Kiteworks
The confusion around CMMC 2.0 compliance has never been greater. In conversations with CISOs and IT directors across the defense industrial base, the same question comes up again and again: does the entire organization really need to move to GCC High?
To answer that, we first need to be clear about what that question actually means.
A quick clarification: Commercial, GCC, and GCC High
Most companies run on commercial Microsoft 365, the standard cloud environment with the fastest access to new collaboration and AI features. For U.S. government agencies and contractors handling controlled information, Microsoft offers the Government Community Cloud (GCC)—a restricted environment designed to meet federal compliance requirements such as FedRAMP Moderate.
GCC High is the most restrictive of these environments. The “High” doesn’t mean generically safer—it refers to FedRAMP High impact systems, environments designed for data whose compromise could cause severe or catastrophic harm. GCC High is built for Department of Defense and intelligence workloads, meets FedRAMP High requirements, enforces U.S.-only data residency and access, and imposes significant limits on external collaboration. It also comes with higher licensing costs and slower access to new features.
GCC High is powerful—but it was built for a very specific use case. And that’s where many organizations have gone wrong.

Frank Balonis, chief information security officer and senior VP of operations and support at Kiteworks
The total-migration mindset
When Microsoft built GCC High, they built it for organizations where nearly every employee handles controlled information daily. Think intelligence agencies. Think defense primes where classified and controlled data flows through every department.
That’s not most defense contractors.
The typical mid-sized company in the defense industrial base has engineers and program managers who work with CUI regularly, surrounded by a much larger workforce—HR, finance, marketing, facilities, administrative staff—who never touch controlled data in the normal course of their jobs.
Yet GCC High pushes organizations toward total migration. Everyone moves. Everyone pays the premium. Everyone lives with the limitations.
This approach made sense when GCC High was seen as the only defensible compliance option. It makes far less sense now.
What the industry got wrong about compliance boundaries
Somewhere along the way, compliance boundaries started being treated as organizational boundaries. If a company handles CUI, the thinking went, the entire company must operate inside a compliant cloud.
But that’s not what the regulations require.
CMMC doesn’t mandate wrapping an entire organization in a FedRAMP High boundary. It requires protecting CUI wherever it’s stored, processed, or transmitted. That distinction matters.
If the marketing team never touches CUI, they don’t need to operate in a controlled environment. They need to be prevented from accidentally accessing controlled data—a different problem with different solutions.
This is where the enclave model comes in: keep the general workforce on commercial tools while isolating sensitive data and workflows inside a purpose-built compliant environment.
That isn’t a compromise. It’s a more accurate interpretation of how the regulations are written and how data actually flows.
The hidden costs nobody talks about
When organizations evaluate GCC High, they tend to focus on licensing costs. The roughly 50% premium is real, but it’s often the smallest part of the problem.
The bigger costs show up later.
Migration projects balloon because SharePoint dependencies and line-of-business integrations were never fully mapped. Productivity drops as employees lose access to tools and features they rely on. IT teams spend months recreating workflows that worked fine in commercial Microsoft 365.
External collaboration becomes especially painful.
Defense contracting is inherently collaborative. Primes work with subs. Subs work with suppliers. Technical data, specifications, schedules, and reports move constantly between organizations.
GCC High treats this collaboration as an exception to be controlled rather than a workflow to be enabled. Tenant federation requirements introduce delays for basic file sharing. Partners on commercial Microsoft 365 often can’t connect at all.
When organizations deploy a security platform and immediately start looking for workarounds to share files, that’s a warning sign. The risk hasn’t been eliminated—it’s been pushed into shadow IT.
Feature lag becomes a talent problem
There’s another cost that rarely appears in compliance ROI models: hiring and retention.
The engineers and analysts defense contractors are trying to recruit have used modern collaboration tools. They know what current-generation features and AI assistants can do. When they join an organization and discover they’re working with permanently lagging software—because government cloud certification trails the commercial ecosystem—some percentage of them start planning their exit.
This isn’t hypothetical. Hiring managers across the defense industrial base report the same pattern. The sector already struggles to compete with commercial tech firms for talent. Outdated tooling only widens that gap.
A different way to think about compliance architecture
Consider a defense contractor with 500 to 2,000 employees, where perhaps 15–20% regularly handle CUI.
For an organization like this, total migration to GCC High often delivers the worst of both worlds: higher costs and reduced usability, without proportional risk reduction.
A more precise architecture keeps the general workforce on commercial Microsoft 365, with all its integrations and features intact. Sensitive workflows live in a dedicated secure environment—FedRAMP authorized and designed specifically for CUI handling. Employees who work with controlled data move it into that environment intentionally, collaborate with authorized partners, and maintain the audit trails compliance requires.
This model targets protection where it’s actually needed instead of applying it indiscriminately.
Weighing the real risks
Critics of the enclave approach often raise a valid concern: the risk of CUI leaking into the commercial environment.
That risk is real and must be managed through data loss prevention, access controls, training, and clear architectural guardrails.
But total migration carries its own risks—often larger ones. It creates incentives for workarounds when collaboration becomes too difficult. It increases configuration complexity across an entire organization, raising the likelihood of drift. And it encourages shadow IT when official tools can’t meet operational needs.
Every architecture involves tradeoffs. The question is which risks an organization is best positioned to manage.
Making the decision deliberately
CMMC deadlines are real, and compliance decisions matter. But “move everything to GCC High” shouldn’t be treated as the default answer. It’s one option among several, and it should be chosen intentionally, not reflexively.
For organizations where CUI is truly pervasive, external collaboration is limited, and budgets can absorb the cost without crowding out other security investments, GCC High may be appropriate.
For most of the defense industrial base, however, a more targeted approach deserves serious consideration: lower costs, better usability, functional collaboration, and compliance effort focused on what actually needs protection.
The safest choice isn’t always the smartest one. In security architecture, precision often beats blanket coverage.
That’s not cutting corners. That’s designing for reality.
https://www.kiteworks.com
About the author: Frank Balonis is the chief information security officer and senior VP of operations and support at Kiteworks, with more than 20 years of experience in IT support and services. Since joining Kiteworks in 2003, Frank has overseen technical support, customer success, corporate IT, security and compliance, and collaboration with product and engineering teams. He holds a Certified Information Systems Security Professional (CISSP) certification and served in the U.S. Navy. He can be reached at fbalonis@kiteworks.com.