CMMC is a strict certification, but there’s also a lot of variation within its security controls and the demands it makes of agencies looking to achieve that certification. The standards are high, especially at the higher levels of CMMC, but there are also many tools and platforms available to meet those needs appropriately, without reinventing the wheel from base principles.
Businesses need the tools necessary to function in a modern digital world. That often starts with an office suite, and the most common choices are the offerings from Google and Microsoft.
Microsoft’s 365 is immensely popular with modern businesses, but is it suitable for CMMC? Let’s dig into it and see.
BLUF - Bottom Line Up Front
CMMC certification requires strict security standards. Businesses often choose Google or Microsoft's 365 suite for digital needs. Microsoft 365 GCC High offers enhanced security for managing Controlled Unclassified Information, suitable for meeting CMMC, DFARS, and ITAR standards. It uses US-only data centers but may not be necessary for all cases. Alternatives include Google Workspace or enhancing Commercial tiers with third-party tools. On-premises solutions provide control but lack features of cloud-based services.
What is Microsoft 365 GCC High?
Let’s break this one down.
Microsoft is, as we all know, a global technology company and provider of a vast array of software and services, from operating systems to office suites to cloud services via Azure to the Copilot AI.
Microsoft 365 is their current name for what was formerly known as Office 365, their productivity suite. It includes many useful apps for business environments, including Outlook, Word, Excel, SharePoint, Teams, OneDrive, and Copilot.
Microsoft offers all of these apps as stand-alone software, but the 365 branding is specifically their cloud versions, hosted on Microsoft servers and paid for via a subscription fee. While there are many pros and cons between cloud-based subscriptions and on-prem installations, that’s a subject for another time.
GCC is the Government Community Cloud. It is part of Microsoft’s array of government-focused offerings, which are segmented from the standard non-governmental datacenter hosts for 365 cloud apps, and have additional government-focused features like enhanced security, auditing, logging, and segmentation.
High is a particular version of Microsoft GCC, the version aimed at high-standard clients, but not quite to the level of DoD clientele. You can see different comparison charts directly from Microsoft:
Overall, Microsoft 365 GCC High is the suite of productivity tools with added layers of security and accountability features, segmented away from the global Microsoft buckets and hosted in secure facilities in the United States. It’s aimed at helping organizations work with and maintain security on Controlled Unclassified Information.
Do You Need Microsoft 365 GCC High to Meet CMMC Requirements?
No. However, there’s a lot of room for edge cases in this scenario, so let’s explore it a bit more than a one-word answer.
Reviewing the Microsoft 365 Tiers
With so many different options, it’s tricky to even discuss all of what Microsoft has to offer without some level of confusion. It doesn’t help that they often bury the differences in referential PDFs and knowledge base articles rather than in clear bullet points.
Microsoft 365 Commercial is built to achieve standards suitable for FedRAMP. This is underpinned by meeting the security controls laid out in NIST SP 800-171. It’s suitable for any level of FedRAMP, and CMMC level 1, but not DFARS 7012, CMMC Level 2, or any higher-tier standard. At least, not without additional restrictions and security.
Microsoft 365 GCC standard is effectively identical to Commercial, except that they keep their systems and data storage in a secure commercial cloud environment. It is not out-of-the-box ready for higher security standards, but can be configured to meet DFARS 7012 and CMMC level 2 requirements. It does not, however, reach export control levels.
Microsoft 365 GCC High is the step above GCC standard, and is based on the Azure Government Cloud, using data centers exclusively on US soil. It helps you meet higher-level requirements like ITAR both by hosting data within the borders of the country and by ensuring that the employees who work on it are US citizens who have passed background checks.
Microsoft 365 DoD is even a step higher and is aimed specifically at the Department of Defense and its internal organizations, and certain authorized prime subcontractors. It’s not something a business can go buy and use; you have to be preapproved and have governmental authorization to use it.
What is GCC High Aimed At?
Microsoft created GCC High as their almost-highest governmental system. There are at least two tiers above GCC High: the aforementioned DoD system, and the Classified Cloud, which is aimed at standards much higher than those required by frameworks like CMMC.
There are also likely even higher-security versions of Microsoft programs that are in use deeper in the military, though they aren’t publicly documented.
CMMC is a high-standard and expensive certification framework, but at the end of the day, it’s still aimed squarely at civilian businesses looking to become contractors working with the federal government. The bar is high for those kinds of businesses, but on the scale of governmental and national security, it’s still fairly low.
In fact, other relevant frameworks and requirement systems, such as DFARS 7012 or ITAR, can have even higher standards while still being applicable to some small subsection of government contractors in the private sector.
When you actually examine what the requirements are for these frameworks and look at the security and features in different tiers of Microsoft products, you usually find that you might not need as much as you think you do.
Basic level 1 CMMC can be satisfied with the standard commercial Microsoft 365, as long as you properly use its security features. 365 Commercial cannot, however, satisfy the requirements in DFARS or ITAR.
The basic Microsoft GCC, meanwhile, has more stringent security and administration on the back end, and that allows it to satisfy the requirements in most DFARS 7012 clauses.
The step above that, Microsoft GCC High, satisfies ITAR requirements in addition to DFARS and CMMC.
Note that we said “Basic Level 1 CMMC” above. That’s because CMMC Levels 2 and 3 are much more stringent in their requirements.
This is where things can get a little tricky.
Technically speaking, properly configured Microsoft 365 Commercial can satisfy even the CMMC Level 3 requirements.
