If you've started working on CMMC readiness, someone has probably told you: "You need to get off commercial Microsoft 365." Maybe they said you need GCC High. Maybe they quoted you a number that made you wince. And maybe you're not even sure what GCC High is or whether you actually need it.
Here's the honest answer: CMMC doesn't explicitly require GCC High — but DFARS 252.204-7012 effectively rules out commercial Microsoft 365 for any workload that touches CUI. The path you choose from there depends on what kind of CUI you handle, how your prime contractor is set up, and your budget. This guide walks through all three real options, without the enterprise consultant pitch.
Why Commercial M365 Doesn't Work for CUI
DFARS 252.204-7012 — the contract clause that's been in most DoD contracts since 2017 — requires that any cloud service you use to store, process, or transmit CUI must meet a FedRAMP Moderate baseline at minimum. Commercial Microsoft 365 is not FedRAMP authorized for CUI workloads. It fails that bar entirely.
That means if CUI is flowing through your commercial M365 email inbox, your Teams channels, or your SharePoint — you have a DFARS 7012 violation. That's true whether you've started CMMC yet or not, and it's been true since before CMMC existed.
CMMC Level 2 enforcement (Phase 2, November 10, 2026) adds a third-party assessment layer — but it doesn't create new cloud requirements. It verifies the ones that already exist.
The Three Paths for Small Contractors
Once you accept that commercial M365 can't hold CUI, you have three realistic options:
Option 1: Microsoft 365 GCC (Government Community Cloud)
GCC is Microsoft's standard government cloud — not to be confused with GCC High. It's FedRAMP Moderate authorized, which satisfies the DFARS 7012 floor for most standard CUI. If your contracts involve Controlled Technical Information (CTI) or other CUI categories that don't carry ITAR or EAR controls, GCC is typically sufficient.
GCC looks and works like commercial M365 — same interface, same apps. The data is stored in US-based datacenters with government-grade access controls. Pricing sits between commercial and GCC High, and it's available in standard Microsoft business licensing tiers.
Option 2: Microsoft 365 GCC High
GCC High is FedRAMP High authorized. It covers everything GCC does, plus it handles ITAR and EAR controlled unclassified information — the kind that comes up in aerospace, defense hardware, and advanced manufacturing contracts. It also has stricter data residency and personnel access rules that some prime contractors require by policy even when your CUI category doesn't technically demand it.
Until recently, GCC High was priced at enterprise tiers (G3 or G5), which put it out of reach for many small contractors. In November 2025, Microsoft introduced GCC High Business Premium — available for organizations with 300 or fewer employees — which significantly reduces the cost barrier for small businesses.
If your prime contractor requires GCC High or your work involves ITAR/EAR obligations, you have no choice. But if you're handling standard CUI on non-export-controlled contracts, GCC (not GCC High) is often sufficient — and meaningfully cheaper.
Option 3: Encrypted Overlay on Commercial M365
A third path that's gained traction for cost-conscious small contractors: keep commercial M365 for everything it's already doing (internal collaboration, calendaring, non-CUI email) and add a FedRAMP High-authorized encrypted overlay solution just for CUI workloads. Products like PreVeil operate at the application layer, encrypting CUI end-to-end before it ever touches Microsoft's commercial infrastructure.
The appeal: you avoid migrating your entire organization to GCC High, which is expensive and disruptive. The tradeoff: your team now has two communication tools — one for regular work, one for CUI — and that creates its own compliance challenges if people start sending CUI through the wrong channel. You'll need policy controls and training to make it work.
Comparing Your Options
| Option | FedRAMP Status | Standard CUI | ITAR / EAR CUI | Relative Cost |
|---|---|---|---|---|
| Commercial M365 | Not authorized for CUI | No | No | Lowest |
| M365 GCC | FedRAMP Moderate | Yes | No | Medium |
| M365 GCC High | FedRAMP High | Yes | Yes | Higher (now: Business Premium tier for ≤300 employees) |
| Overlay (e.g. PreVeil) + Commercial M365 | FedRAMP High (overlay layer) | Yes | Case-by-case | Medium (can be 60–75% less than full GCC High migration) |
How to Decide Which Path Is Right for You
Before you sign anything with a Microsoft partner, answer these three questions:
- Does your work involve ITAR or EAR? If yes, you need GCC High (or an overlay solution with verified ITAR coverage). If no, GCC may be sufficient.
- What does your prime contractor require? Some primes mandate GCC High by policy even when the CUI category alone wouldn't require it. Check your contract's cybersecurity exhibit or ask your DCSA/program office contact before assuming GCC is acceptable.
- How many of your employees actually handle CUI? If it's a small number, the incremental cost of GCC High Business Premium for just those seats may be lower than you expect — and the migration simpler.
Most small contractors handling standard CUI (technical drawings, performance specs, procurement data) on non-ITAR contracts will find that M365 GCC covers their needs. The bigger lift is usually not the licensing — it's the configuration work to actually meet NIST 800-171 controls inside whatever environment you choose.
Cloud Platform Is One Piece — Controls Are the Other
A common mistake: assuming that moving to GCC High means you're CMMC-ready. It doesn't. The cloud platform is the container; the 110 NIST 800-171 controls are what goes inside it. GCC High gives you the FedRAMP-authorized envelope — you still have to configure MFA, conditional access, DLP, audit logging, and the other 100+ requirements inside that envelope.
Your SSP needs to describe how CUI flows through your chosen platform, what controls are met by the platform versus what you've configured yourself, and where your MSP or IT partner shares responsibility. (If you use an MSP, make sure they can provide their own documentation — shared responsibility isn't an excuse for gaps.)
Map your controls against your cloud platform
CMMC Map walks you through all 110 controls and lets you note which are satisfied by your cloud provider and which you've implemented yourself — so your SSP reflects reality, not guesswork.
What About Microsoft's Built-In CMMC Features?
Microsoft has invested heavily in CMMC-aligned compliance tooling for GCC and GCC High customers — Microsoft Purview for data classification, Microsoft Defender for endpoint protection, and Entra ID for identity management all map to specific NIST 800-171 controls. As of early 2026, Defender for GCC High and Purview for GCC High are generally available, which fills some of the tooling gaps that previously pushed contractors toward third-party solutions.
This doesn't mean you can buy GCC High and call it done. Each Microsoft feature still needs to be correctly configured and documented. But it does mean the vendor tooling is more complete than it was two years ago, which reduces the number of point solutions you need to bolt on.
The Bottom Line
The short version: commercial M365 can't hold CUI, full stop. Your choices are M365 GCC (sufficient for most standard CUI), M365 GCC High (required for ITAR/EAR or if your prime demands it), or a FedRAMP-authorized encrypted overlay on your existing commercial tenant.
The decision matters — but it's one piece of a larger picture. The harder work is implementing and documenting the 110 controls that live inside whatever platform you choose. That's where most small contractors actually struggle, and it's independent of which cloud environment you pick.