Pro IT NW


GCC High Before CMMC Phase 2 (Nov 2026)

CMMC Phase 2 enforcement begins November 10, 2026 — when DoD solicitations require third-party C3PAO Level 2 certification at award, not self-attestation.

If your company is a defense contractor handling Controlled Unclassified Information (CUI), the deadline that matters is November 10, 2026 — when CMMC Phase 2 enforcement begins. After that date, contracts that require CMMC Level 2 or higher will require a documented assessment, not a self-attestation. Companies that aren't ready won't bid. Companies that bid without certification won't win.

This post is for defense contractors who haven't started GCC High migration yet — or who started and stalled. The realistic timeline for an unprepared 100–500-user organization is 6–12 months. That puts the start-by date at May–November 2026. We're at the start of that window now, and it closes fast.

What GCC High actually is

GCC High is Microsoft's purpose-built Microsoft 365 environment for organizations handling CUI, ITAR data, and DoD contracts that require US-sovereign cloud infrastructure. The technical underpinnings:

  • Hosted in physically separated US-only datacenters
  • Operated by US-citizen personnel only
  • Background-screened operators per DoD requirements
  • FedRAMP High, DoD IL2/IL4/IL5 authorized
  • Aligned to NIST 800-171 and NIST 800-172 controls
  • FIPS 140-2 validated cryptography end-to-end

From a user-experience perspective, GCC High looks like Microsoft 365. From a compliance perspective, it's a fundamentally different tenant — separate licensing, separate authentication, separate datacenter footprint, and no automatic interop with commercial M365.

Why CMMC Phase 2 changes the calculus

CMMC (Cybersecurity Maturity Model Certification) is the DoD's framework for validating that defense-industrial-base contractors are actually implementing the cybersecurity controls they've been claiming to implement under DFARS 252.204-7012. The three levels:

| Level | Practices | Assessment |
|---|---|---|
| Level 1 (Foundational) | 15 practices | Annual self-assessment |
| Level 2 (Advanced) | 110 practices (NIST 800-171 r2) | Triennial third-party assessment by a C3PAO |
| Level 3 (Expert) | NIST 800-172 — defense-priority requirements | Triennial government assessment |

What "Phase 2" means: the rule is rolled out in phases. Phase 1 (currently) requires self-assessment. Phase 2 (begins Nov 10, 2026) requires actual third-party C3PAO assessment for L2 and government assessment for L3. Contracts written after Phase 2 starts will include CMMC requirements as a hard award gate.

Why GCC High is the typical answer

Technically, you can implement CMMC L2 in commercial Microsoft 365 with the right configurations — Conditional Access, sensitivity labels, Purview, Defender, etc. In practice, GCC High simplifies the compliance story enormously because:

  1. The shared-responsibility model is clearer (Microsoft handles the FedRAMP-High infrastructure piece)
  2. Documentation and audit packages are pre-built for CUI handling
  3. The "where does the data live" question has a single, defensible answer
  4. FIPS-validated cryptography is the default rather than something you have to enable per-component

For organizations that are pure DoD contractors, GCC High is almost always the right path. For organizations that have a mix of DoD and commercial work, the calculus is harder — running both tenants is operationally expensive but sometimes the right answer.

Realistic timelines

The numbers we see in the field, by organization size:

| Org size | Realistic timeline | Emergency timeline (3x cost) |
|---|---|---|
| 50–100 users | 4–6 months | 2 months |
| 100–500 users | 6–9 months | 3 months |
| 500–1,000 users | 9–12 months | 4–6 months |
| 1,000+ users | 12–18 months | Not realistic |

These timelines assume you start with at least a partial commercial M365 baseline. Greenfield environments take longer. Heavily customized commercial environments — especially with deeply integrated Power Platform or third-party apps — take longer because every integration has to be evaluated for GCC High availability.

What's actually in scope

Tenant provisioning

The GCC High licensing flow is more involved than commercial. Eligibility validation, sponsorship, and contract paperwork add 30–60 days before you can even start technical work.

Identity migration

Users, groups, and devices migrated from commercial Entra ID to GCC High Entra ID. This is not an in-place upgrade — it's a parallel build with a coordinated cutover. Plan for hybrid identity coexistence during the migration.

