December 28, 2020

Should I migrate to GCC High? Do I have to? Are there alternatives? 

If you’re a DIB member and you are using Office 365 — as so many do — reaching CMMC Level 3 compliance is going to force you to make some difficult decisions. 

To help guide you through them, I invited Scott Edwards, President at Summit 7 Systems, onto the show to go over what CMMC Level 3 requires and how you can achieve it. 

Scott explains:

  • The requirements for CMMC Level 3 compliance and what they mean for Office 365, G Suite, and in-house email companies
  • The process and expected costs of migrating to GCC High 
  • How GCC High compares to alternatives

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Speaker 1: (00:06)
You’re listening to the virtual CISO podcast, a frank discussion providing the best information, security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry: (00:25)
Hi there. And welcome to another episode of the virtual CISO podcast. I’m your host, John Verry, and with me as always the lime to my Corona, Jeremy Sporn. Hey Jeremy. Were you in a hurry before this episode? Because that might be the weakest intro you’ve come up with yet.

Jeremy Sporn: (00:42)
I am a huge fan of putting a lime in my Corona. And I think that’s a significant compliment, I can rest my head on my pillow tonight knowing that I’m the lime to your Corona. And I feel great about that. That’s awesome.

John Verry: (00:58)
I don’t expect the gin to my tonic the next time we’re [inaudible 00:01:01]. That’s all I’m going to say. All right. So what’d you think about my conversation with Scott Edwards?

Jeremy Sporn: (01:06)
To be blunt, it was awesome. As a-

John Verry: (01:10)
Thank you.

Jeremy Sporn: (01:15)

John Verry: (01:16)
[inaudible 00:01:16].

Jeremy Sporn: (01:16)
As anyone who’s going to listen to this episode knows, that was not the reason why I thought it was awesome. There may be no one outside of Microsoft who understands their suite of products better than Scott. And I don’t mean that in like, he’s a great sales guy kind of way. I’m sure he would do phenomenal on a sales call. I mean that in, he knows how they actually work, their options, their configurations, their names and acronyms, which sounds silly, but Microsoft products deserve their own dictionary. He knows this stuff so well, I’m sure he could recommend the perfect solution to any one of his clients, which is why they have a lot of them, just an insane amount of knowledge, which is crazy because Microsoft comes up with so many updates each year, needless to say, I was very impressed and the information he had to share about what DIB orgs need to hear using Microsoft products to be CMMC compliant was just perfect.

John Verry: (02:09)
Yeah. If you are a DIB member and you’re using Office 365, as so many do, you’ve got some significant decisions to make in order to get to a CMMC level three. And I don’t know too many better people to talk with about what your alternative approaches are, what the subtle nuances are of each approach. The other thing which you did a really good job, at least for me is I was always positive when I heard this idea that you have to migrate from commercial to GCC high and the cost to do that.

John Verry: (02:40)
And I honestly thought it was like highway robbery. It’s like, “Oh, it’s X thousand.” I’m like, “Wow. Somebody is just getting rich on that.” He does a fantastic job explaining everything that has to happen. And by the time we got done, I think I was actually saying, “It actually sounds pretty cheap right now.” I mean with the amount of work that’s necessary. So I thought he did a really fantastic job. The other thing I like about Scott, he seemed very, very transparent, very willing to talk with about all of the different alternatives in a very fair and balanced manner. So, a great podcast to listen to if you’re on office 365 and moving towards CMMC.

Jeremy Sporn: (03:20)
I couldn’t agree more like John said, if you’re part of a DIB organization and thinking about making that move to GCC high, this is a must listen. Scott from Summit 7, basically provided an entire consulting session for free and was able to clarify a lot of key details like costs, timeline to migrate, who should, and like John alluded to before, who should not migrate, which I thought was really cool. Even better, he gave a glimpse into the future of Microsoft products, which, because they update them so often is very key for DIB orgs to have a good understanding of, just so much good information here. Looking forward to everyone listening to this one.

John Verry: (03:58)
Nothing more to add. So let’s get to the show.

Scott Edwards: (04:04)

John Verry: (04:05)
How are you today?

Scott Edwards: (04:06)
I’m doing great. Thanks for having me on.

John Verry: (04:08)
Yeah. You said you’re doing great and you probably should have waited to after you get done with this conversation, then we’ll see if you still think it’s great. I always like to start the conversation easy. Tell us a little bit about who you are and what is it that you do?

