Forum Discussion

M_Titcombe
Copper Contributor
Aug 24, 2020
Solved

GCC High Costs

Costs for GCC High O365 licenses are roughly double commercial.  What is Microsoft doing to lower these costs?  They are crippling small businesses that need to comply with CMMC & DFARS compliance requirements.

  • M_Titcombe Howdy! Thank you for your interest in GCC High. GCC High was purpose built to meet the specific needs of customers who have strict requirements for US export control and desire a contractual commitment from their CSP for the same. Microsoft only offers a contractual commitment to ITAR in O365 GCC High & Azure Government. US Does your customer have such a requirement? If no, then they may be able to use GCC or perhaps even Commercial services (depending on requirements). If they do have an ITAR requirement but don't need a contractual commitment from their CSP, then there may be multiple ways to satisfy the requirement outside of GCC High. They may be able to use compensating controls and manage their risk. Here are a few examples of compensating controls:

    - segregate the export controlled data and maintain it on-premises

    - create a "data enclave" to house export control data in GCC High or Azure Government

    - use client-side end-2-end encryption like AIP HYOK and/or S/MIME

     

    This said, there may be significant cost (financial, utility or performance) to using compensating controls so please weigh them accordingly. 

     

    I hope this helps! Please feel free to reach out to me privately for any clarifications 🙂

    • Anupam_K_Gupta
      Microsoft

      Paul Meacham - I would also add that pros and cons to compensating controls should be weighed in addition to cost.  

      With compensating controls, administration complexity and security practice complexity also increase.  In addition to complexity in design and management, you may be losing cloud service capabilities.  
