MS 365 & Security Compliance – What You Need To Know

Microsoft’s 365 suite is one of the biggest and most successful software options for professionals and personal users alike. The suite gives the user access to a wide range of software, including Word, Powerpoint, Excel, Access, Outlook, and more.

The latest addition, MS 365, offers enhanced features, an affordable subscription plan, and much more. More than 730,000 businesses in the United States take advantage of the standard office suite.

When talking about Office, people generally think of Microsoft Word being used to set up a project for school or perhaps an Excel spreadsheet that is used to compile financial sheets for a business. While these are standard usage cases, there are more advanced options from the company, offering superior security and features that ensure confidential data remains private.

The MS 365 Commercial Solution

Apart from the standard offerings that form part of the Office Suite, Microsoft has a number of solutions that are targeting a more precise audience. There are three commercial solutions available from the company, each with specific purposes and tailored to a very narrow audience.

Currently, the most popular among these would be the Microsoft 365 Commercial Suite. This is a standard cloud-based solution that can be used by small businesses, as well as larger enterprises. Academic users often also rely on the software and services that form part of the Microsoft 365 Commercial spectrum.

There are several cases where these solutions are an ideal fit for a business that requires a secure cloud computing system. For example, the cloud platform provided by Microsoft 365 Commercial is known to fall within the compliance frameworks for the following:

There are several solutions that can be implemented as part of this particular commercial system. For example, Microsoft 365 Commercial can comprise of the following solutions and software:

  • Azure Information Protection
  • Cloud App Security
  • Enterprise Mobility and Security
  • Compliance Center
  • Intune
  • Advanced Threat Protection Tools

Microsoft GCC And GCC High

When it comes to CMMC MS 365 compliance’s, most authorities will turn to the GCC and GCC High offerings. An important factor to understand is that certain sectors, especially those in governmental departments, have stricter regulations and compliance’s to adhere to. This also accounts for situations where a cloud system is developed and implemented for the department. In such a scenario, the standard options provided by Microsoft 365 Commercial no longer provide adequate compliance with the requirements of these frameworks.

This is where Microsoft Office 365 GCC and GCC High come in. These are the most advanced offerings from the Microsoft brand and are specifically targeted at governmental departments that require advanced compliance and security in their cloud computing system.

The suite is also known as Microsoft Government Community Cloud. As suggested, this is a cloud-based system. There are some shared features when compared to the suite of solutions available with Microsoft 365 Commercial. One of the biggest differences, however, is that data centers are only located within the United States. To be more precise, within the Continental United States, also referred to as the CONUS. The FedRAMP Moderate mandates this particular rule when local government authorities establish cloud computing systems to be utilized internally.

The Microsoft GCC provides cooperation for specific compliance frameworks. These include:

  • DFARS 252.204-7012
  • DoD SRG Level 2
  • FedRAMP Moderate

It should be noted that Microsoft does not provide attesting to the compliance of DFARS 252.204-7012 when flow downs are used in the process. Furthermore, it should be noted that no provisional authority is provided when it comes to DoD SRG Level 2 compliance frameworks. This is something to be noted if the specific department is affected by the compliance framework. The cloud system is fully accredited by the FedRAMP Moderate.

There are several strict regulations often put into place when it comes to the Microsoft GCC system. Employee background checks, for example, have become very common recently. This ensures local, state, and federal government requirements can be met and problems do not arise later on once the employee has been taken on by the department.

Some of the GCC employee background checks currently in place include:

  • U.S. Citizenship verification
  • Social Security Number verification
  • Education and employment history verification
  • Criminal history lookup
  • Fingerprint checks
  • CJIS Background screenings

What Is Different About GCC High And DoD?

When it comes to the use of the GCC system from Microsoft, three options are generally presented. This includes the original Microsoft Government Community Cloud, or Microsoft GCC. In some cases, Microsoft DoD or GCC High are used instead. A thorough understanding of these alternatives is important, as it allows departments to choose the appropriate option to ensure compliance and that all cloud-based solutions used internally meet the appropriate regulations.

