
CMMC Compliance Without the GCC High Price Tag: Know Your Options

By Matt Howard


    If you're part of the Defense Industrial Base (DIB) and working toward CMMC compliance, you've probably heard the same advice repeatedly: Migrate to Microsoft GCC High. While this FedRAMP-authorized cloud environment is certainly one path to compliance, it's not the only one—and for many organizations, it's prohibitively expensive.

    The good news? There's a smarter, more affordable alternative that lets you stay on Microsoft Office 365 commercial cloud while still achieving CMMC compliance. But to understand why this matters, we first need to understand how CMMC assessments work.

    The Tale of Two Scenarios: What Gets Assessed?

    When it comes to CMMC assessments, not all cloud architectures are created equal. The key difference lies in a critical question: Can your cloud provider decrypt your CUI (Controlled Unclassified Information)?

    Scenario A: Traditional Cloud (Provider CAN Decrypt)

    In a traditional cloud setup (think Box, Dropbox, or standard Microsoft Office 365) your cloud provider generates and holds the encryption keys. Encryption at rest does not change this: whoever holds the keys can decrypt the data, so the provider can read your files.

    Here's the problem: When your provider can access your CUI, both your systems and the cloud provider fall within the CMMC assessment boundary. This means:

    • Your customer systems must meet all 110 CMMC Level 2 requirements.
    • Your cloud provider must also meet all 110 requirements.
    • The provider must be either FedRAMP authorized or undergo their own CMMC assessment.
    • You're essentially responsible for ensuring your vendor's compliance.

    This is why many consultants push DIB organizations toward GCC High—it's a FedRAMP authorized environment that checks these boxes. But it comes at a steep cost, both in migration expenses and ongoing subscription fees.

    Scenario B: Zero-Knowledge Encryption (Provider CANNOT Decrypt)

    Now imagine a different architecture: One where you control the encryption keys, and your cloud provider stores only encrypted data they cannot access. This is the "zero-knowledge" model.

    In this scenario, something remarkable happens. Only your customer systems need to be assessed. The cloud provider may fall outside the CMMC assessment boundary entirely because:

    • Encryption happens on your devices before data ever touches the cloud
    • You control the encryption keys, not the provider
    • The solution uses FIPS 140-2 validated encryption
    • The provider stores only encrypted blobs they cannot decrypt
    • Keys remain separated from the encrypted data

    This is precisely how Virtru works—and it's a game-changer for CMMC compliance.

    How Virtru Enables CMMC Compliance on Microsoft 365 Commercial Cloud

    Virtru wraps each CUI file in a secure container using the Trusted Data Format (TDF), an open standard embraced by the DoD, Intelligence Community, and NATO. This container binds access controls directly to the data itself, then encrypts everything with FIPS 140-2 validated encryption.
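    The two properties described above, encryption on the customer's device with keys the provider never holds, and access controls bound to the data itself as in a TDF container, reduce to one cryptographic pattern: an AEAD whose key lives in a customer-held keystore and whose authenticated additional data is the access policy. The Go program below is an added illustration written for this page; it is not Virtru's code and not the TDF format, and the Keystore type, the key ID "dek-0001", the e-mail addresses and the sample CUI string are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"slices"
)

// Policy travels with the data in the clear but is bound to it as GCM additional data.
type Policy struct {
	Owner      string   `json:"owner"`
	Recipients []string `json:"recipients"`
}

// Container is all the cloud provider ever stores: an opaque blob with no key material.
type Container struct {
	KeyID                     string
	Policy, Nonce, Ciphertext []byte // Policy is JSON; the GCM tag covers it and Ciphertext
}

// Keystore stands in for the customer-held keystore (hypothetical); the provider never sees it.
type Keystore map[string][]byte

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a missing key is a nil slice, rejected here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the customer's device before the data touches any cloud.
func Seal(key []byte, keyID string, p Policy, plaintext []byte) (*Container, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	pol, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Container{keyID, pol, nonce, aead.Seal(nil, nonce, plaintext, pol)}, nil
}

// Open enforces the policy, fetches the key from the customer keystore, and fails
// closed if either the policy or the ciphertext was altered after sealing.
func Open(ks Keystore, c *Container, requester string) ([]byte, error) {
	var p Policy
	if err := json.Unmarshal(c.Policy, &p); err != nil {
		return nil, err
	}
	if !slices.Contains(p.Recipients, requester) {
		return nil, fmt.Errorf("policy: %s is not a recipient", requester)
	}
	aead, err := gcmFor(ks[c.KeyID])
	if err != nil {
		return nil, fmt.Errorf("keystore: %w", err)
	}
	pt, err := aead.Open(nil, c.Nonce, c.Ciphertext, c.Policy)
	if err != nil {
		return nil, fmt.Errorf("container integrity check failed: %w", err)
	}
	return pt, nil
}

// Demo walks the flow once and reports what each party could do with the stored blob.
func Demo() (recovered, providerDecrypts, tamperRejected bool, err error) {
	cui, key := []byte("constructed sample CUI: drawing rev 3"), make([]byte, 32) // constructed input, AES-256 DEK
	if _, err = rand.Read(key); err != nil {
		return
	}
	customer := Keystore{"dek-0001": key}
	c, err := Seal(key, "dek-0001", Policy{"alice@contractor.example", []string{"bob@contractor.example"}}, cui)
	if err != nil {
		return
	}
	_, perr := Open(Keystore{}, c, "bob@contractor.example") // the provider: has the blob, no keys
	providerDecrypts = perr == nil
	pt, err := Open(customer, c, "bob@contractor.example") // an authorized recipient
	if err != nil {
		return
	}
	recovered = string(pt) == string(cui)
	// Re-serializing the stored policy with an extra recipient breaks the tag: rejected although the policy now lists them.
	forged := *c
	forged.Policy, _ = json.Marshal(Policy{"alice@contractor.example", []string{"bob@contractor.example", "mallory@example.net"}})
	_, terr := Open(customer, &forged, "mallory@example.net")
	tamperRejected = terr != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

    Running it prints `true false true <nil>`: the recipient with the customer's key recovers the file, the party holding only the blob cannot, and a container whose policy was edited after sealing is refused even though the edited policy would grant access. Two caveats a practitioner should carry over: in production the per-file key would itself be wrapped by a key-encryption key held in an HSM or KMS rather than kept in a plain map, and "FIPS 140-2 validated" is a property of the cryptographic module your build links against, not of the calling code shown here.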

    Here's what happens when you share CUI using Virtru:

    For Email Attachments

    When you send a Virtru-protected file as an Outlook attachment, what looks like an attachment is actually a link to the file. The actual file is stored in Virtru's FedRAMP Moderate Authorized environment—not in Microsoft Commercial Cloud. Microsoft never has access to your unencrypted CUI.

    For Email Content

    Email body text is converted to ciphertext when protected by Virtru. Many organizations adopt a best practice of sharing CUI only as file attachments (not in email body text) to create a clear separation between Microsoft Commercial Cloud and CUI data.

    For File Sharing

    Files shared via Virtru Secure Share are hosted in Virtru's FedRAMP environment with full cryptographic controls. You maintain complete control over who can access the data, for how long, and under what conditions—even after it's been shared.

    The Bottom Line: Compliance Without Breaking the Bank

    Virtru supports 27 of the 110 CMMC Level 2 controls, covering a significant portion of the requirements around protection of and access control for CUI; the remaining controls still have to be met by your other security measures.

    Staying on Commercial Cloud: What You Need to Know

    Microsoft Office 365 Commercial Cloud is not the FedRAMP High, DoD-oriented environment that GCC High is, and it should never be used to store or share CUI unprotected. However, when CUI is properly contained within cryptographic controls, such as Virtru's TDF containers, that data remains adequately protected and inaccessible to Microsoft.

    This distinction is crucial. With Virtru, encrypted CUI is stored only in FedRAMP-authorized environments, and with the Virtru Private Keystore option, only you hold the keys; that is the configuration that realizes the zero-knowledge scenario described above.

    Preparing for Your C3PAO Assessment

    According to the Cyber AB's October 2025 Town Hall, there are just 83 accredited C3PAOs to assess a total of 200,000 to 300,000 defense organizations across the DIB. Some assessors may need additional clarification about how Virtru-encrypted CUI is protected when used with Microsoft Commercial Cloud.

    If your assessor has questions, Virtru is ready to provide:

    • Additional technical resources
    • Precedent from other successful assessments
    • Supplementary DFARS and DoD guidance
    • Direct engagement with your Customer Success Manager

    The Path Forward

    For hundreds of DIB organizations, Virtru has proven that CMMC compliance doesn't require abandoning your existing Microsoft 365 commercial cloud environment. By implementing zero-knowledge encryption that can keep your cloud provider out of the assessment boundary, you can achieve compliance at a fraction of the cost of migrating to GCC High.

    Ready to explore a more affordable path to CMMC compliance? Contact Virtru to learn how we can help you protect CUI, satisfy CMMC requirements, and stay on your current Microsoft 365 commercial cloud environment.

    Matt Howard

    A proven executive and entrepreneur with over 25 years' experience developing high-growth software companies, Matt serves as Virtru's CMO and leads all aspects of the company's go-to-market motion within the data protection and Zero Trust security ecosystems.
