CUI Compliant
0 NIST 800-171 gaps detected. FedRAMP authorized at High impact level. Approved for CUI handling in DoD environments.
SharePoint GCC High
by Microsoft
FedRAMP Status: FedRAMP Authorized
Impact Level: High
Category: File Sharing
Authorized: March 20, 2018 | Sponsor: Department of Defense
Overview
SharePoint GCC High provides document management, file sharing, and intranet capabilities on dedicated government infrastructure. It is FedRAMP High authorized and supports CUI and ITAR file sharing.
CUI Risk Assessment
FedRAMP authorized at High impact level. Approved for CUI handling in DoD environments.
Using SharePoint GCC High in a Defense Contractor Environment
SharePoint GCC High operates on Microsoft's dedicated government cloud infrastructure and is specifically designed for defense contractors handling CUI categories including technical data packages (TDP), ITAR-controlled technical drawings, proprietary manufacturing processes, financial performance data, and DoD personnel PII. Within a CMMC Level 2 authorization boundary, SharePoint GCC High typically serves as the primary collaboration platform connecting to Active Directory Federation Services for SSO and integrating with Teams GCC High for secure communications. The platform requires additional compensating controls including DLP policies configured for CUI markings, retention policies aligned with contract data retention requirements, and external sharing restrictions enforced at the tenant level. DCMA assessors routinely evaluate SharePoint GCC High implementations by examining tenant configuration settings, reviewing access logs for unauthorized external sharing attempts, and validating that CUI marking and handling procedures are consistently applied across document libraries. Recent DIBCAC assessments have specifically flagged organizations using SharePoint GCC High incorrectly configured with guest access enabled or lacking proper DLP rules for ITAR technical data. The platform's audit capabilities directly support CMMC Level 2 requirements for activity monitoring and incident response, making it a preferred solution when properly configured with appropriate governance frameworks.
Deployment & Architecture
Deployment Model: Government Cloud (FedRAMP boundary)
SharePoint GCC High operates within a FedRAMP-authorized boundary. CUI can be processed within the authorization scope, but contractors must verify their specific use case falls within the system's security boundary as documented in the SSP.
Implementation Guide
Defense contractors implementing SharePoint GCC High should plan a 12-16 week deployment timeline across four phases.
- Phase 1 (Weeks 1-3) involves tenant provisioning, establishing federation with existing Active Directory, and configuring baseline security policies including conditional access and DLP rules for CUI categories.
- Phase 2 (Weeks 4-8) focuses on site collection architecture design, implementing information architecture aligned with contract data segregation requirements, and migrating legacy file shares while maintaining CUI chain of custody documentation.
- Phase 3 (Weeks 9-12) covers user provisioning, SharePoint governance training for 200-500 users typically costing $15,000-$30,000, and pilot testing with select CUI datasets.
- Phase 4 (Weeks 13-16) includes full production cutover and compliance documentation updates.
Organizations must update their SSP to reflect SharePoint GCC High as an authorized system component, modify authorization boundary diagrams to include Microsoft's GCC High infrastructure, and create POA&M entries for any configuration gaps. Total implementation costs range from $75,000-$150,000 including licensing ($12-$22/user/month), professional services, and internal resource allocation. Critical data handling procedures must address CUI export restrictions and ensure migration activities maintain proper marking and custody documentation throughout the process.
Configuration Checklist
1. ISSO shall provision SharePoint GCC High tenant and configure tenant-level external sharing restrictions to block anonymous and guest access per NIST 800-171 AC-3 requirements.
2. System administrator shall implement conditional access policies requiring MFA for all SharePoint GCC High access and document configuration in the SSP Section 10.
3. ISSO shall configure DLP policies to detect and prevent sharing of CUI markings including FOUO, ITAR, and proprietary technical data per DFARS 252.204-7012 requirements.
4. System administrator shall establish site collection structure aligned with contract data segregation requirements and document access control matrices in authorization boundary diagrams.
5. Legal team shall review and approve SharePoint governance policies ensuring compliance with ITAR technical data handling requirements under DFARS 252.204-7021.
6. ISSO shall configure audit logging to capture file access, sharing attempts, and administrative actions with 180-day retention per NIST 800-171 AU-6 requirements.
7. System administrator shall implement automated retention policies for contract-specific CUI data and document disposal procedures in the SSP.
8. Training coordinator shall deliver SharePoint CUI handling training to all users and maintain completion records for CMMC Level 2 assessment evidence.
Compliance Cross-References
SharePoint GCC High's compliance directly supports multiple NIST 800-171 control families including Access Control (AC) through Azure AD integration and conditional access policies, System and Communications Protection (SC) via encryption in transit and at rest on FedRAMP High infrastructure, and Audit and Accountability (AU) through comprehensive logging and monitoring capabilities. The platform's FedRAMP High authorization satisfies DFARS 252.204-7012 cloud security requirements for CUI processing, while its government-dedicated infrastructure addresses DFARS 252.204-7021 requirements for ITAR data isolation. Within CMMC Level 2 assessments, SharePoint GCC High impacts the Access Control, Audit and Accountability, and System and Information Integrity domains, with assessors focusing on tenant configuration compliance rather than underlying infrastructure security. The FedRAMP High authorization provides inherited controls for physical security (PE), system maintenance (MA), and incident response (IR) control families, reducing the contractor's assessment scope while maintaining full compliance with CUI protection requirements across all applicable regulatory frameworks.
Frequently Asked Questions
Is SharePoint GCC High FedRAMP authorized?
Yes. SharePoint GCC High is FedRAMP High authorized as part of the Microsoft 365 GCC High environment.
Can I use SharePoint GCC High with CUI?
Yes. SharePoint GCC High is approved for CUI and ITAR file sharing and document management in defense contractor environments.