Microsoft 365 GCC High
Also known as: GCC High, M365 GCC High
Microsoft 365 Government Community Cloud High (GCC High) is the Microsoft cloud offering authorized to handle CUI and ITAR data for DoD contractors. GCC High is generally required at CMMC Level 2 when CUI is present; it is not required at Level 1, where standard Microsoft 365 Commercial is sufficient for FCI.
Related terms
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.
- FedRAMP
FedRAMP is the federal government program that standardizes the security assessment, authorization, and continuous monitoring of cloud service offerings used by federal agencies. Cloud services used by DoD contractors to process or store CUI must be FedRAMP Moderate Equivalent or higher under DFARS 252.204-7012(b)(2)(ii)(D).
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.