Get Support
Book Discovery Session

Don’t Believe the Rumor, GCC High is Not the Only Solution for CMMC

Brian Seeling
June 18, 2020

There’s been a myth going around that GCC High is required for CMMC. For the most part, this myth has been dispelled by a CMMC-AB member during a May 2020 presentation. There is no requirement for Microsoft’s GCC High to meet any level of CMMC. While itis the only version of the Microsoft 365 platform that meets DFARS 7012 requirements according to paragraphs C-G, GCC High is not the only option for your overall compliance strategy when doing business with the DoD.

Options for CMMC Compliance

GCC High is not the only Microsoft solution that satisfies CMMC compliance. GCC and the Commercial versions of the platform can be configured to NIST 800-171 specifications and most of CMMC’s requirements with native security products/capabilities. For example, CMMC Level 3 security requirements can be met with both GCC and Commercial even if they do not meet DFARS 7012 or ITAR.

The differences that stand out most between Microsoft’s GCC High and GCC and Commercial are:

  • Support personnel
  • Data residency
  • FedRAMP status
  • Forensic information for reporting
  • Defense Information Systems Agency (DISA) Impact Level

Some smaller organizations often take the risk and go with GCC or Commercial until they can justify the investment in GCC High. However, doing so means ignoring the DFARS 7012 reporting requirements and hoping nothing goes wrong in the meantime. If an incident does occur, it could invoke a False Claims Act (FCA) violation.

Because of GCC High’s costs, some businesses are willing to take the risk because they have minimal, if any, interaction with CUI. Moreover,  their business with the DoD is a smaller component of their portfolio. Instead of making an immediate decision, some decide to make the switch from GCC or Commercial within a two to five year timeframe. If you have been considering taking this route, you should ask yourself these three questions:

  • Do you expect that your portfolio of DoD contracts will expand?
  • Are you focusing solely on CMMC preparations and are able to switch to GCC High in one to two years?
  • What is your risk of experiencing a security breach?

PreVeil is a Less Risky Option

If you are unwilling to take the risks of going without CUI protection, but are not ready to go the GCC High route, PreVeil delivers exceptional security and is highly affordable. It is easy to deploy and use while supporting CMMC Level 3 compliance.

Consider PreVeil’s features:

  • PreVeil’s secure email and file sharing service are easy to use and can be seamlessly integrated into a defense  contractor’s existing IT environment.
  • PreVeil email lets users send and receive encrypted email while continuing to use their same email address. The platform integrates with mail clients like OutlookGmail, and MacMail, while also working in the browser and mobile devices.
  • PreVeil Drive allows users to easily store, sync, and share sensitive files that contain DoD CUI both internally and with third parties. All files are protected with end-to-end encryption.
  • All user accounts can be managed from PreVeil’s Admin Console that also allows access to corporate data and log monitoring. This console can be integrated with Active Directory.

Consider these benefits of PreVeil over Microsoft’s GCC High:

preveil vs gcchihg

CUI Protection

  • PreVeil provides end-to-end encryption for email and files. It is designed to protect against modern cyberattacks because:
    • Data stays encrypted even if your servers and networks are breached
    • The platform employs device-based keys for authentication
    • Its patented Approval Groups protect against a catastrophic IT Admin breach by enabling privileged access without giving anyone admin keys
    • Isolates users from phishing and spoofing attacks
    • Creates trusted communities where you can control the flow of CUI and other sensitive information to white-listed domains and email addresses.
    • GCC High is vulnerable to modern attacks. This is because it relies on an antiquated security model.


  • GCC High requires a company-wide implementation. This raises the potential for business disruption during the roll-out.
  • PreVeil only needs to be deployed to users in your organization that handle CUI. No changes to your existing IT infrastructure are required.


  • The cost to implement GCC High is expensive. It requires multiple product suites and between $30-50k for initial setup fees.
  • PreVeil is a fraction of the cost to implement because it has a simple, all-inclusive user license fee for the subset of users dealing with DoD.


  • Out of the box, PreVeil is already enabled for NIST 800-171, DFARS 7012, and ITAR compliance.
  • GCC High does not come preconfigured. It must be custom configured to enable compliance on almost all relevant controls.

PreVeil is the better option for growing organizations that do business with the DoD but are not yet ready to invest the capital needed to move to GCC High.

New call-to-action

You May Also Like

These Stories on Compliance

Subscribe by Email