Get Support
Free Discovery Session

Changes to Microsoft GCC High for DoD Contractors

Protecting sensitive data like Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) has become a top priority for the U.S. Department of Defense (DoD) and its associated contractors.

As technology evolves, security measures concerning sensitive data are constantly adjusting to keep up. New cloud-based solutions require contractors to consider the risk of data ending up in the wrong hands. This includes inadvertent exposure to the public and sophisticated attacks by foreign adversaries.

To protect the confidentiality of DoD and DoD contractors’ sensitive data, companies like Microsoft responded with highly compliant solutions like the Azure Government Community Cloud High (GCC High) cloud platform. Unlike the standard GCC environment that operates in the Azure Commercial cloud with global directory services and global support personnel, GCC High is in the physically segregated Azure Government cloud environment that only operates in the Continental United States (CONUS) with U.S.-based, screened personnel. This is a must to be compliant for current and future DoD contracts that are subject to requirements for Export Control (i.e. ITAR / EAR), CONUS, data sovereignty, U.S. Citizenship, or NOFORN (no foreign nationals). Including contracts with certain CUI data categories (i.e. “CUI Specified”) that are also subject to these requirements.

Qualifying to use GCC High was previously a difficult and time-consuming process that Microsoft has greatly simplified. In this post, we'll explain the recent changes to GCC High, walk through the new GCC High qualification process, and help jumpstart your migration plan.

Who Qualifies for GCC High?

In the past, only U.S. Government entities (Category 1) and contractors processing certain data (Category 3) could purchase GCC High. Excluded were Solutions Providers (Category 2) and all other contractors. The GCC High qualification process was lengthy, in-depth, and required burdensome documentation. Contractors had to provide a signed contract or signed DD Form 254 that specified one of the few eligible controlled data types; or a signed sponsorship letter. This long, difficult process left many contractors anticipating CUI requirements in upcoming contracts, with no way to get qualified for GCC High in time.

Microsoft loosened GCC High restrictions in response to the DFARS Interim Rule, current NIST SP 800-171 requirements, and future CMMC requirements. This makes the platform inclusive of more DoD contractors and greatly speeds up the qualification process.

As of January 2021, all three categories of eligible customers may purchase GCC High through a new, streamlined qualification process that no longer requires validation of contracts or sponsorships.

How Has the GCC High Qualification Process Changed?

In the past...

Contractors had to jump through several hoops, wait out extended delays, and navigate a confusing process to get qualified for GCC High by Microsoft.

First, each contractor had to prove they had a contract that specified the narrow categories of controlled data types accepted by Microsoft. Then, they had to find a sponsor organization to spend hours communicating and coordinating with Microsoft throughout each step in the process. Finally, contractors and their sponsors had to compile and send extensive documentation to Microsoft for approval.


Any DoD contractors with a CAGE Code or DUNS Number via the GSA System for Awards Management (SAM) can migrate to GCC High and leverage its enhanced cybersecurity posture and compliance measures related to NIST SP 800-171, FedRAMP High, ITAR / EAR / Export Control, and more. Contractors now get to skip what was along, tedious qualification process in favor of an automated, online service. Here are the simple steps:

  1. Determine your eligibility status - Verify your CAGE Code and/or DUNS Number on the DLA search page.

  2. Fill out Microsoft’s online validation form - Complete the form carefully, selecting for ‘My organization is’: “Customers handling government-controlled data”. Note that a trial subscription may be available. If not, the general form link can be used.

  3. Provide the requested documentation - Check your email for a documentation request from the Microsoft US Government Cloud Eligibility Team and send just one of the following documents:

    a. [New Option] Valid CAGE Codes or full SAM registration (with DUNS Number).
    Note: Your SAM registration must be for “All Awards.” Microsoft will deny your request if SAM registration is only for “Federal Assistance Awards.”

    b. [Other Option] Evidence of a GSA Schedule contract with the Government (direct or indirect), provided as either documentation or the contract number.

    c. [Other Option] A signed contract, signed purchase order, or signed invoice (ink or certified electronic) from a valid U.S. Government entity or eligible partner doing business with a valid U.S. Government entity. This must indicate the regulated data required as part of contract delivery (direct or indirect), with the data owner entity name visible.

    d. [Other Option] A sponsorship letter from a valid U.S. Government entity, another previously approved government contractor, or a solution provider directly doing business with a valid U.S. Government entity. This must include their signature (ink or certified electronic) and letterhead. It must also support an established business relationship with your business.

  4. Get approval from Microsoft - After sending the requested documents to the Microsoft US Government Cloud Eligibility Team, approval is expected to take 3-7 business days. Keep a close eye on your email to ensure prompt resolution of any problems with your submission.

  5. Start your migration - With your approval in hand, start mapping out your migration to the GCC High cloud platform. Partner with a Managed Security Service Provider (MSSP) like Peerless that has the cybersecurity, DoD contractor compliance, and GCC High cloud migration expertise to streamline the migration process and get your operations running smoothly and securely, with maximum flexibility and minimal downtime.

The GCC High cloud environment represents a strong commitment by Microsoft to enhance cybersecurity and compliance for the DoD and the Defense Industrial Base (DIB) of DoD contractors. Migrating to GCC High provides a secured environment, restricted to DoD / U.S. Government agencies and their contractors, that is the foundation for being able to sufficiently protect sensitive CUI and comply with DFARS 252.204-7012, the DFARS Interim Rule, NIST SP 800-171, and future CMMC requirements.

The numerous Microsoft cybersecurity tools and capabilities available for the GCC High platform and customized for DoD / Government – many of which integrate with Microsoft Office 365, Office Online, Exchange Online, SharePoint, OneDrive, and Teams – can significantly reduce the complexity and costs of implementing your long-term cybersecurity and compliance strategy.

Peerless is a Microsoft partner with the expertise to help your business migrate to GCC High quickly, securely, cost-effectively, and easily. We'll walk you through every step in the migration process, offering clear guidance and success strategies along the way.

Book a Discovery Session to start your GCC High migration.

New call-to-action

Don't Miss an Article!

You May Also Like

These Stories on Compliance

Subscribe by Email

Get The Latest From Peerless Right in Your Inbox