Scott Edwards: (04:21)
Sure. My name’s Scott Edwards, I’m president managing partner here at Summit 7 Systems I founded the company about 12 years ago. My background is primarily Microsoft platform and information security. I’ve been working in the Microsoft ecosystem since about ’97, ’98. I’ve been doing IT security for a long period of time. I have a master’s degree in information security from James Madison. My undergrad was from West Point. So I’ve got the military background mixed in with the IT technical and security background.

John Verry: (04:49)
My daughter is a biomedical engineering major at JMU. It’s a fantastic school. She’s in her junior year there. And I can’t say how impressed I am with the program.

Scott Edwards: (05:00)
Congratulations. That’s great. My son is making his college decision right now, we’re finishing up all the applications and man-

John Verry: (05:08)
Is JMU in play?

Scott Edwards: (05:10)
It is not he wants to go into nuclear engineering. So he has-

John Verry: (05:15)
That’s a much smaller subset.

Scott Edwards: (05:17)
It is. There’s not a lot of schools that do it. MIT is his number one, West Point and Michigan are his number two and three.

John Verry: (05:25)
Those are the three… I don’t know, West Point’s program that well, but I can tell you the other two programs are amazing engineering programs. Doesn’t Caltech Jet Propulsion Lab also have a nuclear program?

Scott Edwards: (05:37)
They have one, but he does not want to go to the West Coast at all. He’s not interested with the West Coast. He likes East-

John Verry: (05:44)
And where are you? Are you in Northeast?

Scott Edwards: (05:46)
I am not. I am actually in Alabama. Huntsville, Alabama.

John Verry: (05:49)
Got you. Cool. All right. So one thing, again, before we get down to business we always like to ask, what’s your drink of choice?

Scott Edwards: (05:56)
My drink of choice. I drink a lot of water. Water is probably what I drink 99% of the time. When I drink something else, it’s typically wine. So I guess that would be the two. Water and wine. I’m not a-

John Verry: (06:07)
Water and wine. That sounds a little bit biblical in some sense, but I’m not going to take it there. You don’t turn the water into wine before you drink it, do you? Just checking. You did go to West Point. That’s pretty-

Scott Edwards: (06:20)
[crosstalk 00:06:20]. No.

John Verry: (06:22)
And on the red, do you go white, you go red?

Scott Edwards: (06:25)
Red. Malbec.

John Verry: (06:27)
Are you a Malbec guy? I’m not a Malbec guy. I drink a lot of red wine. I’m more of a Cab or Red Blend. The Malbec has got a little bit of, something in it that doesn’t…. And do you go Chilean on the Malbec, I know a lot of people that like Malbec.

Scott Edwards: (06:41)

John Verry: (06:41)
Argentinian, that’s it. I knew it was South America. So obviously I’m thrilled to have you on here today. CMMC obviously big, hot area dealing with email is a huge area for this. And I know that you guys have a lot of expertise in this. You’re one of, as I understand it, one of only nine IT organizations that have been authorized to help orgs that have less than 500 seats I think it is, move to an environment that they call GCC high. So I’ll start with the question, if I am somebody in the DIB and I need to have CMMC level three conformance, do I need to go to GCC high?

Scott Edwards: (07:25)
So that’s a great question. So there’s a short answer and a long answer.

John Verry: (07:29)
I like long answers. Anyone who knows me knows that I can rattle on for hours. So feel free.

Scott Edwards: (07:34)
So the short answer to that is to meet the basic CMMC requirements to 130 control, straight up as they’re listed in the CMMC 1.0 or 1.02, you do not have to be in GCC high. There’s nothing in those 130 practices and the 51 maturity level processes that requires GCC high, however, all of the companies that are looking for level three compliance, pretty much all have a DFARS 7012 clause as well. And so, as part of the DFARS 7012 clause, there’s a number of things in there that really push you towards GCC high. So you’ve got things like paragraph (c) through (g) and the DFARS clause, which requires things like the incident reporting and the forensic information gathering capabilities. Microsoft will not sign up to support those requirements in the commercial platform. So if you want to get the incident response capabilities, you want to get the forensic information gathering requirements cover as part of Office 365, then you need to move into GCC high, where they’ll contractually sign up to be able to support those requirements underneath Office 365. If you’re in office 365 commercial, you have a breach, you’ve got an issue.

