On any given week, our sales team speaks to numerous contractors in the defense industrial base (DIB). Many of them believe they are DFARS compliant, but Microsoft O365 Commercial isn’t compliant with CMMC.

In 2019, Microsoft took the position that companies cannot handle controlled unclassified information (CUI) when using the company’s Commercial email and file sharing cloud-based serve.
Compliance in Microsoft 365 Commercial

Chart from: Microsoft

As a result, companies cannot become DFARS compliant if they are running on O365 Commercial.

Why O365 isn’t DFARS compliant

Compliance with DFARS 252-204-7012 focuses on maintaining the security of CUI as well as ensuring that cloud service providers storing the CUI follow specific standards in the case of a breach. These later standards, referred to as sections (c) through (g) in DFARS 252-204-7012, spell out the steps a contractor must follow for cyber incident reporting, discovering malicious software, media preservation and protection, accessing additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

In 2019, Microsoft updated their guidance to state they cannot support sections (c)through (g). Their Commercial line is designed for a global service and they cannot ensure that requirements (c) through (g) are met across the globe. Instead, Microsoft states that in order to:

“[C]apture the market for the DIB and cabinet-level agencies, a mirror copy of Office 365 DoD was constructed and branded Office 365 Government (GCC High).”

The GCC High Challenge

In no longer supporting DFARS with their Commercial line, Microsoft has required customers to opt for GCC High in order to meet the requirements of (c) through (g). However GCC High is a challenge for most small to medium sized businesses. One of the major challenges is the total cost of ownership for the platform. Contractors considering migration are faced with a combination of license fees, migration fees, and consulting fees that totals between $30-$50K. Additionally, installation typically takes 6 to 9 months and requires migrating the entire enterprise onto the GCC High platform.

A Midwest parts supplier with 250 employees is faced with the challenge of meeting the DoD’s CMMC requirements. Download our case study to learn how PreVeil helped them meet their compliance goals at a lower cost. Download our Case Study

These financial challenges and interruption to business make a potential shift to GCC High too high of a hurdle for many companies in the DIB.

PreVeil: Affordable compliance

By contrast, PreVeil for Gov Community is an affordable, easy to use and compliant alternative for DIB suppliers looking to achieve DFARS and CMMC compliance. With PreVeil for Gov Community, data resides on AWS Gov Cloud which supports DFARS, CMMC, ITAR and NIST 800-171. Moreover, it costs a fraction of what GCC High costs and requires no up-front implementation fees. Implementation of the PreVeil system can be completed in days and can be deployed to only the subset of users within the company who handle CUI.


Commercial O365 is no longer a viable option for those DIB companies seeking DFARS compliance. However, DFARs compliance doesn’t need to derail your business. DIB companies can easily get started on an affordable and manageable path to compliance with PreVeil.

Contact our sales team today.