GCC High is not required to meet CMMC at any level. However, GCC High is the only version of the Office 365 or Microsoft 365 platform that meets the reporting requirements of DFARS 7012 found in paragraphs C-G. Technically, the Commercial and GCC versions of the platform can be configured to meet NIST 800-171, and the vast majority of CMMC’s requirements with native security products/capabilities. CMMC Level 3, for example, can be met in Commercial and GCC per the standards written to date.

if you have DFARS 7012 requirements in your contracts, then you need GCC High