GCC High Before CMMC Phase 2 (Nov 2026)
CMMC Phase 2 enforcement begins November 10, 2026 — when DoD solicitations require third-party C3PAO Level 2 certification at award, not self-attestation.
If your company is a defense contractor handling Controlled Unclassified Information (CUI), the deadline that matters is November 10, 2026 — when CMMC Phase 2 enforcement begins. After that date, contracts that require CMMC Level 2 or higher will require a documented assessment, not a self-attestation. Companies that aren't ready won't bid. Companies that bid without certification won't win.
This post is for defense contractors who haven't started GCC High migration yet — or who started and stalled. The realistic timeline for an unprepared 100–500-user organization is 6–12 months. That puts the start-by date at May–November 2026. We're at the start of that window now, and it closes fast.
What GCC High actually is
GCC High is Microsoft's purpose-built Microsoft 365 environment for organizations handling CUI, ITAR data, and DoD contracts that require US-sovereign cloud infrastructure. The technical underpinnings:
- Hosted in physically separated US-only datacenters
- Operated by US-citizen personnel only
- Background-screened operators per DoD requirements
- FedRAMP High, DoD IL2/IL4/IL5 authorized
- Aligned to NIST 800-171 and NIST 800-172 controls
- FIPS 140-2 validated cryptography end-to-end
From a user-experience perspective, GCC High looks like Microsoft 365. From a compliance perspective, it's a fundamentally different tenant — separate licensing, separate authentication, separate datacenter footprint, and no automatic interop with commercial M365.
Why CMMC Phase 2 changes the calculus
CMMC (Cybersecurity Maturity Model Certification) is the DoD's framework for validating that defense-industrial-base contractors are actually implementing the cybersecurity controls they've been claiming to implement under DFARS 252.204-7012. The three levels:
| Level | Practices | Assessment |
|---|---|---|
| Level 1 (Foundational) | 15 practices | Annual self-assessment |
| Level 2 (Advanced) | 110 practices (NIST 800-171 r2) | Triennial third-party assessment by a C3PAO |
| Level 3 (Expert) | NIST 800-172 — defense-priority requirements | Triennial government assessment |
Why GCC High is the typical answer
Technically, you can implement CMMC L2 in commercial Microsoft 365 with the right configurations — Conditional Access, sensitivity labels, Purview, Defender, etc. In practice, GCC High simplifies the compliance story enormously because:
- The shared-responsibility model is clearer (Microsoft handles the FedRAMP-High infrastructure piece)
- Documentation and audit packages are pre-built for CUI handling
- The "where does the data live" question has a single, defensible answer
- FIPS-validated cryptography is the default rather than something you have to enable per-component
For organizations that are pure DoD contractors, GCC High is almost always the right path. For organizations that have a mix of DoD and commercial work, the calculus is harder — running both tenants is operationally expensive but sometimes the right answer.
Realistic timelines
The numbers we see in the field, by organization size:
| Org size | Realistic timeline | Emergency timeline (3x cost) |
|---|---|---|
| 50–100 users | 4–6 months | 2 months |
| 100–500 users | 6–9 months | 3 months |
| 500–1,000 users | 9–12 months | 4–6 months |
| 1,000+ users | 12–18 months | Not realistic |
These timelines assume you start with at least a partial commercial M365 baseline. Greenfield environments take longer. Heavily customized commercial environments — especially with deeply integrated Power Platform or third-party apps — take longer because every integration has to be evaluated for GCC High availability.
What's actually in scope
Tenant provisioning
The GCC High licensing flow is more involved than commercial. Eligibility validation, sponsorship, and contract paperwork add 30–60 days before you can even start technical work.
Identity migration
Users, groups, and devices migrated from commercial Entra ID to GCC High Entra ID. This is not an in-place upgrade — it's a parallel build with a coordinated cutover. Plan for hybrid identity coexistence during the migration.
Email and collaboration migration
Mailboxes, OneDrive content, SharePoint sites, Teams chats and channels — all migrated from commercial to GCC High. The migration tooling differs from what is used for commercial-to-commercial migrations; expect tooling costs.
Endpoint baseline
Intune-managed devices configured to the GCC High security baseline. FIPS-validated cryptography enforced. Defender for Endpoint connected to the GCC High Defender tenant.
Application portfolio review
Every line-of-business app, every integration, every Power Platform flow — evaluated for GCC High availability and re-architected if necessary. This is where most projects find either their critical path or their rabbit hole.