However, because GCC High includes more advanced security tools and more back-end security, Microsoft itself recommends that anyone seeking Level 2 or Level 3 certification while using Microsoft 365 use the GCC High platform.
Why do they recommend this? In part, because it offers more security and easier access to, and use of, the tools necessary to keep CUI, FCI, and other controlled information secured. In part, though, it may simply be a way to encourage government contractors to pay more for their services.
Why Might Using 365 Commercial Not Work for You?
If Microsoft 365 Commercial is good enough to meet CMMC requirements, why might you still consider using Microsoft 365 GCC High?
There are a few concerns that, for most businesses, aren’t going to be relevant. But if they’re important to you, then investing in GCC High right now instead of upgrading later might be a good idea.
- Interoperability. In particular, if you’re hoping to achieve a higher security standard and work with the DoD later on down the line, you will need to be able to collaborate with the DoD and other DoD contractors. Microsoft 365 Commercial isn’t interoperable with Microsoft 365 for DoD or GCC High.
- Alternative Platforms. While CMMC is a high bar, as we mentioned, it’s still far from the highest standard out there. Doing the bare minimum will present a roadblock (and a lot of additional work in the future) if you want to take a step or two up the ladder and achieve even higher levels of security.
- US-Native Hosting. Some security frameworks require that the systems you use, even if they’re secure cloud systems, be hosted on US soil. Microsoft GCC High and the plans above it (DoD and Classified) are the only options available to you if you have that requirement. Commercial and even standard GCC can make use of datacenters around the world.
It is very important that you know what you need and how to satisfy those requirements. Microsoft doesn’t make it easy, with dozens of different, similarly named versions of the same platforms and the same apps, so talking to an expert may be your best avenue.
Microsoft 365 GCC High Versus On-Premises Microsoft Apps
Another option available to you as a business is to skip the cloud-based services altogether.
After all, you don’t need to worry about where the app is hosted if you just have it installed on your local computers and don’t have it touch a data center at all, right?
There are distinct pros and definite cons to running an on-prem solution for your office and collaboration apps, including the Microsoft suite.
The Benefits of On-Prem Microsoft Office
There are a lot of potential benefits to using your own on-premises solution.
You don’t have to worry about data center hosting or staffing. There’s no need to concern yourself with who staffs a data center or where it’s located if you aren’t using a data center at all.
You aren’t paying the same sort of subscription fee. Microsoft 365 GCC High can cost thousands of dollars per month. On-prem solutions, for the cost of the apps themselves, can knock a zero off that pricing.
You have more total control over what you have, what it can access, and where it can be used. The level of control you get with something you have hardware-level access to shouldn’t be underestimated. Data centers certainly have their advantages, but being able to fully control everything in your systems is also beneficial, and it helps a lot in limiting scope.
The Drawbacks of On-Prem Microsoft Office
There are serious drawbacks to using an on-prem solution that make it less attractive for a lot of businesses.
The setup and maintenance burden is high. One of the main advantages of a data center and a cloud app is that tasks like hardware maintenance, software updates, and uptime guarantees are all handled. When you have to spin it all up yourself, it’s a very different level of costs, even if you’re only setting up a few servers. Just the expense of paying for a couple of experts to maintain your systems can invalidate any cost savings.
Some features can’t be easily replicated on-prem. For example, if you want to collaborate within your team using a messenger system like Teams, you can’t do so with on-prem installations.
It can dramatically increase your scope. Scoping is critical, and adding a whole self-hosted miniature data center is a whole new level of scoping you need to manage and secure, with all the burden that entails.
Alternatives to Microsoft 365 GCC High
While you can use Microsoft’s systems for CMMC compliance, there are also alternatives, each with its own pros and cons, that you can evaluate.
Google is the nearest direct competitor, and their Workspace for Public Sector is a close equivalent that can maintain CMMC and FedRAMP High security levels.
Often, you can also add more security to any of these systems with third-party tools. Virtru and PreVeil are both commonly cited as options.
Balancing the complexity of your own software with the cost of using someone else’s is a perennial problem with business in a complex and security-focused environment. There won’t be one perfect solution; you just have to find what best suits your needs.
At Ignyte, we can help. We don’t have an office suite or set of tools to replicate what Microsoft does for you, but we do offer a customized, tailored experience for maintaining documentation and collaborating on your security. The Ignyte Platform was designed from the ground up as a secure, centralized, collaborative tool that allows your teams to compile artifacts and proof, monitor compliance efforts, and focus your work where it’s most needed.
Whether you’re looking to use Microsoft 365 GCC High, hammer a Microsoft Commercial installation into shape using third-party tools, or use a different set of platforms altogether, the key is making sure it’s all secure across the board. Ignyte can help you keep track of your position and security posture, so book your demo today to see how it can help you.

Dan Page is a seasoned Cybersecurity and Risk Management Executive known for advancing security programs aligned with complex regulatory frameworks and critical business objectives. With over 12 years in information security, his expertise began in the U.S. Army Signal Corps, where he led global communications and secured classified networks supporting Special Operations missions. Post-military, he specializes in security architecture for CUI, ITAR data, and federal cloud workloads. Currently, as Senior Cybersecurity Manager at Ignyte Assurance Platform, Dan guides organizations through compliance with CMMC, FedRAMP, ISO 27001, PCI, and NIST standards. A CISSP, CRISC, CISM, PMP, and ITIL-certified professional, he is also a cybersecurity lecturer and community volunteer advocating workforce development.