March 23, 2023

Last Updated on January 15, 2024

If your company is among the many SMBs moving from a commercial Microsoft 365 environment to Microsoft 365 Government Community Cloud (GCC) or GCC High to meet US government compliance obligations, you might be experiencing “sticker shock” at the licensing and/or migration costs.


What are some of the factors influencing your costs in a Microsoft 365 “gov cloud”?


Licensing differences

While Microsoft 365 GCC licensing costs are comparable to the commercial version, GCC High costs are like to be 50%-70% more expensive. Another difference is that GCC High licenses can only be purchased from a limited number of partners, or direct from Microsoft. Orgs need to undergo a screen process to ensure they’re eligible to use GCC High, and this is rechecked annually.


Perhaps most onerous, there is no monthly payment option with GCC High; you have to pay for a year of licensing upfront. With GCC you can still pay month-to-month.


Why the extra cost?
GCC High is more expensive than GCC or commercial M365 because it complies with a more stringent set of regulations designed to protect the most sensitive unclassified US government data types like International Traffic in Arms Regulations (ITAR) data, Department of Defense Unclassified Controlled Nuclear Information (DOD UCNI), and Covered Defense Information (CDI).


GCC is based on Microsoft’s commercial data centers and global Azure infrastructure, and data processing for some GCC services occurs outside the US. GCC also uses the same global support framework as M365, so that people performing support and potentially with access to GCC data could be based outside the US.

But GCC High is built on completely separate, dedicated data centers that are all in the continental US and are supported entirely by cleared US persons. With GCC High, Microsoft guarantees that no data will leave the US and no non-US persons will ever have access to it.


Another factor in Microsoft’s costs that reflects on customers is the economy of scale. Operational costs for the commercial infrastructure are shared among over one million accounts. Far fewer orgs are using GCC High.


What’s next?

For more guidance on this topic, listen to Episode 113 of The Virtual CISO Podcast  with guest Conrad Agramont from Agile IT.

TPRM for SMBs guide

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size busiess (SMB).
Download our free TPRM PDF guide now!