All agencies are required to comply with CMMC, not just DoD, so I am trying to figure out how that works if we are in the base GCC cloud versus High or DoD. What tools do we have to help ensure compliance in GCC G3 and/or G5?
If you keep GCC, you will need compensating controls in place to protect CUI.
The other topic, is the pairing with Azure for IaaS & PaaS services, such as Windows Virtual Desktop and Sentinel. The natural pairing for GCC is Azure Commercial. To get coverage for Gov compliance requirements, you will want to use Azure Government (in another tenant). That has a whole host of challenges straddling tenants. Alternatively, GCC High is naturally paired with Azure Government in a single tenant.