Giga-Green Giga-Green

CMMC Consulting

Microsoft 365 GCC and GCC High Migration

End-to-end migration from Microsoft 365 Commercial to Government Community Cloud (GCC) or GCC High — the tiers Microsoft designed to house CUI under DFARS 252.204-7012 and CMMC. We help you pick the right tier and get there cleanly.

Microsoft 365 GCC and GCC High Migration

If your DoD contract handles Controlled Unclassified Information, commercial Microsoft 365 is not a compliant home for that data. Microsoft offers two government cloud tiers that are — and picking between them is one of the highest-leverage decisions you’ll make in your CMMC journey.

GCC vs GCC High — which tier do you need?

GCCGCC High
FedRAMP authorizationModerateHigh
DoD Impact LevelIL2IL5
CUI category supportedCUI Basic (unmarked, no specified categories)CUI Basic, CUI Specified, ITAR
Guest collaborationWith commercial M365 usersOnly with other GCC High tenants
Third-party app ecosystemBroaderNarrower
Licensing costModerate premium over commercialHigher premium — often 30–50% above commercial
Typical customerState/local gov, federal civilian contractors, CUI Basic-only DIB suppliersDoD contractors with ITAR / CUI Specified / IL5 requirements

Read your contract flowdowns. If they cite ITAR, EAR, CUI Specified categories, or explicitly require FedRAMP High / DoD IL5, you need GCC High. If they cite CUI Basic and DFARS 252.204-7012 without those additional flags, GCC is usually sufficient — and cheaper.

Picking the wrong tier is expensive to undo. Get the decision right up front.

What we deliver

  • Tier decision — a documented recommendation with contract-clause mapping so leadership can sign off with confidence.
  • Tenant readiness — eligibility verification, licensing procurement through an authorized Microsoft partner, and clean tenant provisioning.
  • Data migration — Exchange, SharePoint, OneDrive, and Teams migrated with retention, permissions, and metadata intact.
  • Identity migration — Entra ID Government provisioning, conditional access re-baselining, MFA enforcement, and hybrid identity if you’re keeping on-prem AD.
  • Application review — every third-party integration mapped, categorized as available / replaceable / decommission, with a remediation plan.
  • Post-migration hardening — security baselines aligned to NIST SP 800-171 and CMMC Level 2 control expectations, with the configuration evidence packaged for your assessor.
  • User enablement — communications, training, and cutover playbook so your users can find what changed and where.

Where GCC / GCC High fits in your CMMC path

For most DIB suppliers handling CUI, the chosen government tenant becomes the assessment boundary for the vast majority of Level 2 controls. Getting the environment right up front makes SSP authoring, POA&M work, and C3PAO prep significantly easier downstream.

If you’re not sure whether you need a full migration or a smaller enclave to house only CUI-handling users, we’ll help you scope it in the initial engagement.

Frequently asked questions

What's the difference between GCC and GCC High?

GCC is FedRAMP Moderate — authorized to hold CUI Basic (unmarked CUI without dissemination controls or specified categories). GCC High is FedRAMP High plus DoD Impact Level 5 controls — required for CUI Specified, ITAR-controlled data, and DoD programs that demand FedRAMP High. GCC also allows guest access with commercial Microsoft 365 users, which GCC High does not. Licensing, third-party ecosystem, and pricing all differ.

How do I know which tier my organization needs?

Read your contract flowdowns. If they cite ITAR, EAR, CUI Specified categories, or explicitly require FedRAMP High or DoD IL5, you need GCC High. If they cite CUI Basic and DFARS 252.204-7012 without those additional flags, GCC is usually sufficient — and cheaper. We help you make this call as part of the engagement.

Do I actually need GCC or GCC High for CMMC?

If you handle CUI, yes — commercial Microsoft 365 does not meet FedRAMP Moderate/High requirements for hosting CUI under DFARS 252.204-7012. Which tier depends on the sensitivity of the CUI you handle (see above).

How long does a GCC or GCC High migration take?

Most engagements run 3 to 6 months from kickoff to assessor-ready. Complex identity environments, heavy Teams usage, and unusual third-party integrations extend the timeline. Data volume is usually not the bottleneck — dependencies and licensing procurement are.

What breaks when you move to GCC or GCC High?

Many third-party Microsoft 365 add-ons don't exist in the government marketplaces. Some Microsoft features lag commercial by months. Guest access rules change (GCC allows commercial guests; GCC High does not). We map every dependency before the cutover so nothing surprises you at go-live.

Can we migrate only part of our environment?

Yes — many organizations run a hybrid model where CUI-handling personnel work in GCC or GCC High while non-CUI functions stay in commercial. This is called "enclaving" and can significantly reduce licensing costs and scope. We'll help you decide whether an enclave or a full migration is right for your organization.

What licensing do we need?

GCC and GCC High require specific SKUs — typically Microsoft 365 GCC E3/E5 or GCC High E3/E5 depending on your tier and control requirements. Licenses are only sold through authorized Microsoft partners after eligibility verification. We handle the procurement flow as part of the engagement.

Ready to talk?

Tell us where you are in your CMMC journey and we'll follow up within one business day.