Government contractors and the federal customers they support are moving in mass to cloud solutions for meeting their growing security and compliance risks. By and large, these organizations are choosing one of the most secure and robust platforms available - Microsoft 365 Government Community Cloud High (GCC High).
Microsoft has three other environments for Microsoft 365. Here’s a quick explanation of each:
Microsoft 365 Commercial
This environment is built to FedRAMP Moderate standards and can be configured to meet NIST 800-171. However, this offering will not currently meet paragraphs e) and f) of DFARS 7012. It leverages the Azure Commercial stack and is generally available through all licensing outlets from retail to Enterprise Agreement.
Microsoft 365 GCC
This environment is largely equivalent to the Microsoft 365 Commercial environment, except that its data is segregated from commercial organizations. It can be configured, with appropriate licensing, to be 100% NIST 800-171 compliant. It leverages the Azure Commercial stack and is available from Cloud Solution Providers and through an Enterprise Agreement.
This guide to GCC vs GCC High was created to help make business risk decisions regarding the two platforms
Microsoft 365 DoD
The DoD environment is built on Azure Government, within dedicated government data centers. The DoD environment is accessible for DoD organizations and cannot be purchased by private organizations.
GCC High Service Descriptions
Enterprise Mobility + Security for US Government
Microsoft’s Enterprise Mobility + Security, or EMS, offerings for US GCC High and DOD customers are built on the Microsoft Azure Government cloud and are designed to inter-operate with the Microsoft 365 GCC High and DOD environments. The EMS E5 suite is available for both GCC High and DoD customers, however Microsoft Cloud App Security and Azure Advanced Threat Protection are available only to GCC High customers. Azure Active Directory P1/P2, Microsoft Intune, Azure Information Protection P1/P2, Microsoft Cloud App Security, and Microsoft Defender for Identity are certified FedRAMP-High. (The security product previously known as Azure Advanced Threat Protection is now known as Microsoft Defender for Identity. Read more about the name change here.)
Organizations that use EMS for US Government GCC High and DOD offerings benefit from the following features:
Your organization’s customer content is physically segregated from customer content in Microsoft’s commercial services.
Your organization’s customer content is stored within the United States.
Access to your organization’s customer content is restricted to screened Microsoft personnel.
Compliance with certifications and accreditations that are required for US Public Sector customers, including DoD Security - Requirements Guidelines, DFARS, and International Traffic in Arms Regulations (ITAR)