The High Cost of Living on GCC High

By Megan Leader

    Do defense contractors really need Microsoft GCC High for CMMC or ITAR compliance? The answer is no: There are several other paths to compliance, including other Microsoft SKUs with added FedRAMP-authorized security tools like Virtru, as well as Google Workspace.

    Even Microsoft Commercial Cloud can be made CMMC-compliant when paired with proper cryptographic controls that protect CUI in accordance with DFARS requirements.

    At Virtru, we have dozens of customers in the defense industrial base who have evaluated Microsoft GCC High for CMMC and ITAR — many of whom found it both cost-prohibitive and resource-intensive to procure, configure, and deploy. 

    Now that the CMMC final rule is approved for DoD contracts, many organizations are sprinting to the finish line to demonstrate compliance. While an upgrade to Microsoft GCC High is a straightforward option for some, there are many other organizations that have chosen GCC High alternatives. Here’s why. 

    GCC High Procurement Can Be Slow 

    Time is money, and this is especially true when you’re on a deadline. The defense industrial base is facing multiple hard deadlines: CMMC comes into effect for DoD contracts starting November 10, 2025, and each contract opportunity also comes with its own RFP deadline. 

    Not being CMMC or ITAR compliant can put your future contracts in jeopardy. If you are not yet CMMC compliant, you don’t have any time to lose, and unfortunately, the work and time to get set up on Microsoft GCC High could be a make-or-break issue. Slow procurement processes, along with the cost and resources needed to maintain a GCC High tenant, led SHE BASH to pursue Google Client-Side Encryption with Virtru Private Keystore for their organization, as they share in the video below. 


    “The contracting portion on the Microsoft side was somewhat arduous from a business standpoint,” said Bunny Banowsky, CEO of SHE BASH. When working with the government, “the timing aligning is very, very important — as well as the cost,” she said. “We're a really small shop, and so every literal dollar, every cent, counts. So, we're always looking for cost optimization opportunities.” 

    This leads us to the next significant hurdle for defense contractors. 

    GCC High is Expensive. 

    This is probably obvious to anyone reading this, but GCC High is an expensive SKU: Defense contractors are up against steep price increases when they upgrade to GCC High.  Many Microsoft-friendly consultants push GCC High as the only path to compliance, but this single-solution approach can be prohibitively expensive for smaller DIB organizations.

    Here’s some of the feedback we have heard directly from our CMMC and ITAR customers. (Note that licensing costs can vary across organizations for a variety of reasons, and each customer’s experience is unique.) 

    For one customer, migrating from Microsoft 365 to GCC High would be “five times the cost.”

    For one defense contractor focused on CMMC and ITAR compliance, migrating their environment to GCC High would have been a Herculean effort. 

    “We have to be compliant for CMMC with the government,” he said. “Virtru is the tool we have, so we can continue to be on the environment that we're on, without having to go to the GCC High environment for the government — because that's five times the cost. And it's not something we can afford to do. We're at that size where we're big enough that we have a lot of contracts with [the DoD], but we're too big to go to GCC High as an organization. Our costs would go from $70,000 per year today for MS365, to $360,000 for GCC High.”

    This customer is not alone — there are several others who have chosen to layer Virtru FedRAMP-authorized encryption onto Microsoft Commercial or Government Cloud, or Azure for a more nimble, cost-effective solution for sharing CUI (controlled unclassified information) externally via end-to-end encrypted emails and files. 

    One large, global engineering firm saved over $1 million using Virtru and Microsoft Commercial Cloud instead of GCC High. Not only did this save them a considerable amount of money, but it also allowed them to leverage the collaborative benefits of the cloud and ultimately shut down their last on-prem server.

    Limited functionality means “paying twice as much for half the value.” 

    For another CMMC customer, migrating from their current Microsoft Government Cloud plan to GCC High would incur significant labor and deployment resources, plus a 40-50% uplift in annual licensing costs. “All in, you're talking between $500,000 to $750,000” for 2,500 users, he said. “In other words, the price doubles.”

    But that doesn’t include the opportunity cost: “Now, the other side of that is the value decreases, right? So you pay more for less,” he said. “If you go to GCC High, your team's capabilities are deprecated. You lose all the AI benefits, you lose a lot of different things, right? So, I'm paying twice as much for half as much value.”

    GCC High Is Designed (and Priced) for Larger Enterprises 

    For small and midsize defense contractors, the cost of GCC High can be prohibitively expensive, especially for startups with lean teams. In one customer’s experience, Microsoft’s enterprise packages started at 500 users, but they only had 150 employees.

    “I've explored the whole GCC High thing with Microsoft and looked at it, but, you know, we're only like 150 people at this location,” he said. “So, the problem is, the enterprise agreement with Microsoft requires a minimum of 500 licenses to get an Office 365 tenant for GCC High. I can't use just regular, everyday Microsoft licenses that you would buy, and then [upgrade] those licenses to GCC High. They require 500 licenses, and then you can add it on. So, by the time you're done, it's exponentially more expensive at that point.”

    Microsoft GCC High Alternatives for CMMC and ITAR

    So, given these hurdles, what are defense contractors doing to enable CMMC and ITAR compliance without GCC High? 

    Microsoft 365 Government Cloud and Virtru  

    As mentioned above, many organizations choose to continue on Microsoft’s more economical packages (such as Microsoft 365 Government Cloud - different than GCC High) and layer in additional security solutions to protect CUI, such as Virtru.

