← Custodia

Does CMMC Require GCC High?

Short answer: not for Level 1. GCC High is a government cloud built for CUI and ITAR. CMMC Level 1 covers Federal Contract Information only, and commercial Microsoft 365 or Google Workspace, configured correctly, is enough. Here is the line, and when it changes.

The answer in 45 words

No, CMMC Level 1 does not require GCC High. Level 1 covers FCI, which needs no government cloud. Correctly configured commercial Microsoft 365 or Google Workspace is enough. GCC High is for CUI, ITAR, and Level 2, not basic FCI safeguarding.

FCI vs CUI decides it, not the tier your vendor sells

The whole GCC High question turns on one thing: the data you handle. CMMC Level 1 is the basic safeguarding of Federal Contract Information, the non-public information the government gives you or you generate under a contract, and it is not marked. Level 2 is for Controlled Unclassified Information, which is marked or categorized and carries data-handling obligations, sometimes including US data residency and screened US-person access. GCC High exists to satisfy those heavier CUI and ITAR obligations. If you never touch CUI, you never trip the requirement that makes GCC High relevant.

Your situationLevelGCC High needed?
You handle FCI onlyLevel 1No, commercial cloud is fine
You handle CUI (marked)Level 2Maybe, depends on the data and contract
You handle ITAR technical dataLevel 2Usually yes (US residency)

Does CMMC require GCC High: FAQ

Does CMMC require GCC High?

Not for Level 1. CMMC Level 1 covers Federal Contract Information (FCI), which does not require a government community cloud. A correctly configured commercial Microsoft 365 or Google Workspace tenant meets the Level 1 technical requirements. GCC High becomes relevant only when you handle Controlled Unclassified Information (CUI) or ITAR-controlled data, which is Level 2 territory, and even then GCC High is one option, not a universal mandate.

Why do people think CMMC needs GCC High?

Because most CMMC marketing is aimed at the CUI and Level 2 buyer, where data residency and US-person access controls make GCC High a common choice. That messaging bleeds down to Level 1 contractors who do not handle CUI at all. If you only handle FCI, you are buying protection you do not need. The question that decides it is what data you handle, not what tier your vendor sells.

When do I actually need GCC High?

When you store, process, or transmit CUI or ITAR-controlled technical data and your contract or the data type requires US data residency and screened US-person administrative access. That is a Level 2 conversation. For a Level 1 contractor handling only FCI, commercial Microsoft 365 or Google Workspace is sufficient.

How do I know if I am Level 1 (FCI) or Level 2 (CUI)?

FCI is non-public information provided by or generated for the government under a contract that is not intended for public release, and it is not marked. CUI is specifically marked or categorized controlled information. Most small contractors handle FCI only. The fastest way to confirm your scope is the 60-second CMMC check, which maps your data and points you to the right level.

Confirm your level, then clear it

Most small contractors are Level 1 and do not need GCC High. Take the 60-second check to be sure, then get to a posted affirmation with Custodia, free for 7 days, no card.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)