Do you need GCC High for CMMC?
Not necessarily. DFARS 252.204-7012 requires any cloud that stores, processes, or transmits CUI to meet the FedRAMP Moderate baseline (or equivalent) — it never names GCC High. GCC High is the usual answer when your CUI includes ITAR/EAR export-controlled data, for its US-person access controls. For other CUI, scope a tight enclave first; cheaper compliant paths may exist.
The rule never says “GCC High”
The most expensive mistake in CMMC scoping is buying a high-side cloud before you know you need it. The regulation that actually governs cloud is DFARS 252.204-7012: when a contractor uses an external cloud service provider to store, process, or transmit CUI (covered defense information), the clause requires the provider to meet security requirements equivalent to the FedRAMP Moderate baseline. That is the bar. Microsoft 365 GCC High is one product built to clear it — but the clause names a security standard, not a brand.
So “do I need GCC High?” is the wrong first question. The right ones are: do I handle CUI at all, and is any of it export-controlled? The answers decide everything downstream.
CMMC certifies systems, not companies — so build an enclave
The DoD program office put it plainly in its May 2026 scoping guidance: “CMMC certifies systems, not companies.” You do not have to drag your whole business into a high-side environment. You can architect a CUI enclave — a deliberately small set of systems, users, and applications where CUI is allowed to live — and apply the stronger cloud only there. Everything outside the enclave stays out of scope.
This is the single biggest cost lever in the GCC High decision. Licensing and managing a high-side tenant for five people in a scoped enclave is a different budget than doing it for your entire fifty-person company. Scope down first; license second.
GCC High vs. the alternatives
A simplified map of the common Microsoft environments. Treat it as a starting point, not a compliance attestation — and always confirm a provider’s current commitments for your data in writing, because cloud offerings and their authorizations change.
| Environment | Built for | CUI (FedRAMP Moderate equiv.) | ITAR / export-controlled |
|---|---|---|---|
| Commercial Microsoft 365 / Google Workspace | General business productivity | Generally not positioned to meet the FedRAMP Moderate equivalent for CUI on its own | No — not designed for US-person / sovereignty controls |
| Microsoft 365 GCC ("Government Community Cloud") | US public-sector workloads at a moderate level | Positioned for some CUI workloads — confirm the specific commitments for your data in writing | Not the export-controlled answer — GCC is not the ITAR environment |
| Microsoft 365 GCC High | DIB / defense contractors handling CUI and export-controlled data | Built to support the FedRAMP Moderate equivalent and DFARS 7012 cloud requirements | Yes — US-sovereign, US-person-screened operations (the usual ITAR/EAR answer) |
| Microsoft 365 DoD | Department of Defense itself (not the typical contractor) | Higher impact level than most contractors need | Yes, but generally over-scoped for a small contractor |
Sources: DFARS 252.204-7012(b)(2)(ii)(D) (FedRAMP Moderate equivalent for external cloud handling CUI); 32 CFR 170 (CMMC program). Microsoft environment positioning is generalized — verify the specific compliance commitments for your data directly with the provider. Export-control conclusions (ITAR/EAR) are legal determinations; see counsel.
When you actually need GCC High
The honest decision comes down to what is in your CUI scope:
- FCI only, no CUI — this is a CMMC Level 1 situation. The FedRAMP Moderate cloud requirement does not apply, and GCC High is almost always unnecessary. (See Level 1 vs Level 2.)
- CUI that is not export-controlled — you need a cloud meeting the FedRAMP Moderate equivalent for the systems in your CUI enclave. GCC High can do that, but it is not the only path; weigh it against other FedRAMP-Moderate-equivalent options and the cost of a tightly scoped enclave.
- CUI that includes ITAR/EAR export-controlled technical data — this is where GCC High (or an equivalent US-sovereign, US-person-controlled environment) is the usual answer, because export law restricts who may access the data and where it may live. Because the trigger is export law, confirm the determination with export-control counsel.
How to decide, in order
The sequence matters: each step narrows the next. Most contractors who think they have a cloud problem actually have a scoping problem.
1. Scope your CUI first
   Find what Controlled Unclassified Information you actually hold and where it flows. The cloud question is downstream of scope: until you know what CUI you handle, "GCC High or not" is unanswerable. If you handle no CUI — only Federal Contract Information — this is a Level 1 question and the FedRAMP-Moderate cloud requirement does not apply to you.
2. Check export-control status
   Determine whether any of your CUI is ITAR or EAR export-controlled technical data. This is the single biggest driver of the GCC High decision — and it is a legal question. Export law restricts who may access the data (US persons) and where it may live (US sovereignty), which most commercial environments cannot satisfy. Get export-control counsel before you conclude.
