Microsoft 365 Government Community Cloud (GCC) environments provide a set of managed online services that comply with data residency requirements for US government and Department of Defense (DoD) contractors and other entities that deal with regulated data. This includes GCC, GCC High, and DoD levels that include isolated Microsoft 365 (formerly Office 365) services such as Exchange and Outlook for email, Teams, OneDrive, and SharePoint for collaboration, and the Microsoft Office suite, including Word, Excel, and PowerPoint.
This guide aims to help IT administrators and managed service providers (MSPs) understand the different Microsoft 365 GCC environments so that they can be better prepared when planning and implementing the IT infrastructure for US public sector entities and federal contractors.
Why choosing the right Microsoft 365 GCC environment matters
Microsoft 365 Government Community Cloud (GCC) environments are hosted in data centers located on US territory and staffed by vetted US citizens. These environments can be physically and logically isolated from other public cloud platforms in the Microsoft 365 ecosystem, ensuring compliance with US data residency and security standards such as FedRAMP, ITAR, NIST 800-171, DFARS, and CJIS.
Compliance with these frameworks is a requirement for many public sector entities or federal contractors that manage controlled unclassified information (CUI), federal contract information (FCI), and other regulated data. This requirement applies to organizations such as:
- US Federal, State, Local, or Tribal entities
- Solution providers (including MSPs) serving any of these entities
- Customers who handle government-controlled data
The GCC, GCC High, and DoD environments available in Microsoft 365 Government Community Cloud differ in their physical infrastructure and security requirements, which leads each to reach different compliance standards, and can lead to some functionality and compatibility differences. All require identity verification and eligibility screening to ensure that all GCC tenants meet the requirements for one of the above categories.
As with all legal and compliance-related matters, you should consult the authoritative source of regulations, as well as legal and domain experts in your industry, to ensure that you fully understand the unique requirements for your organization, and properly implement the required processes and technologies.
Overview of GCC, GCC High, and DoD environments
Before you apply for and begin deploying Microsoft 365 GCC services, your licensing, compliance, and identity infrastructure should be carefully planned, as well as any migration tasks. This is to ensure that all data security requirements are met, with all compliance requirements clearly identified and addressed.
| Environment | Intended use-case | Compliance standards met | Data residency | Hosting model |
| GCC | US state/local government, education, and public agencies | FedRAMP Moderate, CJIS, IRS 1075 | US-only | Commercial infrastructure (US-based) |
| GCC High | DoD contractors, CUI/ITAR data handlers | FedRAMP High, DFARS, NIST 800-171, ITAR | US-only | Physically and logically isolated (US personnel only) |
| DoD | US Department of Defense | DoD IL5/IL6, NIPRNet/SIPRNet | US-only | DoD-owned infrastructure |
Choosing the correct GCC environment for your use case will help you avoid data handling violations that may lead to contract disqualification or legal ramifications. Which GCC environment you can apply for will depend on your eligibility:
| Environment | Eligibility and licensing |
| GCC | Available to public sector entities and their contractors |
| GCC High | Requires Microsoft validation via sponsorship or contract with DoD/defense programs |
| DoD | Access is restricted to actual Department of Defense organizations |
Key differences for IT teams and MSPs
For IT teams and MSPs, the differences between the GCC, GCC High, and DoD Environments have practical implications for planning and implementation, with differences in the availability of support staff, cloud access, and third-party app compatibility.
| Feature | GCC | GCC High | DoD |
| Support personnel | May include global Microsoft support staff | US citizens only | US DoD personnel only |
| Cloud access | Commercial Azure | Azure Government (US sovereign) | Azure Government for DoD |
| App compatibility | Broad third-party ecosystem | Limited. Only FedRAMP High certified apps | Extremely limited |
| Multi-tenant access | Broad support for integrations | Restricted federation and API access | Highly restricted |
For MSPs, reselling and managing tenants in GCC requires a government-qualified status, as well as adherence to personnel screening requirements, including employing only US citizens, and performing background checks.
GCC High deployment considerations
When preparing for your Microsoft 365 GCC High deployment, you should consider any data migration that needs to occur: you cannot upgrade a commercial Microsoft 365 tenant directly to GCC High, so data must be migrated. You should also ensure that you are aware of the limitations of how your identity management will function, as Azure AD in GCC High may limit certain SSO/federation interactions. Third-party app integrations, APIs, and webhooks may also be affected.
Microsoft 365 GCC and AWS GovCloud interoperability
AWS GovCloud also addresses the requirements of US data sovereignty, providing a secondary solution that is compliant with many of the same compliance standards as Microsoft 365 GCC levels. Both platforms are often used in tandem: for example, where one service provides functionality that the other does not, or as a backup destination where compliance parity is required.
When implementing a cross-cloud architecture, data sovereignty and compliance must be maintained with the use of encryption, identity management, and ensuring that traffic is not routed through commercial regions that do not meet security standards.
Backups, security, and support: maintaining compliance across your entire IT infrastructure
Full compliance requires that your entire IT operation meet legally mandated standards – not just your cloud infrastructure. Backup and logging tools, remote support, security integrations, and other third-party tools must also meet the same compliance standards as the GCC tier you assess is appropriate for your use case.
NinjaOne provides a full suite of IT management and support tools that meet an increasing number of US federal regulations, including FedRAMP. This includes SaaS Backup that can back up your Microsoft 365 GCC tenants, and remote monitoring and management (RMM), endpoint security, and automation tools to assist IT teams and MSPs in serving US public-sector companies.