Scott Edwards: (08:47)
You call Microsoft say, “Hey, I need support for this breach incident. And I’ve got to report up to the government through a DIB Net.” Microsoft’s going to say, “Sorry, we don’t support that in Office 365 commercial you’re on your own.” So that’s one of the main reasons. The second main reason is that not all, but a majority or many, how about that? Many companies that have a DFARS clause and are handling controlled and classified information, many of them also have export controlled information. So ITAR content, no foreign content, that kind of content Microsoft does not support being in the commercial platform or even in the GCC platform. The reason is because they have non US support personnel that have access to those platforms through support cases and what have you.

Scott Edwards: (09:35)
So, if that content is in Office 365 GCC high in Azure government, then the entire support team on that side is all US persons’ Background check, it has everything that you need there from that standpoint. Whereas in the commercial, and even in the GCC platform, you don’t get that kind of support coverage. Your support is going to be follow the sun support just like it is for everybody else. You call up, you put in a ticket, you’re going to potentially pick up someone in Thailand or India or Ireland or wherever-

John Verry: (10:03)
Which would violate no foreign.

Scott Edwards: (10:05)
Potentially. If during the process of working the ticket, they got access to the actual content in your tenant, then that could be a potential export which would be a problem. And so what ends up happening is not just for the CMMC requirements, but for the export control, the no foreign requirements and the DFARS paragraph (c) through (g) requirements, you have the issue or people move into GCC high. That’s really kind of long answer for that.

John Verry: (10:37)
But that’s a really good and subtle distinction that I don’t think most people really understand. Because most people painted the CMMC level three requirements, so just to be clear, if I don’t have any 7012 requirements right now and I was to win a new contract for CMMC level three, in theory, I don’t need to go to GCC high.

Scott Edwards: (10:57)
If you did not get the 7012 clause as part of that contract?

John Verry: (11:01)
Right. And assuming that we go to the new, that would happen under what? The 7020. So if you look at the interim role, there’s 18, 19 20. 20 is the one that calls CMMC level three. I don’t think it’s going to have any tie left to 7012.

Scott Edwards: (11:17)
It will actually.

John Verry: (11:18)
It will?

Scott Edwards: (11:19)
As they are putting out the new contracts moving forward, they’re going to have that entire 7,000 series as part of the DFARS contractual-

John Verry: (11:28)
So your answer was technically correct, but in reality, virtually anyone who has the CMMC level three requirement is going to have the 7012 requirement. Because I was going to ask you, does that mean… Because the next question was around 7018. If you had a 7018, you were saying, that’s also going to include the 7012, which means that I’m still going to end up in that same GCC high situation problem.

Scott Edwards: (11:51)
So if you’ve got 7012, which is going to be in all the contracts, and they already are. You get 7019, 7020 and 7021, those are going to be the new, those are what’s in the interim rule. So the new interim rule has those three new ones, all three of those are going to basically come as a package. So you’re looking at 7012, 19, 20 and 21 all coming essentially as a package in the upcoming contracts.

John Verry: (12:12)
Thank you. And yeah, you’re right. I think I said 18, 19, 20 instead of 19, 20, 21. Thanks for correcting me. Okay, cool. So I said that you need GCC high. That obviously was for somebody that let’s say using a hosted mail service. An existing commercial instance of Microsoft 365, as an example. Let’s say I’m running my own mail server, can I run a CMMC level three 7012 compliant mail server in-house?

Scott Edwards: (12:44)
Absolutely. No problem with that at all. If you have the skillsets, the desire, the data center environment, to be able to properly run an in-house Exchange SharePoint file servers, everything that you need to support your infrastructure in-house, and you can do that all inside your own data center, then yeah, you can absolutely build the CMMC level three, no problem. Or level four level five, that’s totally up to you. The challenge that we run into is that vast majority of companies don’t have that kind of infrastructure in place.

John Verry: (13:17)
Or a skillset for that matter.

Scott Edwards: (13:18)
Or a skillset. And then if you really look at it and you start adding up the costs of doing that, the cost to run that kind of infrastructure in-house is very significant. And when you try and compare that against a suite of products that you get, like Office 365, that suite of products is very cost competitive. Even at the more expensive rates that you have to pay for GCC high, it’s very cost competitive.

John Verry: (13:43)
What Microsoft packages into Microsoft 365 at the price they package it in, is ridiculous. It’s unbelievable how inexpensive it really is when you look at the value proposition. Like under a commercial license for $35 per month per user, you look at the number of applications. Yeah, it’s insane. So I agree with you. I was asking it more from a theoretical perspective, or if let’s say I’m a 5,000 person company and I’ve already got the infrastructure I think those kinds of organizations might have both the skillset and infrastructure to support that.

