Can You Use Microsoft 365 for CMMC Compliance? (GCC vs GCC High)

Quick Answer: Can You Use Microsoft 365 for CMMC?

It depends on which version of Microsoft 365 you use and what level of CMMC you need:

  • M365 Commercial: Not approved for CUI. Generally not sufficient for CMMC Level 2.
  • M365 GCC (Government Community Cloud): Suitable for CMMC Level 1 and some Level 2 scenarios involving only FCI.
  • M365 GCC High: The standard for CMMC Level 2 organizations handling CUI. FedRAMP High authorized, ITAR-capable, DoD-isolated.

Using the wrong Microsoft 365 tier is one of the most common — and costly — compliance mistakes defense contractors make.

Microsoft 365 is the most widely used productivity suite among defense contractors. And one of the most common questions we hear at CISPOINT — right alongside "how much does CMMC compliance cost" — is: "Can I just use the Microsoft 365 we already have?"

The short answer is: maybe — but probably not the version you're currently running. The version of Microsoft 365 you use has a direct, material impact on your CMMC compliance posture. Using the wrong tier means your cloud environment may not be authorized to store or process Controlled Unclassified Information (CUI), which can derail your entire certification effort.

This guide breaks down the three tiers of Microsoft 365 — Commercial, GCC, and GCC High — explains what each one supports from a CMMC compliance perspective, and helps you determine which one your organization actually needs.

The Three Tiers of Microsoft 365: What's the Difference?

Microsoft offers three cloud environments for Microsoft 365, each designed for different compliance needs. They are not interchangeable — data stored in one cannot simply be moved to another without a formal migration, and the compliance boundaries are meaningfully different.

Microsoft 365 Commercial

This is the standard Microsoft 365 most businesses use. It runs on Microsoft's shared global infrastructure, meaning data may be stored or processed in data centers outside the United States. It is not authorized under FedRAMP, does not meet ITAR/EAR requirements, and is not approved for storing or processing CUI.

If your organization handles CUI and is currently using M365 Commercial, this is a compliance gap that needs to be addressed before your CMMC assessment.

Microsoft 365 GCC (Government Community Cloud)

Microsoft 365 GCC is a government-specific cloud environment designed for US federal, state, local, and tribal government customers — and the contractors that support them. Key characteristics:

  • Data is stored exclusively in the United States
  • Authorized at FedRAMP Moderate
  • Access is restricted to US persons
  • Logically separated from the commercial cloud (but not physically isolated)
  • Supports most Microsoft 365 apps: Exchange, SharePoint, Teams, OneDrive

GCC is generally appropriate for organizations handling Federal Contract Information (FCI) and pursuing CMMC Level 1. For CMMC Level 2 with CUI, GCC's suitability depends on the specific nature of your contract and data — and you should get a formal assessment before assuming it qualifies.

Microsoft 365 GCC High

GCC High is Microsoft's most secure commercial cloud environment, purpose-built for Department of Defense contractors, defense industrial base (DIB) organizations, and entities subject to ITAR and EAR export control regulations. Key characteristics:

  • Physically and logically isolated from both commercial and GCC environments
  • Authorized at FedRAMP High
  • ITAR and EAR compliant by design
  • Support staff are US persons subject to additional screening
  • DoD Impact Level 4 and 5 capable (with additional configuration)
  • Fully isolated tenant — your data never touches commercial infrastructure

GCC High is the standard environment for organizations pursuing CMMC Level 2 certification where CUI is involved. For most defense contractors in the DIB handling technical data, drawings, or sensitive program information, GCC High is not optional — it is the required baseline.

Microsoft 365 Comparison: Commercial vs GCC vs GCC High

Feature                  M365 Commercial      M365 GCC                  M365 GCC High
-----------------------  -------------------  ------------------------  ---------------------
Data residency           US & international   US only                   US only (isolated)
FedRAMP authorization    No                   FedRAMP Moderate          FedRAMP High
ITAR/EAR compliant       No                   Partial                   Yes
CUI storage allowed      No                   Limited / case-by-case    Yes
CMMC Level 1 support     Generally No         Generally Yes             Yes
CMMC Level 2 support     No                   Depends on contract       Yes
Support staff cleared    No                   US persons only           US persons, screened
Tenant isolation         Shared commercial    Gov community cloud       Fully isolated gov
Price vs Commercial      Baseline             ~$4–6 more/user/mo        ~$10–16 more/user/mo
Best for                 General business     FCI / low-risk CUI        CUI / CMMC Level 2

Note: Pricing shown reflects approximate per-user per-month premium over comparable Commercial plans. Actual pricing varies by plan tier and licensing agreement. Contact CISPOINT or your Microsoft licensing partner for current quotes.

What Does CMMC Actually Require From Your Cloud Environment?

CMMC does not specify that you must use Microsoft 365 GCC High. What CMMC requires is that any system processing, storing, or transmitting CUI meets the security requirements in NIST SP 800-171 — all 110 of them for Level 2. Your cloud environment must support the implementation of those controls.

The reason GCC High has become the de facto standard for CMMC Level 2 is that it is the lowest-cost Microsoft cloud option that provides the technical foundation to implement all required controls without workarounds or compensating controls. Commercial and GCC can leave gaps that require complex, expensive compensating measures — and assessors may still find them insufficient.

The CUI Boundary Question

The most important question about your Microsoft 365 environment is: does CUI flow through it?

If the answer is yes — and for most defense contractors it is — then your Microsoft 365 environment is inside your CMMC assessment boundary. That means every control in NIST SP 800-171 must be implemented in that environment. And M365 Commercial simply does not provide the technical underpinnings to make that possible.

For a deeper look at how system boundaries are defined and documented, see our CMMC Documentation Checklist — specifically the sections on System Security Plans and CUI data flow diagrams.

The Shared Responsibility Model

This is where many defense contractors get tripped up. Microsoft's authorization (FedRAMP, ITAR, etc.) covers the platform infrastructure — the data centers, the network, the servers. It does not automatically make your organization CMMC compliant.

You are still responsible for configuring and implementing the security controls within that environment. Think of it like renting an armored truck: the truck meets certain security standards, but you still have to lock it properly, control who has keys, and log where it goes.

Shared Responsibility: What Microsoft Covers vs. What You Must Do

CMMC Control Area                  Microsoft Handles                     You Must Handle
---------------------------------  ------------------------------------  ---------------------------------------------
Physical security of data centers  Yes — fully Microsoft                 Nothing additional
FedRAMP authorization maintenance  Yes — Microsoft maintains             Nothing additional
MFA for user accounts              Microsoft provides capability         You must configure and enforce it
Conditional Access policies        Microsoft provides capability         You must design and implement policies
Data Loss Prevention (DLP)         Microsoft provides capability         You must configure rules for CUI
Audit logging                      Microsoft provides logs               You must review logs and retain per policy
User access reviews                Not Microsoft's role                  You must conduct periodic reviews
Incident response                  Microsoft handles platform incidents  You must handle your own IR plan and execution
System Security Plan (SSP)         Not Microsoft's role                  You must write and maintain the SSP
Employee security training         Not Microsoft's role                  You must conduct and document training

Key takeaway: GCC High gives you the platform. CMMC compliance requires you to properly configure, manage, and document everything built on top of it.

Which Microsoft 365 Tier Does Your Organization Need?

The right answer depends on your contract type, the data you handle, and your target CMMC level. Here is a practical decision framework:

Your Situation                                        Recommended Tier                        Why
----------------------------------------------------  --------------------------------------  ----------------------------------------------------------------
Handle only FCI, no CUI, CMMC Level 1                 M365 GCC                                FedRAMP Moderate, US-only data, adequate for FAR 52.204-21
Handle CUI, pursuing CMMC Level 2                     M365 GCC High                           FedRAMP High, ITAR-capable, DoD-isolated tenant
Handle ITAR-controlled technical data                 M365 GCC High                           Only tier with ITAR/EAR compliance built in
Currently on Commercial, contract awarded with CUI    Migrate to GCC High                     Commercial is not approved for CUI storage or processing
Subcontractor receiving CUI from prime                M365 GCC High                           You inherit the prime's CUI obligations — same standard applies
Small business, cost is a concern                     GCC (Level 1) or GCC High with enclave  GCC High enclave strategy can reduce licensed seat count

A Note on the GCC High Enclave Strategy

One cost-reduction strategy that has emerged for smaller defense contractors is the GCC High enclave approach: rather than migrating your entire organization to GCC High, you create a smaller, isolated GCC High environment used only by personnel who touch CUI. Everyone else stays on Commercial or GCC.

This can significantly reduce licensing costs — instead of paying for GCC High for 50 employees, you might only need it for 8 who actually handle CUI. However, this strategy requires careful implementation:

  • The enclave must be properly isolated — no CUI should ever flow outside it
  • The enclave becomes your CMMC assessment boundary, and all 110 controls apply within it
  • Personnel outside the enclave must have zero access to CUI
  • The approach requires thorough documentation in your System Security Plan

If you are exploring this strategy, our CMMC documentation checklist covers the SSP and data flow documentation requirements in detail. CISPOINT can also help you evaluate whether an enclave approach is right for your organization.

Migrating from Commercial or GCC to GCC High: What to Expect

Migration to GCC High is a project, not a flip of a switch. Organizations should factor migration time into their overall CMMC compliance timeline. Here is what the process typically involves:

Step 1: Licensing and Procurement

GCC High requires purchasing through a Microsoft-authorized government licensing partner — you cannot buy it directly through the standard Microsoft portal. Expect procurement to take 2 to 4 weeks. Your existing Commercial or GCC licenses cannot be directly converted; new GCC High licenses must be provisioned.

Step 2: Tenant Setup and Configuration

A new GCC High tenant must be created and configured from scratch. This includes:

  • Setting up users, groups, and roles
  • Configuring Conditional Access policies and MFA enforcement
  • Establishing Data Loss Prevention (DLP) policies to protect CUI
  • Configuring audit logging and log retention
  • Applying Microsoft Secure Score hardening recommendations

Step 3: Data Migration

Email, SharePoint sites, OneDrive files, and Teams data must all be migrated. This is typically the most time-consuming phase. For organizations with years of data, migration can take 4 to 12 weeks depending on data volume and complexity.

Step 4: Decommissioning the Old Environment

Once migration is complete and verified, the old Commercial or GCC tenant must be properly decommissioned. This includes revoking access, ensuring no CUI residue remains, and documenting the decommission in your security records.

Typical Migration Timeline

Organization Size         Estimated Migration Duration  Key Variables
------------------------  ----------------------------  --------------------------------------------------------------
Small (1–25 users)        4 to 8 weeks                  Data volume, complexity of existing config
Mid-size (26–100 users)   8 to 16 weeks                 Number of SharePoint sites, Teams channels, email volume
Large (100+ users)        16 to 24+ weeks               Legacy integrations, third-party apps, compliance requirements

Important: Do not wait until you are under assessment pressure to begin a GCC High migration. Factor migration time into your compliance planning from day one.

GCC High Is Not a Magic Compliance Button

We want to be direct about this because it is one of the most persistent misconceptions we encounter: purchasing GCC High licenses does not make you CMMC compliant. It gives you a platform that can support CMMC compliance — but the work of actually achieving compliance still falls on your organization.

After migrating to GCC High, you still need to:

  • Configure and enforce MFA across all accounts
  • Set up and maintain Conditional Access policies
  • Configure DLP rules that identify and protect CUI
  • Enable and review audit logs on a defined schedule
  • Complete your System Security Plan documenting how M365 implements each control
  • Conduct user security awareness training
  • Establish and test your incident response plan
  • Conduct regular vulnerability assessments

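As an added example (not CISPOINT's code and not a Microsoft-provided script), the following PowerShell spot-checks three items from the list above against a GCC High tenant: that the session is actually connected to the US Government cloud endpoints rather than the global ones, that an enabled Conditional Access policy requires MFA for all users, and that unified audit log ingestion is turned on. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the signed-in account holds read permissions for these objects.

```powershell
# Added example, not code from CISPOINT or Microsoft. Assumes the Microsoft.Graph
# and ExchangeOnlineManagement modules are installed and the caller has read
# access to Conditional Access policies and the Exchange audit configuration.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement

function Test-GccHighBaseline {
    $findings = @()

    # GCC High lives in the US Government cloud; connecting with the default
    # (global) environment would silently evaluate the wrong tenant.
    Connect-MgGraph -Environment USGov -Scopes 'Policy.Read.All'
    $ctx = Get-MgContext
    if ($ctx.Environment -ne 'USGov') {
        $findings += "Graph session is not in the USGov environment (found: $($ctx.Environment))"
    }

    # Conditional Access: require at least one enabled policy that targets all
    # users and lists 'mfa' among its grant controls.
    $policies = Get-MgIdentityConditionalAccessPolicy
    $mfaForAll = $policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    }
    if (-not $mfaForAll) {
        $findings += 'No enabled Conditional Access policy requires MFA for all users'
    }

    # Audit logging: the unified audit log must be ingesting, checked against the
    # GCC High Exchange Online endpoint.
    Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false
    $audit = Get-AdminAuditLogConfig
    if (-not $audit.UnifiedAuditLogIngestionEnabled) {
        $findings += 'Unified audit log ingestion is disabled'
    }

    Disconnect-ExchangeOnline -Confirm:$false
    Disconnect-MgGraph | Out-Null
    return $findings
}

$results = Test-GccHighBaseline
if ($results.Count -eq 0) { 'Baseline checks passed' } else { $results }
```

Each finding maps to an item you would otherwise have to attest to in the SSP by hand; the script only reads configuration and changes nothing.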
The platform provides the technical capability. Your organization — and your CMMC advisor — provides the implementation and documentation that turns capability into verified compliance.

What About Other Cloud Providers for CMMC?

Microsoft 365 GCC High is the most commonly used platform among CMMC Level 2 organizations, but it is not the only option. Other FedRAMP High authorized alternatives include:

  • Google Workspace for Government (FedRAMP High): Available for DoD use cases but less common in the defense industrial base. Requires careful evaluation of CUI handling capabilities.
  • AWS GovCloud: FedRAMP High authorized, widely used for infrastructure workloads. Not a direct M365 replacement but relevant if your organization uses AWS for data storage or processing.
  • Azure Government: Microsoft's IaaS/PaaS government cloud, often used alongside M365 GCC High for additional workloads.

Any cloud environment used to process, store, or transmit CUI must meet FedRAMP High authorization or equivalent. If you are evaluating alternatives to Microsoft 365 GCC High, CISPOINT can help you assess whether a given platform meets CMMC requirements before you commit to it.

How CISPOINT Helps Defense Contractors Navigate Microsoft 365 and CMMC

CISPOINT is a Cyber-AB Registered Practitioner Organization (RPO) and MSSP serving defense contractors across Maryland, Virginia, DC, Huntsville Alabama, Kentucky, and Florida. We help organizations make the right Microsoft 365 decisions from the start — avoiding costly migrations and compliance gaps that could delay certification.

Our Microsoft 365 and CMMC services include:

  • CMMC gap assessments that evaluate your current M365 environment
  • GCC High tenant setup, configuration, and hardening
  • Full migrations from Commercial or GCC to GCC High
  • CMMC control implementation within GCC High
  • System Security Plan development documenting your M365 configuration
  • Ongoing managed security monitoring of your GCC High environment

Not Sure Which Microsoft 365 Tier You Need?

CISPOINT offers a complimentary CMMC readiness consultation. We'll review your current environment, identify whether your Microsoft 365 setup supports your compliance requirements, and give you a clear path forward.


Frequently Asked Questions

Can I use Microsoft 365 Commercial for CMMC compliance?

No. Microsoft 365 Commercial is not authorized for storing or processing CUI and does not meet the FedRAMP, ITAR, or data residency requirements needed for CMMC Level 2. Organizations currently on Commercial that handle CUI need to migrate to GCC High.

What is the difference between GCC and GCC High?

GCC (Government Community Cloud) is FedRAMP Moderate authorized and designed for general government use. GCC High is FedRAMP High authorized, physically isolated from commercial infrastructure, ITAR/EAR compliant, and purpose-built for DoD contractors. GCC High is the required tier for most organizations handling CUI and pursuing CMMC Level 2.

Does Microsoft 365 GCC High make me CMMC compliant?

No. GCC High provides the platform foundation needed to implement CMMC controls, but your organization must still configure those controls, document them in a System Security Plan, conduct training, manage access, and perform all the activities required by NIST SP 800-171. GCC High is a necessary starting point, not a complete solution.

How much does Microsoft 365 GCC High cost compared to regular Microsoft 365?

GCC High typically costs $10 to $16 more per user per month compared to equivalent Commercial plans, depending on the plan tier. For a 25-person organization, this translates to approximately $3,000 to $5,000 in additional annual licensing costs. Organizations should factor in migration costs as well, which vary based on data volume and complexity.

Can I use the GCC High enclave strategy to reduce costs?

Yes, in some cases. The enclave approach involves creating a smaller GCC High environment only for personnel who handle CUI, while the rest of the organization remains on a lower tier. This can reduce licensing costs significantly. However, the enclave must be rigorously isolated, all 110 NIST 800-171 controls apply within the enclave, and the approach requires careful documentation. CISPOINT can help you evaluate whether this strategy is appropriate for your organization.

How long does it take to migrate from Commercial to GCC High?

Migration timelines vary based on organization size and data volume — typically 4 to 8 weeks for small organizations and 16 to 24+ weeks for larger ones. The process includes licensing procurement, tenant setup and configuration, data migration, and decommissioning the old environment. Do not wait until you are under assessment pressure to begin a GCC High migration.

Do subcontractors need GCC High too?

If a subcontractor receives, processes, stores, or transmits CUI — yes. CMMC requirements flow down from prime contractors to subcontractors who touch CUI. Subcontractors cannot use a less compliant environment simply because they are not the prime. For a full breakdown of subcontractor obligations, see our Subcontractor's Guide to CMMC.

Conclusion

Microsoft 365 can absolutely support CMMC compliance — but only if you are using the right version of it. For most defense contractors handling CUI and pursuing CMMC Level 2, that means GCC High. Using Commercial or GCC when GCC High is required is not a minor technicality — it is a fundamental gap in your compliance posture that assessors will catch.

The good news is that GCC High migration is a well-understood process, and with the right partner, it does not have to be disruptive. CISPOINT has helped dozens of defense contractors make the transition cleanly, on schedule, and positioned for assessment success.

If you are unsure where your current Microsoft 365 environment stands relative to your CMMC requirements, contact CISPOINT for a complimentary readiness consultation. We serve defense contractors across Maryland, Virginia, DC, Alabama, Kentucky, and Florida.

Disclaimer: Information in this post reflects Microsoft 365 tier capabilities and CMMC requirements as of the date of publication. Microsoft licensing, product features, and FedRAMP authorizations are subject to change. CMMC assessment standards may also evolve. Organizations should verify current requirements with their CMMC advisor, Microsoft licensing partner, and contracting officer before making platform decisions. This post does not constitute legal or compliance advice.