Documentation package
System Security Plan (SSP) mapped to NIST 800-171 controls. Plan of Action & Milestones (POA&M) for residual gaps. Network and data flow diagrams for the assessor. This is the deliverable the C3PAO actually reviews — it's not optional, and it can't be done at the last minute.
Common mistakes
Treating GCC High as a "commercial M365 with extra steps"
It's not. The licensing, the eligibility verification, the operational tooling, and the third-party app ecosystem are all different. Plan for it as a separate platform.
Underestimating the application portfolio
The painful surprises in GCC High projects are almost always third-party apps. Some don't have GCC High versions at all. Some have GCC High versions with feature gaps. Some have GCC High versions but the contract negotiation takes months. Inventory this early.
Skipping the SSP work
The technical migration is only half the project. The other half is the documentation package the C3PAO actually reviews. Companies that focus 100% on the technical migration and try to write the SSP at the end consistently fail their first assessment. Build the documentation as you go.
Waiting for "more guidance"
The CMMC rule has been telegraphed for years. The Phase 2 enforcement date is set. Waiting for more guidance is waiting for the deadline to pass. The companies that win contracts after Nov 10, 2026 are the ones that started the work in 2024 and 2025. The companies starting now still have a path; the companies starting in 2027 don't.
What GCC High costs in 2026
Two cost lines matter, and they don't always get separated cleanly in vendor pitches:
- Implementation (one-time, senior-led): $50K–$75K for a 50–100 user environment, $75K–$150K for 100–500 users, $150K–$250K for 500–1,000 users. Includes tenant provisioning, identity migration, content migration, baseline configuration, SSP and POA&M deliverables. Emergency timelines run roughly 3x.
- Ongoing licensing (recurring): GCC High M365 plans typically run 40–70% higher than the commercial M365 equivalent. For a 100-user organization on M365 E5 GCC High, plan for roughly $40K–$50K/year more in Microsoft licensing than the commercial equivalent.
These numbers come from real engagements we've scoped in 2025–2026. They're not vendor list prices — they're what actually lands in the Statement of Work. Anyone quoting "$25K turnkey GCC High in 30 days" is selling a tenant activation, not a CMMC-ready migration.
What we recommend doing this month
- Confirm CUI scope. Which contracts require CMMC L2 vs L3? Which data is in-scope CUI vs out-of-scope? Most organizations have over-scoped or under-scoped this. Get clarity from contracting officers.
- Do the GCC High eligibility paperwork. 30–60 day path. Start it now, in parallel with technical work.
- Application portfolio inventory. Every LOB app, every integration. Categorize: GCC-available, GCC-available-with-gap, GCC-unavailable. Plan accordingly.
- Engage scope. Whether in-house or with a consultancy, get a written scope with fixed-fee milestones tied to the SSP and POA&M deliverables. The CMMC project is judged on the documentation as much as the tenant configuration.
Related reading
- For the fixed-fee CMMC Level 2 pre-assessment scoping, see CMMC L2 pre-assessment: what $15K buys you.
- If you're also dealing with the Exchange Server EOL deadline, see Exchange Server 2019 EOL: your real migration deadline and the SE CU2 coexistence deadline.
- For Copilot readiness inside GCC High specifically, the Copilot readiness post applies — the permission and labeling work is the same.
- Service detail: GCC High Migration & CMMC Level 2 Readiness
Sources and further reading
- DoD CIO — Cybersecurity Maturity Model Certification
- NIST SP 800-171 r2 — Protecting CUI
- NIST SP 800-172 — Enhanced security requirements
- Microsoft — Microsoft 365 government environments overview
The 30-second version
CMMC Phase 2 enforcement starts November 10, 2026. Defense contractors handling CUI need to be on GCC High with documented controls before then. Realistic timeline is 6–12 months for a 100–500-user organization. The contracts written after Nov 2026 will gate on CMMC certification — companies that aren't ready won't bid.
To scope your migration, the project intake form takes about three minutes. Two-business-day response with scope, timeline, and a fixed-fee range.
Pro IT NW handles GCC High migration and CMMC L1 / L2 / L3 readiness. Vendor-neutral, labor-only. We don't resell GCC High licensing — we configure the tenant and document the controls.
Written by the team at Pro IT NW · Senior-led Microsoft project consultancy · Seattle / USA-wide.