    Even organizations using Microsoft Commercial Cloud can achieve CMMC compliance with Virtru, as Virtru wraps each data object containing CUI in the Trusted Data Format (TDF) - an open standard embraced by the DoD, IC, and NATO - with FIPS 140-2 validated encryption. Files shared via Virtru are actually shared as secure links to files hosted in Virtru's FedRAMP Moderate Authorized environment, not stored in Microsoft Commercial Cloud itself.

    Virtru allows you to host your own encryption keys with the Virtru Private Keystore, and its client-side encryption for Microsoft Outlook ensures CUI remains protected with end-to-end encryption and granular access control wherever it’s shared. 

    “My approach to this is… to deploy a product that I can layer on top of what I already have today,” said one customer. “My savings is the cost of going to GCC High...I might spend a little bit more to have Virtru, but not a lot more to have Virtru. But I save the deployment costs… it's a kind of a chess game, right?”

    For optimal CUI protection and to align with CMMC best practices, many organizations require users to share CUI only as file attachments rather than in email body text. This ensures a clear layer of separation between Microsoft Commercial Cloud and CUI, as email body text is converted to ciphertext when protected by Virtru, while files are shared as links to Virtru's FedRAMP environment.

    Google Workspace and Virtru 

    Many organizations have chosen Google Workspace as their platform of choice, because Google Workspace is CMMC-ready with the addition of Assured Controls Plus. When CUI needs to be shared with partners or government customers, Virtru adds a seamless layer of security within Google Workspace (both Gmail and Google Drive) for fully encrypted data sharing, and Virtru Private Keystore supports Google CSE.

     “As opposed to the Microsoft side, Google has built itself out its fabric platform, assured workload, the whole kit and caboodle, in a scalable way that ends up really driving down the bottom line to be more cost efficient, which is always — at least for us — a factor that we take into consideration when making the business decision based on tech factors.”

    “Working with the Virtru team for the Virtru Private Keystore and CSE deployments was fantastic,” said the CTO of the same company. “By the nature of what we do for the government on our contracts, we have high competencies in Kubernetes application maintenance. So the fact that Virtru can deploy directly into Kubernetes, you have the engineering resources to answer questions, and you have the deployment materials ready for us to simply just deploy it into Kubernetes, made it extremely easy to get up and running. I would say that the migration from the Virtru hosted keys that we had for a while, cutting that over to our self-hosted key store was seamless, and you guys were highly responsive. We were able to get that really deployed, tested, and into production within days.”

    The Outcome: Redirect Your Time and Budget to Other Priorities

    In addition to the measurable cost of implementing GCC High, you also have to consider the opportunity cost — what could you do with those resources if they were allocated differently? How might your teams collaborate more quickly and effectively with the right set of tools in place? 

    “As a small shop, we have to operate lean — not only in terms of cost savings where we can find it, but as well as saving our time wherever we can, because that is what we can't make more of,” said one defense contractor. “So, the fact that Virtru streamlines a part of work, and now that part of work is no longer consuming the time of, for example, our CTO, he can spend that time doing much more high-value things… So, not only does it reduce overhead, but it actually accelerates our business growth.” 

    Another feature of Virtru that resonates well with CMMC and ITAR customers is its ease of use for the recipient: Unlike other CMMC encryption solutions like PreVeil, Virtru does not require recipients to create a new username or password to access the data that’s been shared with them.  

     

    Ready to see how Virtru can support your organization’s CMMC compliance as an alternative to Microsoft GCC High? Contact our team to get started.

    GCC High FAQs

    Do you need GCC High for CMMC compliance? 

    No. Many defense contractors choose alternate routes, including other Microsoft SKUs with layered security tools (such as Virtru) or Google Workspace with Assured Controls Plus.

    Microsoft Commercial Cloud can be made CMMC-compliant when CUI is properly protected with cryptographic controls in accordance with DFARS requirements, such as those provided by Virtru's FedRAMP Authorized solution.

    Can you meet CMMC compliance with Google Workspace?

    Yes. Several Virtru customers use Google Workspace CSE and Assured Controls Plus to protect CUI in Gmail and Google Drive. Virtru Private Keystore enables you to host your own encryption keys, and it also enables you to apply label-based access controls in Google Drive. You can create a label for CUI and govern access permissions to that content based on your own organizational parameters.

    How does Virtru help meet CMMC? 

    Virtru is FedRAMP authorized and FIPS 140-2 validated. It supports 27 of the 110 CMMC Level 2 controls aligned with NIST SP 800-171, as outlined in the Virtru CMMC Shared Responsibility Matrix. This spans several domains, including access control; audit and accountability; identification and authentication; media protection; and systems and communication protection. Virtru's cryptographic controls and secure storage location make Virtru-protected file sharing compliant with DFARS 7012 requirements, providing defense contractors an affordable alternative to migrating to Microsoft's FedRAMP authorized GCC High cloud service.

    How much does Virtru cost? 

    You can view Virtru’s packages on our pricing page. CMMC/ITAR packages start at $399/month for 5 users (billed annually), and you can customize packages depending on your organization’s needs.  

    Does Virtru work with Microsoft and Google?

    Yes, Virtru is platform-agnostic and supports both Microsoft and Google ecosystems, both for users and recipients. Virtru can work with Microsoft Commercial Cloud, Government Cloud, and Google Workspace to provide CMMC-compliant CUI protection through its FedRAMP Moderate Authorized environment and FIPS 140-2 validated encryption. Regardless of your environment, Virtru integrates smoothly with your email client and recipients are not required to create new accounts or passwords. 

    Megan Leader

    Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.
