Microsoft 365 Commercial, GCC, & GCC High: What are they and how can RSM help?

By - May 9, 2023

RSM provides end-to-end, industry-specific Microsoft solutions for thousands of our clients across the world. We are an award-winning Microsoft Cloud Solution partner with numerous advanced specializations, and our technology advisors offer strategy, development, implementation, and support services for the full suite of Microsoft business solutions. RSM is currently one of the leaders in the middle market with 800 government contracting clients nationally, and we bring a dedicated, client-centric focus to every engagement. We understand that technology is critical to the success of your organization and that you want the confidence of working with a proven partner.

We deliver many services utilizing Microsoft 365 (M365), which is a suite of productivity and collaboration tools offered by Microsoft. It includes popular applications such as Word, Excel, PowerPoint, Outlook, and Teams, as well as cloud-based services such as SharePoint, OneDrive, and Exchange Online. M365 is available in several different editions, including commercial, government community cloud (GCC), and government community cloud high (GCC High). In this article, we will discuss the differences between these editions and how RSM can best serve your needs for each level.

Microsoft 365 Commercial:

Microsoft 365 commercial is designed for businesses of all sizes, from small to large enterprises. This edition is hosted in Microsoft’s global data centers and is compliant with many industry standards, including HIPAA/HITech, NIST 800-53, PCI-CSS, GDPR, CCPA, and more. However, this edition of Microsoft is not meant for government and defense compliance, as tenants are stored globally.

M365 commercial offers a range of features that help organizations increase productivity and collaboration, such as email, file storage, video conferencing, and enterprise social networking. The subscription plans for M365 commercial are based on the number of users and the features required by the organization. Overall, this edition of M365 services is best suited to general commercial use.


GCC is a government community cloud edition of M365 designed for US federal, state, and local government agencies, as well as federal contractors and subcontractors. This edition provides the same productivity and collaboration tools as the commercial edition, but tenants are specifically hosted in datacenters located only within the continental US. Additionally, all employees working at these datacenters must pass a variety of background checks to meet federal, state, and local government requirements.

GCC is compliant with all of the industry standards listed for commercial, while additionally fulfilling the requirements for DFARS 252.204-7012, DoD SRG Level 2, FBI CJIS (Criminal Justice Information Services), and FedRAMP High. This edition of M365 is not sufficient for ITAR, EAR, and the handling of Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI).

GCC High:

GCC High is designed for use by the Defense Industrial Base (DIB), DoD contractors, and federal agencies. It includes advanced threat protection, privileged access management, and enhanced data protection controls. However, this edition of M365 loses some of the features included in its commercial and GCC counterparts due to the rigorous testing, staffing, and compliance requirements inherent to the handling of sensitive data such as controlled unclassified information (CUI). Microsoft has a roadmap detailing the release of upcoming features for GCC High tenants, located here: Microsoft 365 Roadmap | Microsoft 365.

GCC High datacenters are again based only within the continental US, and all staff are required to pass several background checks including DoD IT-2 adjudication. This adjudication is part of an Office of Personnel Management (OPM) level 3 background check. GCC High meets the compliance requirements up to and including NIST 800-171, FedRAMP High, and ITAR, and the management of CUI/CDI.

Customers who want to move to a GCC High tenant must first go through Microsoft’s validation process. To apply for GCC High, you must complete the three-step validation process, which can take 3 – 7 days if done correctly. These steps include first requesting validation by reaching out to Microsoft to be registered as a Category 3 entity, then providing the corresponding documentation that proves you handle at least one of the aforementioned types of sensitive data, and finally working with an AOS-G Partner to submit the GCC High licensing request. Once approved, you can finally purchase GCC High through a trusted information technology solutions provider – such as RSM!

How can RSM help?

RSM’s US-based experts are trained and certified to offer Microsoft services from the commercial level up to the GCC High edition. When providing GCC High support services, we ensure there is no risk of RSM ever ingesting or handling sensitive data into RSM’s network, as we leverage separate, GovCon-approved devices and software.

Leveraging similar controls, RSM also implements D365 Business Applications including CE, Business Central, and Finance & Supply Chain Management in Commercial, GCC and GCC High clouds. RSM is a one-stop shop for Government Contractors looking to safeguard their data and comply with DoD contracting regulations.

Our experts will help guide clients in purchasing the necessary licenses in order to operate a GCC High tenant, and we will then provide support services to help clients best utilize their new environment.


To summarize, the main differences between M365 commercial, GCC, and GCC High are in the level of security and compliance they offer. While M365 commercial is compliant with many industry standards, it does not meet the specific security requirements of US government agencies. GCC provides a dedicated cloud environment that meets the compliance requirements of some US government agencies, but it may not be sufficient for agencies that deal with highly sensitive data. GCC High provides the most stringent level of security and compliance, making it suitable for agencies that deal with sensitive data types.

RSM is here to help you in your Microsoft journey, from the commercial to the GCC High level. For more information, please reach out to:

Julius is a Technical Writer with the RSM Modern Work team. He supports both Modern Work and other teams through content creation and other functions.

Receive Posts by Email

Subscribe and receive notifications of new posts by email.