Scott Edwards: (14:16)
And we talked to companies today. I had a call last week with a customer, they are a very large company. They do run a lot on-prem and they’re going to continue to run a lot on-prem, but you can’t get Teams on prem. And so they want to run Teams. So they are basically moving to Office 365 GCC high to do nothing but run their Teams platform. And so that’s a very point solution for a platform and maybe down the road, they end up migrating other workloads to it in the future. But their initial entry point for the platform is going to be Teams. Just to enable instant messaging and meetings and everything else.

John Verry: (14:53)
Yeah. We’re on Teams, so I’m a huge advocate of Teams. And yeah, I can understand, even when you look from an effectiveness and efficiencies of operation, I think Team’s a wonderful, wonderful platform. So let’s roll back for a second. So we talked about CMMC level three, because I think that’s where a lot of the concern is. But something like two thirds of the 300,000 plus folks in the DIB that are going to have to comply, they’re probably going to have to only comply with level one. So let’s talk about level one. If I’m currently sitting on a Microsoft 365 commercial let’s say E3, or something of that nature do I need to migrate from there?

Scott Edwards: (15:30)
Absolutely not. Level one, stay in Office 365 commercial, heck you can even stay in G Suite, all day long. If that’s the right place for you. If you ever have any intention of handling controlled unclassified information, you ever have any intention of pursuing a CMMC level three, four, five contract in any way, shape or form, then Office 365 commercial is the right place for you. It is a FedRAMP moderate platform, or it’s federate moderate equivalent. It hasn’t been certified to federate moderate specifically, but it’s been built to federate moderate standards. Whereas, GCC has been built to federate moderate officially. It is a solid platform, has great security controls built into it. If all you’re dealing with is FCI data, Federal Contract Information Office 365 commercial can certainly meet all those needs.

John Verry: (16:18)
Got you. And you briefly touched on G Suite can G Suite be leveraged for CMMC level three or higher?

Scott Edwards: (16:27)
Sure. So it does not meet the DFARS (c) through (g) requirements. They have not signed up to meet those requirements. And then there are also still some export control requirements that you have issues with in G Suite. Now I know that there are with the ITAR export control, carve-outs for encryption, there are some methods where you can use some file level encryption type software to basically continue to use G Suite and get some of the way there, but you’re still never going to meet the DFARS (c) through (g) requirements in G Suite.

John Verry: (17:00)
Got you. All right. So let’s go. Not that we’re really talking about a lot, although we have one org that we’re talking with right now that we’re helping them pursue level five which is interesting. Level five, would GCC high be sufficient to meet level five?

Scott Edwards: (17:16)
Yeah, it will. Obviously, a lot of the level five stuff is going to require additional software to be added to it. Because you’ve got a lot of monitoring and management and threat monitoring and all kinds of different capabilities that you can leverage pieces of Office 365 and the Azure platforms to help you.

John Verry: (17:33)
Right. The new Sentinel stuff, looks amazing. It looks like Sentinel would be a good add on, as an example.

Scott Edwards: (17:39)
Sentinel is actually part of our baseline package for CMMC level three. You’ve got to have a centralized SIEM solution, and Sentinel is great for that. Because you can ingest all the Office 365 data directly into Sentinel and there’s no cost it. So Sentinel is a great solution. You can meet level four, level five with Office 365 GCC high end as a government as a piece of that puzzle to build out that platform. But there are other things that you’re going to need to add to it that would be third party, if you will.

John Verry: (18:08)
I know one point, which is I’ve heard different things and I think it might have been different things at different points in the life cycle. So, what I originally had heard was that you couldn’t run a mixed environment, some percentage of your employees on a commercial instance and some on a GCC high instance. And then recently somebody told me that they had been told by a vendor like yourself and in fact, it might’ve been you guys that they had backed off of that, that they’re now supporting a mixed environment. Can you give me some clarity there?

Scott Edwards: (18:38)
So supporting might be a strong word, but yeah, you can run a mixed environment. It just isn’t very easy, and it’s not very user friendly. Because when you do a mixed environment and we’d run across this in some very large companies, especially companies that have a minimal DOD presence, maybe only 10% of their revenue, 15% of their revenue is DOD. And so they don’t want to move a $100 billion company into GCC high 100% if they only get 10% of their business from DOD. So what you want to do or what they’re doing is essentially they try and split off a division and move that division or that subset of users into GCC high and then leave everybody else in commercial. Now, the challenge with that is that now you have two different identities.

