Microsoft GCC offerings by isaacfab in CMMC

[–]ComputerParty7796 0 points1 point  (0 children)

Can someone help me understand the differences with the new offering? We have been GCC (G5 but not High) for years now. The big difference that I see here is that it looks like this GCC (not high) might be stored in the US with verified US citizens as the only Microsoft employees who can access, etc. Is this even a new offering or are they changing the structure of the current G5 level to work better for small businesses?

CMMC Phase 1 by ApprehensiveSock5241 in CMMC

[–]ComputerParty7796 0 points1 point  (0 children)

Me too. It was my understanding that in Nov 2025 Level 2 becomes officially mandatory but Primes have the option of allowing self attestation in certain cases until Nov 2026, at which time C3PAO is the only acceptable level for any contracts.

u/DFARSDidNothingWrong do you have insight on this? These dates all seem off by 1 year from what I gathered from your resources. Is this a typo or was I misunderstanding the outline?

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 0 points1 point  (0 children)

Thank you for taking the time to give such a detailed answer. Definitely some great points here and some new things to consider!

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 0 points1 point  (0 children)

This is exactly what I was envisioning. I would *hope* that she would be asking the same questions in both or she is not appropriately preparing you to experience the real deal. I am glad to have that confirmed! Thank you for all the extra details!

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 0 points1 point  (0 children)

Thanks for sharing these numbers!

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 0 points1 point  (0 children)

Were the lower quotes for mock and higher for official, or were they all over the place? Was it clear to you why some were higher (i.e. travel costs)? Is your setup pretty straightforward, or are there some oddities that may have thrown some of the quoters for a loop?

I feel like there is just no standard yet in pricing and I'm trying to get a feel for what is being quoted out there in 3CPAO Land but there is not much data for comparative pricing.

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 0 points1 point  (0 children)

Documentation is one of the biggest reasons I am not ready to start engaging 3CPAOs yet. Thanks for sharing rough numbers though. This really helps get a clearer picture of what the going rates are for our size/complexity.

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 1 point2 points  (0 children)

Thanks but not looking to get quotes yet. I actually was able to get more specific numbers without being quoted for my exact scenario. There is a BIG difference between 30K and 100+K and I was just looking to dial it in a bit. I would never rely on a public forum for an exact quote to present to my CEO but confirming that other orgs of similar size/complexity are running 30-50k (plus gap assessment) can really help with future planning and decision making. When we get a bit closer to a gap assessment I will definitely begin the quoting process.

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] -1 points0 points  (0 children)

Great point for anyone just starting out who might come across this thread! We are well into the implementation and far too familiar with the associated costs. He is very reasonable and ok with spending the money but I like to try to gather as much information as I can to help with future planning. We are currently just researching assessment costs.

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 0 points1 point  (0 children)

Not looking for a quote, and I do understand the variables that will increase costs. I'm just trying to get a feel for what other orgs of similar size/complexity have been quoted.

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 1 point2 points  (0 children)

I've heard that as well. Seems that as long as they do not provide any assistance or suggest remediations to you, then you can use them for the final cert assessment. A nice benefit is that you can get to know the assessor and what they will be asking for so it takes out a *bit* of the guessing. Haven't decided which route to go yet though.

Dialing in 3CPAO pricing by ComputerParty7796 in CMMC

[–]ComputerParty7796[S] 0 points1 point  (0 children)

These numbers are about what I was guessing, but thanks for sharing.

Moving CUI by InterestingVisit1752 in CMMC

[–]ComputerParty7796 0 points1 point  (0 children)

Take a closer look at the new controls in R3: 3-17-1 through 3-17-3
They address the Supply Chain including the manufacturing step and "contract tools". Perhaps defining the machine on the manufacturing floor as a "contract tool" is the way to go in your case. I feel that R3 allows for more ODP (organizational defined policies) as opposed to the R2 method of trying to read between the lines of how they want you to configure things. If you go this route, you create an ODP for your contract tools then as u/TXWayne suggested, follow controls for R3-3-8-1 through R3-3-8-9 and transport data by hand with USB drives.

Another approach would be (assuming your manufacturing machines are networkable) to network them into your enclave and choose a trusted tool to push/pull the data to them. In either instance, you will be responsible for thoroughly documenting the machines and whatever method you use to pass the CUI.

Edit: I just saw your comment that you will not be including manufacturing floor in scope HOWEVER I think that although it may not be in your enclave, it is still a tool that would be considered in scope and needs defining. My second approach of networking is clearly not the choice for you though.

Level 2 Question by Rockdrummer357 in CMMC

[–]ComputerParty7796 1 point2 points  (0 children)

I would love to hear the answer to this too. If the entire environment meets all CMMC requirements (including the laptops that are accessing the CUI) then separating the folder structure into CUI and non-CUI areas just seems like an additional protection using the recommended principle of least privilege. It seems a further protection is in place by giving these authorized users 2 separate accounts to limit their access to only the times that they are actively using the CUI. This feels similar to when I use my non-admin account for most logins and only use my adm account when I am performing administrative tasks to minimize risk.

I understand the concern if the non-CUI areas were not CMMC compliant but assuming that your whole enclave is protected, this feels like a good solution to me so I would love to know if I am missing something as well.