March 17, 2023

Last Updated on June 17, 2024

Organizations in the US Defense Industrial Base (DIB) that handle Controlled Unclassified Information (CUI) must comply with the NIST 800-171 and/or Cybersecurity Maturity Model Certification (CMMC) standards. For many, that means migrating some or all users from their commercial Microsoft 365 environment to one of Microsoft’s two “government cloud” platforms. For others it means starting a new “gov cloud” tenant from scratch.

Many can move to the Microsoft 365 Government Community Cloud (GCC), which meets compliance requirements for “basic” CUI. But if you handle highly sensitive CUI with special restrictions, such as International Traffic in Arms Regulations (ITAR) data, you’ll need to migrate to GCC High.

This post will give you an overview of key migration considerations, including some of the major   differences between GCC and GCC High.

One: Licensing changes

A big difference between a government cloud and the commercial Microsoft 365 platform is the licensing programs. Between GCC and GCC High there are also significant differences, the biggest perhaps being that most orgs will need to pay licensing costs upfront with GCC High.

Licensing costs aren’t that different between GCC versus a commercial tenant. But they are significantly higher (50%-70%) with GCC High. And licensing GCC High isn’t as simple as opening your checkbook. First you need to request validation from Microsoft that your business should be on GCC High and provide documentation to verify your eligibility. Once approved, you can license GCC High only through Microsoft or one of a limited number of Agreement for Online Services – Government (AOS-G) partners.

Two: Tools and technology

Another concern with migrating to GCC High versus GCC is that your migration tools and process need to support compliance with the security requirements in your DoD contract. Many commercial data migration tools and services do not meet FedRAMP Moderate or CMMC Level 2/NIST 800-171 standards, let alone the FedRAMP High or CMMC Level 3 standards associated with GCC High.

Conrad Agramont, CEO at Agile IT, sums it up: “You might say, ‘Hey, this looks like a nice, cheap migration tool. I think I’ll run it. I don’t know, is that data running through a data center not in the US…? No wonder it’s so cheap. But now the data’s in GCC High, so I’m sure it’s fine.’”

A related concern is that many of the third-party data migration tools that could work in Microsoft 365 or even Microsoft 365 GCC environments won’t work with GCC High, as the APIs involved are completely different.

Three: Migration size and complexity

Many orgs also underestimate the sheer volume and diversity of data in their Microsoft 365 environment that needs to move. This process can be complex, time-consuming, and expensive. Some custom applications and data types, such as forms, can’t be migrated to GCC High and will need to be recreated. You’ll also need to map settings to the new GCC High context and make them by hand; they won’t transfer automatically.

Of course, many companies in the process of figuring out what and how to migrate to a new Microsoft 365 environment decide to “clean house” while they’re at it, which can add further complexity and uncertainty to the process.

The 2 hardest things

In Conrad’s experience, the two hardest things to move in any migration are:

  1. Your custom applications
  2. Your people—the hardest thing of all


“Normally the execs are going to say, ‘I don’t want that MFA! What are all these security hoops? That’s not how it used to be.’ That’s the hardest,” Conrad relates.

What’s next?

For more guidance on this topic, listen to Episode 113 of The Virtual CISO Podcast  with guest Conrad Agramont from Agile IT.

TPRM for SMBs guide

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size busiess (SMB).
Download our free TPRM PDF guide now!