Scott Edwards: (19:32)
You’ve got an identity and an email address for your GCC high users. You’ve got an identity and an email address for your commercial users. And that can be bad from a branding standpoint for some companies, they want to have a single brand that they go to the world with. And so that’s a challenge for that. And then sometimes they want to leave users with access to both platforms GCC high and commercial. And then, then you come into some major user training issues where, “When do I use which platform and how do I collaborate with each team appropriately? And how do I make sure that my data from my GCC high environment doesn’t cross-pollinate over into my commercial environment. And that becomes a real challenge from a data management standpoint. So yeah, you can certainly do it, but it definitely has its set up pitfalls.

John Verry: (20:19)
Got you. So, it would sound to me that your general recommendation would be, it’s not the best way to do it and that you’d have to really understand what that is. And I think the use case is limited, I think it’s limited like you said to an organization that in fact we’re talking with one now, they’ve got 2000 users, but they’ve only got like 50 people that support their 7012 conforming projects. So it’s a big lift for just 50 people, but not a significant percentage of that. Okay. That makes sense. Just out of curiosity, if we were to fast forward three years, do you think Microsoft will find a way, do you think that’s on their roadmap to simplify that? Or do you think that that is inherent in this idea of the fact that different domains, different levels of trust, different security requirements, like, “Look, it really just shouldn’t be that way.” And for some small subset of companies, you know what? You’re probably going to have to find a different approach.

Scott Edwards: (21:24)
Sure. So Microsoft is very much moving toward a platform where they can enable more collaboration between the environments while still providing the same security assurance levels. So we see things like the B2B capability or business to business capability, which is enabling today external sharing and such between tenants within Office 365 to GCC high. So GCC high to GCC high tenant. What is coming down the road is what’s going to be called B2C or business to consumer which is going to allow collaboration and such between… Initially it’s going to allow GCC high users to access resources sitting over in commercial.

Scott Edwards: (22:07)
So you have this split situation where the main company is sitting over in commercial, and you’ve got this 50 users sitting in GCC high where they can access SharePoint, One Drive, et cetera, sitting over in commercial that is going to come first. And then down the road further from that, there’s going to be some level of capability to allow commercial users to access GCC high potentially. First one is going to be the other way around GCC high access and commercial-

John Verry: (22:33)
Which I think is the more important of the two use cases. Because technically you don’t want people that are not in GCC high accessing GCC high resources by definition. I Got you. So just the same way that we saw Microsoft come out with Teams and we saw there were limitations in Teams where you couldn’t have people from outside your organization and then you couldn’t have private channels. And we were all yelling for private channels and eventually they got there. So it sounds to me like we’re recording this on in October mid-October of 2020 for anyone that’s listening. So I think what it might be is that if I asked you the same question one year from now that you might’ve given me a different answer.

Scott Edwards: (23:10)
Yeah, absolutely. There is a lot coming with Teams because Teams is today’s killer app.

John Verry: (23:17)
That’s their focus.

Scott Edwards: (23:18)
It’s the focus. And so there’s a tremendous amount of capability coming out on Teams in the next few months. That’s going to continue to enable additional collaboration both between tenants and GCC high and then eventually with other users.

John Verry: (23:33)
Got you. So, for those users that are the bulk of their revenue comes through contracts with the government that are going to be thinking about migrating from commercial, Microsoft 365 to GCC high, take us through, what’s the process? I know that there’s a migration that’s necessary. I’m not sure what exactly that means, but I’ve heard that term. And I know that there’s a cost to migrate, and I know you can’t give exact costs, but if you give people some level of ballpark. And then the second part of that question is that once I’m on commercial, let’s say, need three, let’s say it’s roughly 35 bucks a license. I’m hearing, it’s roughly a $50 uplift when you move into the GCC high. Can you give us an idea of what that process looks like and what some approximate costs are for budgeting purposes?

Scott Edwards: (24:23)
Sure. Yeah. I can absolutely do that. So first thing is you’ve got to get validated. You have to go in, you have to do your validation with Microsoft. Basically what Microsoft is doing is ensuring that you have a verified need to be into GCC high.

John Verry: (24:35)
Really? So right now pivot point, if I wanted to be in GCC high, because I think my customers would like that or would think better of us for that, I can’t go in unless I actually have a deforest requirement in one of my contracts?

