
GCC High, Commercial, or Enclave? Choosing a CUI Environment for CMMC

By Glenn Ballard · CMMC Registered Practitioner · June 20, 2026 · 8 min read

“Do we need GCC High?” is one of the first — and most expensive — questions a defense contractor asks on the road to CMMC. Get it wrong by over-buying and you saddle a small business with a premium platform it didn't need. Get it wrong by under-buying and you store CUI somewhere that fails the assessment outright. The honest answer is: it depends on what CUI you handle and where it lives. Here's how to decide.

The Rule That Drives the Decision

The starting point isn't a Microsoft license tier — it's DFARS 252.204-7012. When a cloud service stores, processes, or transmits CUI on your behalf, that service must meet the FedRAMP Moderate baseline (or equivalent) and comply with the clause's cyber-incident reporting and forensic requirements. So the real question is which environments clear that bar for the specific data you handle.

DoD has set a deliberately high standard for what counts as FedRAMP Moderate “equivalency.” A vendor simply claiming “800-171 aligned” is not the same as meeting the baseline. Confirm the authorization status — don't assume it.

The Options, Honestly Compared

Commercial Microsoft 365

With the right configuration and add-ons, commercial environments can support many NIST SP 800-171 requirements. The catch is data residency and the FedRAMP-equivalency bar — and commercial generally is not appropriate for ITAR or export-controlled data.

GCC High (and Azure Government)

Built for the defense market: US data residency, US-person operational support, and alignment with DoD requirements up the stack. It's the safe, often necessary choice for ITAR/export-controlled data — and many contractors choose it for CUI broadly to avoid ambiguity. The trade-off is cost and some feature/integration differences from commercial.

Rule of thumb: ITAR or export-controlled data → GCC High. Other CUI → a properly configured environment that demonstrably meets the FedRAMP Moderate baseline may suffice. When the data type is unclear, scope conservatively.

The Move That Saves the Most: an Enclave

Whatever platform you choose, the highest-leverage decision is how much of your business touches CUI. Build a CUI enclave — a small, segmented environment where all CUI is handled — and only that enclave (plus the assets protecting it) falls under the full 110 requirements. Let CUI sprawl across every laptop, mailbox, and file share, and your entire company is in scope.

For most small and mid-sized contractors, a GCC High enclave for the CUI workload — with the rest of the business kept deliberately out of scope — is the sweet spot of cost, simplicity, and assessment confidence. (See CUI and scoping for how to draw that boundary.)

How to Decide, in Order

  • Identify your CUI. What categories do you actually handle — and is any of it ITAR or export-controlled?
  • Map where it lives today. Email, file shares, ERP, endpoints, the shop floor.
  • Choose the platform that clears the FedRAMP bar for that data (GCC High if ITAR is in play).
  • Design the enclave to pull CUI out of the rest of the business and shrink scope.

Scope First, Then Choose the Platform

The platform decision is downstream of scoping — and scoping is exactly where the Dragonfli Group CMMC Accelerator starts. We help you identify the CUI you handle, define a tight boundary, and assess against all 110 requirements within it, so you buy the environment you actually need and document it in a draft SSP a CMMC Registered Practitioner reviews.
