Many business and IT leaders in the Defense Industrial Base (DIB) are exploring the benefits of migrating to Microsoft 365 GCC High (GCC High) - or Office 365 GCC High - and in the process have many questions about licensing. One of the most common questions arising in initial exploratory conversations is around price. GCC High is undoubtedly more expensive than other 'versions' of the platform, but there are common misconceptions around why.
This blog and accompanying video explain the differences between the US-sovereign cloud version of the Microsoft 365 platform and the commercial version, and more.
Reason 1 - Additional Security
As you would suspect, it costs Microsoft more money to run data centers that have higher levels of security. Businesses opt for a cloud approach because resiliency measures for on-premises systems can be costly. Microsoft takes the brunt of those costs for GCC High consumers (PaaS and SaaS) by addressing the light blue components shown in their shared responsibility model below.
Microsoft's GCC High datacenters meet DISA Impact Level 4 and FedRAMP High standards. This includes a high degree of physical security as well as increased access control measures (i.e. no standing access) and much more.
Reason 2 - Additional Licensing
Reason 2 is more of a fallacy than a reason. Oftentimes, organizations move to GCC High for security and compliance reasons - namely DFARS 7012, ITAR, and CMMC. These security and compliance goals also require additional products and features not included in less expensive license types. An Office 365 E1 license or Exchange Online Plan 1 will not meet the requirements of CMMC Level 3 or DFARS 7012/NIST 800-171, for example.
Therefore, part of the increased expense comes from the need for additional features found in the Enterprise Mobility + Security (EM+S) suite and Microsoft Defender for Office 365 licenses. (The Microsoft Defender suite has undergone a name change. Read more here.) More capability often means more cost. To meet the security and compliance requirements, you simply need more of the native Microsoft security products (or some other third-party tools you will need to integrate).
Reason 3 - Additional Compliance
To meet ITAR and other export-controlled data requirements, Microsoft has invested heavily to ensure all aspects of GCC High are US-based. All data residency is within the continental US, and all Microsoft personnel staffed for these data centers are US persons and pass rigorous background checks. Some of the expenses associated with standing up physically and logically segregated infrastructure (from other content in Microsoft's commercial Office 365 offerings) are likely associated with license costs.
Also, DFARS 7012 and other federal regulations require organizations to provide full reporting capabilities in the event of an incident or cyberattack/event. Microsoft supports this requirement in GCC High only. This liability and SLA come at an expense to any cloud provider.
CMMC also further establishes the need for cloud vendors to meet requirements similar to those of government contractors (GovCon) in contractual flowdown. Microsoft already meets requirements found in NIST 800-171 and 800-53 in how it handles customer data.
Microsoft has become the tip of the spear in providing cloud offerings to meet the needs of the DoD and its supply chain. As such, the company continues to put forth great efforts to defend US data and keep the Warfighter secure.
The reasons for the price difference mentioned above are not all-encompassing, but they are primary drivers. Be aware that if you are exploring SaaS or PaaS alternatives in the cloud space, you will need to assess the offering based upon the aforementioned capabilities or characteristics.
One last thing that has been commonly misinterpreted: when receiving your initial GCC High quote, the pricing will reflect annual payments, unlike the monthly model you may be familiar with in Commercial Office 365/Microsoft 365.