CMMC Consulting
Microsoft 365 GCC and GCC High Migration
End-to-end migration from Microsoft 365 Commercial to Government Community Cloud (GCC) or GCC High — the tiers Microsoft designed to house CUI under DFARS 252.204-7012 and CMMC. We help you pick the right tier and get there cleanly.
- Tier decision — GCC (CUI Basic) vs GCC High (CUI Specified, ITAR, higher-sensitivity CUI)
- Tenant procurement, licensing selection, and provisioning
- Data migration (SharePoint, OneDrive, Exchange, Teams)
- Identity migration to Entra ID Government
- Application compatibility review and third-party remediation
- Post-migration security hardening aligned to NIST SP 800-171
- CMMC-ready evidence and documentation for the new tenant
Microsoft 365 GCC and GCC High Migration
If your DoD contract handles Controlled Unclassified Information, commercial Microsoft 365 is not a compliant home for that data. Microsoft offers two government cloud tiers that are — and picking between them is one of the highest-leverage decisions you’ll make in your CMMC journey.
GCC vs GCC High — which tier do you need?
| GCC | GCC High | |
|---|---|---|
| FedRAMP authorization | Moderate | High |
| DoD Impact Level | IL2 | IL5 |
| CUI category supported | CUI Basic (unmarked, no specified categories) | CUI Basic, CUI Specified, ITAR |
| Guest collaboration | With commercial M365 users | Only with other GCC High tenants |
| Third-party app ecosystem | Broader | Narrower |
| Licensing cost | Moderate premium over commercial | Higher premium — often 30–50% above commercial |
| Typical customer | State/local gov, federal civilian contractors, CUI Basic-only DIB suppliers | DoD contractors with ITAR / CUI Specified / IL5 requirements |
Read your contract flowdowns. If they cite ITAR, EAR, CUI Specified categories, or explicitly require FedRAMP High / DoD IL5, you need GCC High. If they cite CUI Basic and DFARS 252.204-7012 without those additional flags, GCC is usually sufficient — and cheaper.
Picking the wrong tier is expensive to undo. Get the decision right up front.
What we deliver
- Tier decision — a documented recommendation with contract-clause mapping so leadership can sign off with confidence.
- Tenant readiness — eligibility verification, licensing procurement through an authorized Microsoft partner, and clean tenant provisioning.
- Data migration — Exchange, SharePoint, OneDrive, and Teams migrated with retention, permissions, and metadata intact.
- Identity migration — Entra ID Government provisioning, conditional access re-baselining, MFA enforcement, and hybrid identity if you’re keeping on-prem AD.
- Application review — every third-party integration mapped, categorized as available / replaceable / decommission, with a remediation plan.
- Post-migration hardening — security baselines aligned to NIST SP 800-171 and CMMC Level 2 control expectations, with the configuration evidence packaged for your assessor.
- User enablement — communications, training, and cutover playbook so your users can find what changed and where.
Where GCC / GCC High fits in your CMMC path
For most DIB suppliers handling CUI, the chosen government tenant becomes the assessment boundary for the vast majority of Level 2 controls. Getting the environment right up front makes SSP authoring, POA&M work, and C3PAO prep significantly easier downstream.
If you’re not sure whether you need a full migration or a smaller enclave to house only CUI-handling users, we’ll help you scope it in the initial engagement.
Frequently asked questions
What's the difference between GCC and GCC High?
GCC is FedRAMP Moderate — authorized to hold CUI Basic (unmarked CUI without dissemination controls or specified categories). GCC High is FedRAMP High plus DoD Impact Level 5 controls — required for CUI Specified, ITAR-controlled data, and DoD programs that demand FedRAMP High. GCC also allows guest access with commercial Microsoft 365 users, which GCC High does not. Licensing, third-party ecosystem, and pricing all differ.
How do I know which tier my organization needs?
Read your contract flowdowns. If they cite ITAR, EAR, CUI Specified categories, or explicitly require FedRAMP High or DoD IL5, you need GCC High. If they cite CUI Basic and DFARS 252.204-7012 without those additional flags, GCC is usually sufficient — and cheaper. We help you make this call as part of the engagement.
Do I actually need GCC or GCC High for CMMC?
If you handle CUI, yes — commercial Microsoft 365 does not meet FedRAMP Moderate/High requirements for hosting CUI under DFARS 252.204-7012. Which tier depends on the sensitivity of the CUI you handle (see above).
How long does a GCC or GCC High migration take?
Most engagements run 3 to 6 months from kickoff to assessor-ready. Complex identity environments, heavy Teams usage, and unusual third-party integrations extend the timeline. Data volume is usually not the bottleneck — dependencies and licensing procurement are.
What breaks when you move to GCC or GCC High?
Many third-party Microsoft 365 add-ons don't exist in the government marketplaces. Some Microsoft features lag commercial by months. Guest access rules change (GCC allows commercial guests; GCC High does not). We map every dependency before the cutover so nothing surprises you at go-live.
Can we migrate only part of our environment?
Yes — many organizations run a hybrid model where CUI-handling personnel work in GCC or GCC High while non-CUI functions stay in commercial. This is called "enclaving" and can significantly reduce licensing costs and scope. We'll help you decide whether an enclave or a full migration is right for your organization.
What licensing do we need?
GCC and GCC High require specific SKUs — typically Microsoft 365 GCC E3/E5 or GCC High E3/E5 depending on your tier and control requirements. Licenses are only sold through authorized Microsoft partners after eligibility verification. We handle the procurement flow as part of the engagement.
Related services
CMMC Consulting
CAPE — CMMC Level 2 Assessment Preparation Engagement
A fixed-price engagement that takes you from system inventory to a defensible System Security Plan, POA&M, and SPRS score — with a clear go / no-go call on whether you're ready for a CMMC Level 2 assessment.
Learn more
CMMC Consulting
Network & Endpoint Hardening
Technical implementation of the CMMC controls that assessors touch first — segmentation, MFA, encryption, endpoint detection, and configuration baselines aligned to NIST SP 800-171 SC, AC, CM, and SI control families.
Learn more
CMMC Consulting
CMMC Tabletop Exercises
Facilitated tabletop exercises that satisfy the CMMC Level 2 incident response testing requirement (IR.L2-3.6.3) — and produce the evidence artifacts your assessor will ask for.
Learn more
Ready to talk?
Tell us where you are in your CMMC journey and we'll follow up within one business day.