Microsoft DoD is also called the Microsoft 365 Department of Defense platform. As the name suggests, this platform was developed specifically to be used by the department of defense within the country. Note that this is not something that anyone can simply apply for – as the regulations are extremely strict and there is no way to access it if the individual in question is not part of the Department of Defense. This is the only option from the Microsoft Cloud system to meet Level 5 and Level 6 of the DoD SRG compliance frameworks. This would, thus, also comply with regulations such as CMMC.

The Office 365 GCC High is basically a more commonly used version of DoD. In fact, many would refer to GCC High as a copy of the Microsoft 365 DoD system – but with slightly more widespread use, since requirements for qualifying are lower.

The Microsoft GCC High platform was built to provide the same level of security as the Department of Defense gain access to – but for companies who find themselves in a different department. This particular system meets several compliance frameworks, including:

  • NIST 800-171
  • FedRAMP High
  • ITAR

Additionally, the GCC High system can be used in the management of CUI and CDI.

One thing that can be noted in the GCC High solution is a lack of certain features – particularly when compared to the standard Microsoft GCC cloud-based platform. The Compliance Manager is not available on this platform and there are no calling plains either. Furthermore, some apps are removed from the Cloud App Security system, as well as from Intune and Microsoft Defender ATP.

Recently, some progress has been made in regards to calling – but this does not work the same way as the original calling plans that could be loaded on Microsoft GCC platforms. Instead, a conferencing system is used in the process – allowing for both video and audio conference calls to be made.

There are several reasons why there is a lack of certain features when looking at the Microsoft GCC High platform. Some of these reasons include:

  • There is a very strict process involved in allowing features to be made part of the GCC High platform. Since this is essentially a copy of the DoD cloud system, the same regulations apply. Federal authorities need to approve any feature. Thus, certain features are removed to allow for approval to be made.
  • There are also very strict requirements set in place for individuals to become part of the development process when developing certain features on the GCC High platform. In particular, these individuals should have passed the Department of Defense IT-2. This test is based on the current Office of Personnel Management Investigation. Finding the right candidates can be exceptionally difficult for the department integrating the GCC High platform.

Similar to the standard Microsoft GCC platform, the GCC High system also demands specific background checks be done on employees. The system will also initiate checks to verify U.S. Citizenship, education, and employment history. The employee’s social security number is verified and a full criminal history check is conducted. Several additional tests are also conducted to verify the authority and trustworthiness of the employee. The employee is only provided access to the system when all of these tests were passed successfully.

How Can Companies Gain Access To GCC And GCC High?

Not every company will qualify for the use of the GCC or GCC High cloud platform. There is a wide range of criteria that should be met. Companies should always first consider whether the standard Microsoft 365 Commercial platform could be the solution for them. If the company or department establishes that GCC or GCC High would be the more suitable option, they need to contact a licensed partner. These partners will be able to assess the company’s structure, their department in the government, and internal operations. Appropriate recommendations can be made. The licensed partner can help the business determine if another solution may be more suitable to their needs. Should GCC or GCC High cloud platforms be the right choice, the licensed partner will be able to help the company or government department get a license reached out for them.


Multiple commercial solutions are available from the Microsoft brand. While standard Office 365 commercial is still a great solution for the average business owner, more secure options are presented to defense and governmental agencies. Turning to the GCC range of tools from Microsoft offers enhanced compliance with several frameworks and can provide these departments better protection for internal data.

Have Questions Regarding MS 365 and Security Compliance? Reach Out Today to Speak with One of Our Cyber Security Experts.

author avatar
Ali Allage CEO
A visionary leader in cybersecurity, with expertise that encompasses a deep understanding of the latest cybersecurity trends, technologies, and best practices, making a significant impact on enhancing organizational security postures in the digital age.