Does CMMC Require GCC High? What the Rule Actually Requires for Defense Contractors

June 27, 2026

Does CMMC require GCC High? For a defense contractor reading the contract clauses for the first time, it is the question that decides a six-figure cloud commitment, and the honest answer is more useful than the one most vendors give. i3solutions has delivered Microsoft platform and compliance work for regulated organizations across aerospace and defense, financial services, and healthcare, and the same delivery discipline that protects those engagements governs how we scope a CUI boundary. As a Microsoft Solutions Partner since 1997, with 600+ Microsoft platform implementations across nearly 30 years, i3solutions treats the GCC High decision as an Enterprise Delivery Assurance problem: get the scoping right, and the migration lands on-time, in-scope, and in-production. This is the borrowed expertise a VP of IT brings in when the cost of choosing the wrong tenant is a failed CMMC assessment and a second migration.

Quick answer: does CMMC require GCC High?

Does CMMC require GCC High? No. CMMC is a controls-and-assessment framework and names no cloud. What requires a FedRAMP-authorized environment is DFARS 252.204-7012, and whether that means GCC, GCC High, or Commercial depends on your CUI type. Export-controlled data under ITAR or EAR is what makes GCC High the only Microsoft option.

Key Takeaways

  • CMMC itself names no cloud environment. DFARS 252.204-7012 is the clause that actually drives the GCC, GCC High, or Commercial decision, based on the type of CUI you handle.
  • GCC High becomes the required Microsoft environment when you handle ITAR or EAR export-controlled technical data, because it is the only Microsoft 365 environment with a contractual ITAR commitment and screened United-States-person operations.
  • GCC is genuinely enough for many contractors whose CUI is standard and not export controlled, which means defaulting everyone to GCC High is often wasted spend.
  • The two expensive failure modes are over-scoping (paying the GCC High premium you did not need) and under-scoping (leaving export-controlled data in GCC or Commercial and failing the assessment).
  • Scope the CUI first, design an enclave so spend matches the real footprint, and document the justification in your System Security Plan before you choose the tenant.

Does CMMC Require GCC High? The Direct Answer

Defense contractors keep asking whether CMMC forces them into GCC High, and the question carries real money because the wrong answer is expensive in both directions. Buy GCC High you do not need and you have overspent and slowed your own program; keep export-controlled data in GCC or Commercial and you fail the assessment and re-migrate under deadline. The honest answer is that CMMC itself names no cloud at all. What decides your tenant is the kind of controlled unclassified information you handle and the contract clauses that travel with it.

The Cybersecurity Maturity Model Certification is a framework: it defines security practices and how they are assessed, not which products or cloud environments you must buy. Its program rule, 32 CFR Part 170, took effect in December 2024, and the acquisition rule that puts CMMC into contracts, the 48 CFR rule, took effect on November 10, 2025, inserting the DFARS clause 252.204-7021 that makes certification a condition of award. Level 2, which applies to most contractors handling controlled unclassified information, requires all 110 controls of NIST Special Publication 800-171. None of that text names GCC High, or any cloud. The DoD’s CMMC program documentation describes the levels and the assessment, and leaves the environment choice to you and your System Security Plan.

So the real question is not whether CMMC requires GCC High. It is whether your contracts and your data require a FedRAMP-authorized cloud for CUI, and whether GCC High is the most defensible way to meet that requirement. For many contractors the answer lands on GCC High, but for a meaningful number it does not, and the difference is worth real money. The rest of this guide is the decision behind the answer.

The timing is why this decision is urgent rather than theoretical. The 48 CFR rule began a four-phase rollout on November 10, 2025. In Phase 1, contracting officers insert Level 1 and Level 2 self-assessment requirements into new contracts, with discretion to require a third-party Level 2 assessment on select awards. Phase 2 begins on November 10, 2026, when third-party Level 2 certification through an accredited assessor becomes the requirement for most contracts that involve CUI. Certification is valid for three years, must be maintained for the life of the contract, and carries an annual senior-official affirmation in the Supplier Performance Risk System, with the requirement flowing down to subcontractors who handle CUI. Because a Level 2 program commonly takes nine to twelve months to implement and assess, the tenant decision cannot wait for a solicitation to land.

What GCC High for CMMC Actually Requires: DFARS 7012 and Your CUI Type

The clause that actually drives the cloud decision is DFARS 252.204-7012, which appears in most DoD contracts that involve CUI. It requires that any cloud service used to store, process, or transmit covered defense information meet the FedRAMP Moderate baseline at a minimum, or demonstrate equivalency. That single requirement is what separates the three Microsoft environments, and our Microsoft 365 Compliance Consulting practice starts every CMMC scoping conversation there. Microsoft’s own CMMC compliance guidance documents how each government cloud maps to the requirement.

