access that are ordinarily available to enterprise or regular GCC users. The positive result is that because of these detailed configurations that go into developing GCC High, there aren’t any additional steps its users need to take to collaborate within a team or across an organization. In other words, GCC High users can easily share data and files and communicate with other GCC High or Microsoft DoD users without any restrictions.
Constant Domestic Support and Accountability
Purchasing licenses and administering the GCC High platform requires contractors to go directly through Microsoft or a limited number of approved outside vendors — all of which provide professional and domestic product support. With that also comes a contractual guarantee from Microsoft that the platform’s infrastructure meets current DoD demands and new and evolving compliance requirements as they develop.
Available GCC High Applications for DoD Contractors
The GCC High applications for DoD contractors run on Microsoft’s Government cloud. While these tools and systems are available to GCC High users, some have modular restrictions or feature limitations to maintain data-security compliance. A common one, for instance, is not being able to share a file with anyone outside a GCC High or DoD environment. The leading cloud-based Microsoft apps available for GCC High include:
- Azure Active Directory: Used to manage user access to resources and objects within a network, such as apps, online services, devices, and databases.
- Defender for U.S. Government: Anti-virus software and email filtering system used to protect organizational endpoints from malware and other threats.
- Forms for U.S. Government: Online survey tool used to obtain secure and fast responses, feedback, or information.
- Intune: Device and application management system specifically designed for mobile objects such as phones, tablets, and laptops, as well as mobile applications.
- OneDrive for U.S. Government: Online storage system used to secure, access, and share work files as well as collaborate on documents, slide decks, or spreadsheets.
- Planner for U.S. Government: Task and project management tool to plan, coordinate, and monitor work-related activities.
- Power Apps: Service used to build custom applications connectable to other apps and data within an organization.
- Purview Information Protection: Document management system governing sensitive and classified information and documents across an organization.
- SharePoint or U.S. Government: System used to manage, design, share, and collaborate on websites, web pages, knowledge resources, applications, and content.
- Teams for U.S. Government: Conferencing tool for messaging and conducting collaborative meetings through video or audio calls.
MathCraft Now Offers GCC High
MathCraft Security Technologies is proud to announce that it now offers GCC HIGH for customers who are interested and qualify. GCC High customer applications will run on GCC High environments using the dedicated data centers throughout the continental United States and will receive support from approved U.S. personnel.
Defense contractors can now reap the benefits of using platforms that securely manage and process their cloud data while streamlining facility security operations and auditing procedures. The compliant MathCraft applications include Access Commander for industrial security management, Portal Commander for employee self-service and Facility Security Officer (FSO) oversight, and ViSi Commander for visitor management on cleared facilities.
GCC High: Frequently Asked Questions (FAQs)
What is GCC High?
Microsoft 365 Government Community Cloud High (GCC High) is the platform created for DoD contractors and cleared personnel to run applications and host data securely. It runs on Azure Government’s cloud, replicates the Microsoft 365 DoD environment, and operates entirely in data centers within the United States exclusively by cleared U.S. personnel. These factors make GCC High the industry-standard solution for compliance regulations like DFARS 7012, FedRAMP High, CMMC 2.0, ITAR, EAR, and CUI.
Is GCC High ITAR compliant?
Yes. The stringent and centralized data management of the GCC High platform makes it so that only United States citizens who’ve passed a thorough background check can support the users, maintain the servers, and operate data centers. Additionally, all GCC High data is hosted at one of eight data centers located in the United States. These are specific requirements set forth by ITAR — making GCC High ITAR compliant.
What is available in GCC High?
Many user-favorite platforms, tools, and applications from Microsoft are available in GCC High. Some are limited in capabilities as they are built specifically for U.S. Government customers and contractors managing sensitive information. These include Azure Active Directory, Microsoft Defender, Forms, Intune, OneDrive, Planner, Power Apps, Purview Information Protection, SharePoint, and Teams.
Is GCC High IL5?
Yes. GCC High has the cloud security measures required to meet the Defense Information Systems Agency (DISA) Impact Level (IL) 5 rating. These controls and security mechanisms make it an allowable cloud platform to manage DoD CUI and national security systems (NSS) below “Top Secret” status.
What is the difference between GCC and GCC High?
When looking at Microsoft 365 GCC vs. GCC High, while they each offer a cloud-hosting solution to federal government contractors, their compliance capabilities and data-security mechanisms create some distinct contrasts:
- GCC replicates the Microsoft Commercial environments, while GCC High replicates Microsoft DoD’s environment.
- Though segmented from commercial servers, GCC is hosted in the Azure Commercial data centers, while GCC High has its own dedicated Azure Government data centers.
- While both are hosted in the United States, GCC may use global customer support for specific apps and services. In contrast, GCC High exclusively uses restricted U.S. citizens subject to robust background checks.
- Because of the domestic security systems in place, GCC High complies with the same frameworks as GCC while adding ITAR, EAR, and CUI.
Are there any GCC High limitations?
Yes, there are a few challenges and drawbacks to upgrading to GCC High. For instance, the advanced security and compliance-management controls prevent users from being able to share data with anyone not using the Microsoft 365 DoD or 365 GCC High platforms. These same mechanisms also limit the number of third-party integrations available and restrict specific Microsoft productivity tools from working at total capacity.
Upgrade Your Environment with MathCraft
Today’s cyber threat landscape and new compliance updates on national security require sophisticated cloud solutions for accessing, transmitting, and sharing sensitive data. Microsoft’s GCC High offers a compliance-ready platform available to private defense contractors and cleared personnel with the security and data management benefits of Azure Government environments and Microsoft 365 DoD.
Contact us today to learn how our suite of access, visitor, and portal management software, now managed in GCC High environments, helps FSOs automate and organize their industrial-security compliance needs to support personnel vetting and other NISPOM and DoD requirements.