Email and collaboration migration

Mailboxes, OneDrive content, SharePoint sites, Teams chats and channels are all migrated from commercial to GCC High. The migration tooling differs from what is used for commercial-to-commercial migrations; expect tooling costs.

Endpoint baseline

Intune-managed devices configured to GCC High security baseline. FIPS-validated cryptography enforced. Defender for Endpoint connected to the GCC High Defender tenant.

Application portfolio review

Every line-of-business app, every integration, every Power Platform flow has to be evaluated for GCC High availability and re-architected if necessary. This is where most projects find either their critical path or their rabbit hole.

Documentation package

System Security Plan (SSP) mapped to NIST 800-171 controls. Plan of Action & Milestones (POA&M) for residual gaps. Network and data flow diagrams for the assessor. This is the deliverable the C3PAO actually reviews — it's not optional, and it can't be done at the last minute.

Common mistakes

Treating GCC High as a "commercial M365 with extra steps"

It's not. The licensing, the eligibility verification, the operational tooling, the third-party app ecosystem are all different. Plan for it as a separate platform.

Underestimating the application portfolio

The painful surprises in GCC High projects are almost always third-party apps. Some don't have GCC High versions at all. Some have GCC High versions with feature gaps. Some have GCC High versions but the contract negotiation takes months. Inventory this early.

Skipping the SSP work

The technical migration is only half the project. The other half is the documentation package the C3PAO actually reviews. Companies that focus 100% on the technical migration and try to write the SSP at the end consistently fail their first assessment. Build the documentation as you go.

Waiting for "more guidance"

The CMMC rule has been telegraphed for years. The Phase 2 enforcement date is set. Waiting for more guidance is waiting for the deadline to pass. The companies that win contracts after Nov 10, 2026 are the ones that started the work in 2024 and 2025. The companies starting now still have a path; the companies starting in 2027 don't.

What GCC High costs in 2026

Two cost lines matter, and they don't always get separated cleanly in vendor pitches:

  • Implementation (one-time, senior-led): $50K–$75K for a 50–100 user environment, $75K–$150K for 100–500 users, $150K–$250K for 500–1,000 users. Includes tenant provisioning, identity migration, content migration, baseline configuration, SSP and POA&M deliverables. Emergency timelines run roughly 3x.
  • Ongoing licensing (recurring): GCC High M365 plans typically run 40–70% higher than the commercial M365 equivalent. For a 100-user organization on M365 E5 GCC High, plan for roughly $40K–$50K/year more in Microsoft licensing than the commercial equivalent.

These numbers come from real engagements we've scoped in 2025–2026. They're not vendor list prices — they're what actually lands in the Statement of Work. Anyone quoting "$25K turnkey GCC High in 30 days" is selling a tenant activation, not a CMMC-ready migration.

What we recommend doing this month

  1. Confirm CUI scope. Which contracts require CMMC L2 vs L3? Which data is in-scope CUI vs out-of-scope? Most organizations have over-scoped or under-scoped this. Get clarity from contracting officers.
  2. Do the GCC High eligibility paperwork. 30–60 day path. Start it now, in parallel with technical work.
  3. Application portfolio inventory. Every LOB app, every integration. Categorize: GCC-available, GCC-available-with-gap, GCC-unavailable. Plan accordingly.
  4. Engage scope. Whether in-house or with a consultancy, get a written scope with fixed-fee milestones tied to the SSP and POA&M deliverables. The CMMC project is judged on the documentation as much as the tenant configuration.

The 30-second version

CMMC Phase 2 enforcement starts November 10, 2026. Defense contractors handling CUI need to be on GCC High with documented controls before then. Realistic timeline is 6–12 months for a 100–500-user organization. The contracts written after Nov 2026 will gate on CMMC certification — companies that aren't ready won't bid.

To scope your migration, the project intake form takes about three minutes. Two-business-day response with scope, timeline, and a fixed-fee range.


Pro IT NW handles GCC High migration and CMMC L1 / L2 / L3 readiness. Vendor-neutral, labor-only. We don't resell GCC High licensing — we configure the tenant and document the controls.

Written by the team at Pro IT NW · Senior-led Microsoft project consultancy · Seattle / USA-wide.