Commercial, GCC, and GCC High are not interchangeable

Commercial Microsoft 365 is not built for CUI under DFARS 252.204-7012. Its core services carry a FedRAMP Moderate authorization, so it can support CMMC Level 1 for contractors who handle only Federal Contract Information, but Microsoft does not extend the DFARS 252.204-7012 contractual commitments to Commercial and it lacks the United-States data-residency and personnel controls a CUI boundary depends on, which makes it difficult to justify for CUI. GCC, the Government Community Cloud, holds a FedRAMP Moderate authorization and runs on Azure Commercial infrastructure with United States data residency. Since 2021, Microsoft has included contractual DFARS 252.204-7012 support in GCC for the CUI categories it is authorized to hold, which makes GCC a legitimate Level 2 environment for standard CUI that is not export controlled, when it is configured and documented correctly.

GCC High is the defense-oriented environment. It runs on Azure Government, a physically separate infrastructure with data centers only in the continental United States and operations staff screened as United States persons, and it holds a FedRAMP High authorization. The distinction that matters most is contractual: GCC High is the only Microsoft 365 environment where Microsoft will commit to ITAR contract language. Commercial and standard GCC do not carry that commitment. That single fact, more than the FedRAMP level, is what forces the GCC High decision for contractors who handle export-controlled data.

Two points keep this from becoming a binary, all-or-nothing choice. First, many contractors run two tenants on purpose: a commercial tenant for non-CUI work and a GCC High tenant for the defense work, which is the basis of the enclave approach that keeps cost aligned to the actual CUI footprint. Second, none of these environments is compliant out of the box. GCC and GCC High are platforms, not compliance programs; buying the licenses does not satisfy a single NIST control. CMMC Level 2 readiness is the right environment plus documented policies, configured controls, evidence, and ongoing security operations. The environment decision is the foundation, and getting it right early is what prevents an expensive rebuild later, but it is the beginning of the compliance program, not the end of it.

Is GCC High Required for CMMC Level 2, or Is GCC Enough?

The fork comes down to the type of CUI you handle, and reading it correctly is how a contractor avoids paying for more cloud than the mission requires. GCC High becomes the required answer in a few specific situations, and GCC is genuinely enough in others.

When GCC High is the required environment

If you handle export-controlled technical data governed by ITAR or EAR, such as engineering drawings, CAD files, or source code, GCC High is effectively required within the Microsoft ecosystem. The reason is the ITAR deemed-export rule under 22 CFR 120.50: showing ITAR-controlled technical data to a foreign national, even inside the United States, is an export that requires authorization. Commercial and standard GCC both allow support access by non-United-States persons, which means neither can satisfy the United-States-person requirement regardless of how the data is encrypted. The same logic applies when a contract explicitly requires United States sovereignty or United-States-person-only support. Once GCC High is the answer, the work becomes the migration itself, which our GCC High and Sensitive Data Protection consulting handles, and the underlying Azure Government platform meets DoD Impact Levels 4 and 5 in addition to FedRAMP High, which is why it is also the basis for the most sensitive defense workloads.

When GCC is genuinely enough

If your CUI is standard defense information that is not export controlled, such as project schedules, bidding data, or general technical requirements, GCC usually satisfies DFARS 252.204-7012 and supports CMMC Level 2, provided the environment is properly configured, the justification is documented, and your prime approves GCC in writing where required. GCC holds a FedRAMP Moderate authorization and meets DoD Impact Level 2, which covers most non-export CUI scenarios. A logistics or services subcontractor handling only non-export CUI can often stay in GCC, document the decision in its System Security Plan, and pass assessment, saving the GCC High licensing and provisioning premium. The honest version of this answer is the one most vendors skip: if you do not handle export-controlled data, you may not need GCC High at all, and a partner who tells you so is worth more than one who defaults everyone to the most expensive tier.

Not sure which environment your CUI actually requires? Walk your CUI classification through the decision with an i3solutions principal before you commit to a tenant.

The Two Expensive Ways to Get the GCC High for CMMC Decision Wrong

Most contractors who regret their cloud decision did not misread the framework. They misread their own data, or they trusted a shortcut that an assessor does not accept. Three failure modes account for the bulk of the wasted spend and the failed assessments.

Over-scoping: the wasted-spend gap from buying GCC High you do not need

The first failure mode is paying the GCC High premium for CUI that never required it. A contractor hears that everyone in defense uses GCC High, buys the licenses, provisions the Azure Government tenant, and absorbs the higher per-user cost and the slower feature timeline, all to protect standard CUI that GCC would have held for less. The gap here is a missing CUI classification step: no one confirmed whether the data was actually export controlled before the tier was chosen.