3. Decide enclave vs. whole tenant
   CMMC certifies systems, not companies. You do not have to put your entire business in a high-side environment — you can build a scoped enclave so CUI touches as few systems, users, and apps as possible, and apply the stronger cloud only there. A tight enclave is the difference between licensing GCC High for five people and for fifty.
4. Match the environment to the requirement
   For CUI generally, the cloud must meet the FedRAMP Moderate baseline (or equivalent) under DFARS 252.204-7012. For ITAR/EAR export-controlled data, that practically means GCC High or another US-sovereign, US-person-controlled environment. Verify a vendor’s current compliance commitments in writing — cloud offerings and their authorizations change.
5. Document the boundary in your SSP
   Whatever you choose, your System Security Plan (NIST SP 800-171 requirement 3.12.4) has to describe the system boundary and every external cloud service in scope. The enclave you designed only counts if the SSP draws the boundary around it. No current SSP, no assessment.
A nuance the blogspam misses: not every vendor is a “CSP”
The FedRAMP Moderate expectation attaches to a cloud service provider. Per the DoD program office’s May 2026 scoping guidance, a vendor only qualifies as a CSP when all five NIST SP 800-145 cloud characteristics are present: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. A managed service provider that does not meet all five is scoped as an external service provider under different rules — not held to the CSP’s FedRAMP Moderate bar. The same guidance clarified that FedRAMP Moderate assertions do not require DIBCAC pre-approval before a C3PAO assessment. Knowing which bucket each vendor falls in keeps you from over-buying.
Straight answers
Is GCC High required for CMMC?
No — not by name. Neither the CMMC rule (32 CFR 170) nor DFARS 252.204-7012 names Microsoft GCC High. What the clause requires is that any external cloud service that stores, processes, or transmits CUI meet security requirements equivalent to the FedRAMP Moderate baseline. GCC High is one product built to meet that bar (and the export-control bar), but it is a means, not a mandate. The honest answer to "do I need GCC High?" is "it depends on what CUI you hold, especially whether any of it is export-controlled."
Do I need GCC High for ITAR or export-controlled data?
Usually, yes — but treat this as a legal question, not a CMMC one. ITAR and EAR restrict access to export-controlled technical data to US persons and generally require the data to stay within US-sovereign infrastructure. Commercial and standard government clouds typically cannot satisfy those access and sovereignty controls, which is why contractors handling export-controlled data land on GCC High or an equivalent US-sovereign environment. Because the trigger is export law, confirm your export-control scope with qualified export-control counsel before committing.
What is the difference between GCC and GCC High?
They are different Microsoft government environments at different assurance levels. "GCC" (Government Community Cloud) is positioned for US public-sector workloads at a moderate level; "GCC High" is built for the defense industrial base handling CUI and export-controlled data, with US-sovereign operations and US-person-screened support. GCC High is the environment associated with the FedRAMP Moderate equivalent plus the ITAR/EAR access controls. For your specific data, get the current commitments in writing — cloud authorizations change over time.
Can I use commercial Microsoft 365 for CUI?
Generally not on its own for CUI in scope of a DoD contract. DFARS 252.204-7012 requires a cloud handling CUI to meet the FedRAMP Moderate equivalent, and standard commercial productivity tenants are usually not positioned to meet that bar for CUI — and certainly not the US-person/sovereignty controls export-controlled data needs. The cheaper move is rarely "use commercial anyway"; it is to scope a tight CUI enclave so the high-side environment covers the smallest possible footprint. Confirm any vendor’s specific commitments in writing.
Does moving to GCC High make me CMMC compliant?
No. A compliant cloud is necessary for some controls but it is not the certification. CMMC Level 2 is an assessment against all 110 NIST SP 800-171 Rev 2 requirements — access control, configuration, training, incident response, a current System Security Plan, and more. GCC High helps you meet the subset of controls that depend on a compliant environment; the rest is your policies, procedures, and evidence. CMMC certifies systems, not companies, and not the platform underneath them.
Is my IT vendor a "cloud service provider" I have to hold to FedRAMP Moderate?
Not automatically. Per DoD PMO scoping guidance (May 2026), a vendor only qualifies as a cloud service provider — the role that triggers the FedRAMP Moderate equivalency expectation — when all five NIST SP 800-145 cloud characteristics are present (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service). A managed service provider that does not meet all five is scoped as an external service provider under different rules, not held to CSP requirements. The same guidance noted FedRAMP Moderate assertions do not require DIBCAC pre-approval before a C3PAO assessment.
Regulatory claims cite DFARS 252.204-7012, 32 CFR part 170, and the DoD program office’s May 2026 scoping guidance; NIST SP 800-145 defines the five cloud characteristics. This is compliance information, not legal advice — and export-control (ITAR/EAR) scope is a legal determination for qualified export counsel. Microsoft environment positioning is generalized; verify current commitments with the provider. Muster never accepts CUI and does not host your environment; only an authorized C3PAO can certify you.