How to get Microsoft Validation for GCC High
Your move from Microsoft 365 Commercial to GCC High starts with the validation process, a fairly straightforward three-step process.
- Requesting Validation – Contact Microsoft to request validation as a Category 3 entity
- Providing Documentation – Provide a signed contract or sponsor letter to prove eligibility
- Licensing GCC High – Work with an AOS-G Partner like Agile IT to submit a GCC High licensing request
Although it may seem a simple process, we have had to step in to help many of our clients navigate the finer nuances of validation. Below is more in-depth guidance to help you navigate getting validated by Microsoft as a Category 3 entity.
Who Can Qualify for GCC High?
Prior to January 5, 2020, defense contractors wanting a GCC High environment had to provide a signed contract calling out one of the applicable controlled data types (see below) or provide a signed sponsorship letter from an existing Category 3 entity. This created a Catch-22 where new contractors expecting CUI requirements in upcoming contracts were unable to easily get validated. With the new DFARS rules initiating CMMC going into effect on November 30th and requiring that self-assessments be entered into the DOD’s Supplier Performance Risk System in order to be considered for new contracts, Microsoft has changed the way they validate and grant access to GCC High and Azure Government, making the process more inclusive.
The GCC High Validation Process
If you think you need GCC High, start the validation process right now. It is not a long process, but the 3-7 business days can seem like forever if it is done wrong, and it stalls your efforts to meet compliance requirements. When applying for GCC High, it is important that you receive validation as a Category 3 entity. Category 2 entities are only allowed into Azure Government, not GCC High.
Begin by filling out the general validation form here: https://azuregov.microsoft.com/general
Unless you are a government organization, make sure you select “My Organization is: Customers handling government-controlled data”. You may think you are a solution provider, but that only applies to non-government solutions providers such as CSPs. Trust us, your validation will be declined if you select solution provider and you will have to start the entire process over from scratch.
Documentation Needed for GCC High Validation
Depending on the team's workload, within a few hours or days of submitting for validation you will get an email from the Microsoft US Government Cloud Eligibility Team requesting one of the following pieces of documentation:
- A signed contract (ink or certified electronic) indicating the regulated data requirement as part of the delivery (direct or indirect). Please note, the data owner entity name must be visible.
- A sponsor letter specifying the regulated data requirements and the duration of the requirement, which has been signed within the last 12 months. This must be from a valid US Government entity or previously approved Category 3 entity holding the same data type, on the sponsor entity letterhead, signed by the sponsor (ink or certified electronic), and specify the controlled data type (CUI, ITAR, CJIS, UCNI, etc.).
- A valid CAGE Code or SAM registration with DUNS. Your SAM registration MUST be for “All Awards”; you will not receive validation if the purpose is only for Federal Assistance Awards.
Types of Controlled Information Acceptable for Microsoft GCC High Validation
- ITAR: International Traffic in Arms Regulations
- CUI: Controlled Unclassified Information (including all of the CUI sub-categories)
- DoD UCNI: Dept of Defense Unclassified Controlled Nuclear Information
- DoE UCNI: Dept of Energy Unclassified Controlled Nuclear Information
- CJI / CJIS: Criminal Justice Information
- DoD IL: Dept of Defense, Impact Level
- NERC: North American Electric Reliability Corporation
- CDI: Covered Defense Information
- IRS 1075 Information – Safeguards for Protecting Federal Tax Returns and Return Information
At this time, they will also request any additional clarifications, such as phone number or address issues.
Important Considerations When Applying for GCC High Validation:
- The contract you submit must include the controlled data type you will be handling. Once RFIs and RFPs start including CMMC level requirements, these will also be accepted.
- If your government contracts are managed through a subsidiary, you MUST apply using the business name that manages the contracts. You cannot gain GCC High validation unless your company name is on the contracts you submit to the eligibility team.
- If you are a multi-national organization, YOU MUST use a US address when applying.
- DO NOT apply for an Azure Government Trial unless you really need it. If you already have an Azure Government tenant, be sure to inform your Microsoft AOS-G partner as early as possible. GCC High uses Azure Gov for hosting your Azure Active Directory, and if you have an existing Azure Gov tenant, this must be declared during licensing to ensure that your tenants are connected. Failure to do so can add unnecessary complexity to your implementation.
What GCC High Validation Looks Like:
Previously, ONLY Category 1 and Category 3 entities were able to purchase GCC High. This changed on January 5th, 2021, and now ALL categories are able to purchase GCC, GCC High and Azure Gov.
Within a few days of submitting your documentation, you will get confirmation from Microsoft either requesting different documentation or letting you know you have been validated.
Thank you for providing the needed documentation. Please find your approval below.
Your Company has been found eligible for Microsoft Azure, O365 GCC/GCC High, and CRM Government services as a Category 3 entity. Please work with your Microsoft Account Teams or chosen resale partner.
Additional product and purchasing information can be found here:
Microsoft 365 Government How to Buy
We look forward to working with you as you use the most trusted and compliant cloud for U.S. government workloads.
GCC High Sponsorship Letter
Big thanks to the Microsoft US Government Cloud Eligibility team for providing this sample sponsor letter. Note that if you are using the sponsor letter to apply for Category 3 Validation, the letter must come from a recognized federal agency or an organization that is already validated as a Category 3 entity. If you have multiple contractors, we suggest going for the largest one available; Raytheon is going to be much easier to clear than John’s House of Aerospace Washers.
Sample Sponsorship Letter
To Whom It May Concern:
I am writing this letter at the request of <Company Name>, who is applying to access Microsoft’s Government Cloud. <Company Name> has been involved with my agency for <x amount of time> and regularly processes, handles and controls US Government Controlled data. This data is bound to US Government Regulation <Name Regulation, Example ITAR, CUI, UCNI, etc.>
Please accept this letter as formal notification that <Agency> understands your commitment to upholding a valid government community and <Company> should be allowed into this community based upon their work with our agency and the data in which they are required to process and maintain.
Help with GCC High Validation
If you need help getting validated as a Category 3 entity, we can help. As one of the top Microsoft AOS-G partners, we not only have the experience to help guide you through the process, we also have the relationships at Microsoft to help remove roadblocks and clarify issues. For more information, contact us!