Under-scoping: when the wrong tier fails the assessment and forces a re-migration

The second failure mode is the more dangerous one. Export-controlled technical data is left in GCC or Commercial because no one flagged it as ITAR, and the environment cannot meet the United-States-person requirement. The result surfaces at the worst time, during a C3PAO assessment or an audit, and the remedy is a forced tenant migration under deadline, which is far more expensive than choosing correctly the first time. This is why the lowest-risk approach is to scope the CUI before onboarding users, not after.

The encryption misconception: an ungoverned shortcut assessors reject

The third failure mode is believing that encrypting CUI in commercial Microsoft 365 makes it compliant. It does not. The DoD’s CMMC Program FAQ published in November 2025 is explicit that encrypted CUI is still CUI subject to all NIST SP 800-171 protections, and that the platform authorization status is what assessors evaluate, not the encryption layered on top of it. Treating encryption as a substitute for a FedRAMP-authorized environment is an ungoverned shortcut that fails on review.

Need senior, United-States-based delivery for the migration once the decision is made? Bring in consultants who can operate inside the personnel requirements of a CUI boundary.

How to Make a Defensible GCC High for CMMC Decision

A decision an assessor and your prime will accept is built in a specific order, and the order is what keeps the cost down. The goal is not to pick a tenant quickly. It is to scope the data so the tenant choice becomes obvious and the spend matches the actual CUI footprint.

Scope the CUI, then design the enclave

Start by classifying your CUI against the DoD CUI Registry categories, identifying which specifically force GCC High, such as ITAR and export-controlled technical data. Then design an enclave: rather than moving the entire organization into GCC High, segregate the users and workflows that actually touch export-controlled CUI into a dedicated, tightly controlled environment, and keep everything else where it costs less to run. The enclave approach is the cost-control lever most contractors miss, and it is common across the defense industrial base precisely because it aligns spend to the real footprint. Strong identity and access controls are the backbone of that boundary, which is why we treat Microsoft Identity and Access Management Solutions as the first design surface, mapped to the access-control family of NIST SP 800-171.

Document the justification, then choose the tenant

Whichever environment you select, the decision has to be written down in your System Security Plan, with the CUI classification and the cloud provider’s Customer Responsibility Matrix documented before your assessment begins. The Customer Responsibility Matrix matters because it tells you which NIST 800-171 controls the platform inherits for you and which remain your responsibility, and an assessor expects to see those inherited controls reflected accurately in your System Security Plan rather than assumed. i3 runs these programs through four phases, Discovery, Architecture, Build, and Optimize. Discovery scopes the CUI and the enclave boundary. Architecture designs the identity, access, and data-protection controls and the tenant decision. Build provisions and configures the environment and migrates only what belongs inside the boundary. Optimize hardens the controls, assembles the audit evidence, and transfers operational ownership. The sequence is what makes the decision defensible rather than merely fast.

How to Evaluate a Partner for Your GCC High for CMMC Decision

Once you know the decision matters, the risk shifts to the firm you choose to make it with. Evaluating a partner for a GCC High and CMMC engagement is less about Microsoft enthusiasm and more about evidence the firm understands the regulatory boundary the decision lives inside. Six questions separate a credible partner from a risky one.

The six questions a regulated buyer should ask

First, will the firm classify your CUI against the DoD CUI Registry before it recommends a tenant, or does it default everyone to GCC High? Second, can it show how it designs a CUI enclave to control scope and cost, rather than migrating the whole organization? Third, does it map the work to the CMMC and NIST 800-171 controls you are assessed against, and produce audit-ready evidence for your System Security Plan? Fourth, who performs the work, senior United-States-based consultants who can operate inside the personnel requirements of GCC High, or a rotating offshore bench that cannot? Fifth, will it tell you when GCC is enough and GCC High would be wasted spend? Sixth, does it transfer ownership of the environment and the evidence to your team, or engineer a permanent dependency? A partner that answers all six with specifics has earned the right to your CUI boundary.

How i3solutions Helps Defense Contractors Decide GCC High for CMMC

A tenant decision under CMMC is ultimately a decision about who you trust to scope it. i3solutions approaches GCC High and CMMC the way it approaches every regulated engagement: assessment-led, delivered by senior United-States-based consultants, and governed by Enterprise Delivery Assurance from the first CUI workshop to production handover. We do not staff these programs with rotating offshore benches; the people who scope the CUI boundary are the people accountable for the migration landing on-time, in-scope, and in-production, with the compliance evidence intact.

