What is GCC High?
The Defense Industrial Base (DIB) consists of highly regulated organizations that require special environments to host their security systems and tools. That’s why Microsoft created the Government Community Cloud (GCC) High. It’s a cloud-based environment designed specifically to meet the stringent cybersecurity needs of the Department of Defense (DoD) and federal contractors.
GCC vs. GCC High
GCC High shouldn’t be confused with the original Government Community Cloud environment. GCC isn’t suitable for handling controlled unclassified information (CUI) or controlled defense information, while GCC High helps DIB organizations meet DoD-specific compliance requirements such as:
- NIST 800-171
- ITAR, and more
GCC High Supports Compliance and Ease of Use for Defense Organizations
Regulations like Cybersecurity Maturity Model Certification (CMMC) mean DIB organizations require highly specialized tools and environments to host sensitive data. On a day-to-day basis, many companies would prefer to use software that’s already approved, implemented, and familiar to employees.
As a compromise, GCC High includes subscriptions to essential Microsoft tools and pairs them with additional security that empowers organizations to meet strict industry requirements. These subscriptions include:
- Exchange Online
- OneDrive
- Skype for Business
- Microsoft Teams
Preparing for the DFARS Interim Rule
As CMMC becomes a requirement for organizations that want to work with the DoD in 2021, companies are urgently trying to streamline compliance efforts.
To add to the stress, the DFARS Interim Rule requires that DoD government contractors possess at least a basic NIST SP 800-171 DoD assessment that is no more than three years old. This assessment can be done online through the Defense Contract Management Agency and is required by November 30, 2020.
CMMC compliance requires every DoD contractor to have an appropriate cybersecurity maturity level by creating strict, standardized cybersecurity measures. This compliance helps protect sensitive government data, regardless of company size or industry experience.
“CMMC will ensure a more level and fair playing field for companies bidding on DoD contracts.”
“Today, some small businesses bidding on work might self-attest that they meet requirements to handle certain kinds of information, but in fact only are planning to meet those requirements, while another business might actually be meeting the requirements.”
Levels of Maturity for Cyber Controls
CMMC serves as a verification tool to establish appropriate levels of maturity for cyber controls. The Office of the Under Secretary of Defense for Acquisition & Sustainment elaborates that:
“The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.”
With levels ranging from 1 to 5, the requirements to achieve CMMC compliance increase as each level progresses. For example:
- Level 1: Examines basic cyber hygiene and everyday controls requiring compliance with FAR 52 controls.
- Level 5: Requires advanced, state-of-the-art cyber controls. This level includes compliance with all NIST SP 800-171 controls and many enhancements from 800-171b.
For example, according to NIST 800-171 3.5.1 and 3.5.2, organizations must identify all system users, processes acting on behalf of users, and devices. To help meet this requirement, Microsoft’s GCC High has stringent background check capabilities for employees that align with the Office of Personnel Management (OPM) level 3 background check.
Because GCC High is also reserved for organizations in the DIB sector, DoD contractors, and federal agencies, organizations must also be validated by Microsoft to use it. Being CMMC compliant and having a reliable cloud environment to accommodate sensitive data is critical for organizations to earn high-value DoD contracts.
The Role of Cyber Risk Advisory in Navigating CMMC Compliance
As a Microsoft Gold Competency Partner and FastTrack Ready Partner, Conquest Cyber has the expertise and software to support the unique cybersecurity needs of the defense industrial base. This partnership includes access to award-winning cybersecurity professionals who have an extensive background in the industry and a wide variety of certifications, including:
- Certified Information Systems Security Officer (CISSO)
- Certified Information Security Manager (CISM)
- Certificate of Cloud Security Knowledge (CCSK), and more.
GCC High & ARMED™
Alongside their team’s 24/7 support, Conquest’s proprietary software, ARMED™, automates cybersecurity procedures, eliminates slow manual processes, and gives valuable time back to security personnel to focus more on business growth initiatives.
Thanks to its unique, patent-pending technology that enhances Microsoft Defender and Azure Sentinel, ARMED™ allows Conquest Cyber’s security professionals to remediate gaps in an organization’s cybersecurity system and meet compliance requirements.
ARMED™ can help DIB organizations achieve 80% of advanced cybersecurity levels of CMMC compliance in just over 90 days. By combining comprehensive cybersecurity features from Microsoft’s GCC High with the ARMED™ software suite, defense contractors can modernize their critical infrastructure and prepare for a higher level of CMMC.
Conquest’s proprietary cyber risk management software, ARMED ATK, allows organizations in highly regulated industries to effectively manage and monitor cybersecurity efforts in accordance with industry compliance requirements.
This enables security professionals to make data-backed decisions based on real-time visibility of security controls, events, and levels of service.
ARMED ATK enables radical operational transparency, providing mission-critical data that is centrally available and easily consumable for key stakeholders and technical teams alike.