A logistics subcontractor handling only non-export CUI engaged i3 expecting a GCC High migration, and left with a documented justification to stay in GCC, tightened controls, and a clean assessment, saving the GCC High premium its prior advisor had assumed was mandatory. An aerospace supplier handling ITAR-controlled technical data engaged i3 to scope a CUI enclave and migrate only the affected users and workflows into GCC High, leaving the rest of the organization in a lower-cost environment, so the export-controlled boundary was tight and the spend matched the footprint. In both cases the work was the scoping discipline, not the license.

It is the same discipline behind 600+ Microsoft platform implementations delivered over nearly 30 years as a Microsoft Solutions Partner since 1997. Defense and aerospace organizations have relied on i3 for senior, United-States-based delivery on engagements where the cost of failure is measured in audits and operations. For a defense contractor facing the GCC High decision, that record is the point: the firm has scoped and migrated CUI boundaries long enough to know where these decisions go wrong, and how to keep yours from being one of them.

About i3solutions

i3solutions is a Microsoft Solutions Partner since 1997 that has delivered 600+ Microsoft platform implementations across nearly 30 years for regulated enterprises in aerospace and defense, financial services, and healthcare. Our Enterprise Delivery Assurance model exists to make one promise dependable: complex Microsoft work lands on-time, in-scope, and in-production, with the compliance evidence intact. Defense and aerospace organizations have relied on i3 for senior, United-States-based delivery on engagements where the cost of failure is measured in audits and operations, not license fees. For buyers facing a GCC High and CMMC decision, that is the borrowed expertise we bring: the judgment to scope the boundary correctly and get the irreversible choices right the first time.

Frequently Asked Questions

GCC High carries a real per-user premium over GCC, plus a separate setup cost for the dedicated Azure Government tenant, and the most expensive mistake is choosing the wrong tier and re-migrating, not the per-seat difference. Microsoft does not publish standardized public list pricing for its government clouds the way it does for Commercial, and the figures move, so confirm the current per-user cost for your E5 Commercial, G5 GCC, and G5 GCC High plans directly with Microsoft or your licensing partner before you budget. The premium is worth it when your CUI is export controlled, because no cheaper Microsoft environment can satisfy the requirement; it is wasted spend when your CUI is standard and GCC would pass.

No. CMMC is a controls-and-assessment framework and does not name any cloud environment. What drives the cloud decision is DFARS 252.204-7012, which requires a FedRAMP Moderate baseline for any cloud that stores, processes, or transmits CUI. GCC High is one common way to meet that requirement within the Microsoft ecosystem, and the required one when your CUI is export controlled, but it is not a CMMC mandate by name.

GCC is often enough for CMMC Level 2 when your CUI is standard and not export controlled, because GCC holds a FedRAMP Moderate authorization and Microsoft has included contractual DFARS 252.204-7012 support in GCC since 2021. You need GCC High when you handle ITAR or EAR export-controlled technical data, or when a contract requires United-States-person-only support, because GCC High is the only Microsoft 365 environment with a contractual ITAR commitment and screened United-States-person operations. Proper configuration and documented justification are required either way.

No. The DoD’s CMMC Program FAQ published in November 2025 states that encrypted CUI is still CUI subject to all NIST SP 800-171 protections, and that assessors evaluate the platform authorization status, not the encryption layered on top. Commercial Microsoft 365 does not carry Microsoft’s DFARS 252.204-7012 contractual commitments and is not authorized to hold CUI on that basis, so encrypting CUI inside it does not satisfy DFARS 252.204-7012. For CUI under CMMC Level 2, you need a FedRAMP-authorized environment such as GCC or GCC High, configured and documented correctly.

The 48 CFR rule took effect on November 10, 2025, starting a four-phase rollout. In Phase 1, which is underway now, contracting officers add Level 1 and Level 2 self-assessment requirements to new contracts and may require a third-party Level 2 assessment on select awards at their discretion. Phase 2 begins on November 10, 2026, when third-party Level 2 certification becomes the requirement for most contracts that involve CUI. Because a Level 2 program commonly takes nine to twelve months to implement and assess, and certification is valid for three years and must be maintained for the life of the contract, the practical deadline is well ahead of any single solicitation. Scoping your CUI and choosing the right environment now is what keeps you eligible when the requirement appears.

Michael Branson, Founder/COO, i3solutions

About the Author

Michael Branson co-founded i3solutions 30 years ago and brings executive, operational, and technical perspective to organizations working in complex, secure, and mission-critical environments. His insights focus on business process consulting, automation, data analytics, collaboration, secure operating models, and the operational discipline required to turn technology investments into practical business systems with measurable value.