Scott Edwards: (24:51)
Today that’s a requirement. However, it is changing. Microsoft because of CMMC they realize that companies are going to have to get certified before they can win a contract. You’re going to have to be CMMC level three, and you’ve got to get the platform, you’ve got to build a platform, you’ve got to get the platform audited, and then you’ve got to get your certification before a contract awarding, right?

John Verry: (25:12)
Oh, I got you. I know why you do it. So they’re just worried that too many people are going to try to come into it too fast. Just the same way they’re doing right now with the provisional auditors. Unless the government says, “You’re one of the people we want to do.” Or, “You can’t do it.”

Scott Edwards: (25:23)
Right. And so you’re going to open the door up more and basically previously you had what was called a category three validation letter from Microsoft. And so they’re opening it up so that now that you can have, what’s called a category two. And so it lowers the bar a little bit for entry into the environment, but it’s going to allow more companies to get access to GCC high. So that’s the first thing you’ve got to do, is get the validation done. Once you get the validation done, you need to work with an AOSG partner like ourselves, have a conversation about what kind of licensing you need. What kind of licensing is going to meet both your functional requirements, as well as your compliance requirements. Then you get a quote, you execute the quote, the order gets placed. And then Microsoft has currently a four to six week SLA to actually deploy that tenant.

Scott Edwards: (26:08)
So it’s not ideal. It takes longer than we would like for it to take, but that’s the SLA as of today. So four to six weeks to get the tenant built. For Microsoft, activation emails are sent out and such. Then you can actually start the configuration process to build that environment to standard. So you can do that yourself. You can work with us a company like ourselves to go do that work where we actually build to the 130 practices in CMMC level three. And then once that’s built out, that’s when you look at migrating your data in, and when you say about migration, yes, it’s a migration. So if you’re coming from Office 365 commercial, you have to do a full up tenant to tenant migration. You have to migrate Exchange, you have to migrate SharePoint, you have to migrate One Drive, you have to migrate Teams. All of that content that’s sitting in your commercial tenant today has to migrate, your mobile devices have to migrate if they’ve been joined to that environment. Everything has to migrate into that new tenant.

John Verry: (27:03)
So a couple of quick questions there. So that sounds to me like now I’m starting to understand where this all is. So now we’ve got, every device has to be reappointed from an authentication perspective. So anyone who’s accessing email. Anyone who’s accessing SharePoint, all that stuff needs to be pointed. And it also sounds like, and correct me if I’m wrong, and this would make sense. You have to move all of your data. That’s currently sitting in a non fed ramp ATO environment into this FedRAMP ATO environment. So literally we’re talking about like disc to disc copies. They’re physically moving data, migrating data.

Scott Edwards: (27:36)
It’s moving data centers.

John Verry: (27:39)
So that’s where that level of effort comes into play.

Scott Edwards: (27:43)
Yeah. All the data will move from a commercial data center from the commercial tenant, to the government tenant and the government data center. So yeah, it’s a full up move and we use third party tools to make that move.

John Verry: (27:53)
And one other question. So that was also interesting to me was something you said, we’re going to configure the environment to live up to the 130 requirements, 130 practices that are required. So that’s from, I’ve spent a little bit of time in Microsoft, so that’s the equivalent of going into the Microsoft security and compliance center and configuring all of those options in such a way that they’re aligned with the requirements?

Scott Edwards: (28:17)
Yeah. It’s Exchange settings, it’s One Drive setting, it’s SharePoint settings, it’s Intern settings, it’s advanced threat protection. It’s all of it. All of that has to be configured to standard as part of the project.

John Verry: (28:31)
Okay. So that’s where, I can see now that there’s a considerable amount of work there.

Scott Edwards: (28:37)
There is. There’s a considerable amount of work. And it takes a lot of time over the time and we’ve done, gosh, probably approaching 200 tenants now.

John Verry: (28:49)

Scott Edwards: (28:49)

John Verry: (28:50)
That’s amazing.

Scott Edwards: (28:53)
And so we’ve done a lot of tenants, a lot of migrations. So we have gotten better at it and we’ve gotten pieces that we’ve been able to script, and we’ve been able to continue to cut the project where we can as we have gotten more efficient at it, but it still is a lot of work. And honestly that amount of work is one thing. But when you’re working with a customer, and you have to essentially teach that customer what’s going on and explain to them what’s happening and how they have to use this feature going forward, if they’re going to maintain this environment long-term, they have to understand the configuration. So we have to go through these configurations with the customers and we can’t do it all at one sitting. We have to take it a piece at a time because we’d overwhelm them otherwise. And they wouldn’t remember anything after the first two hours anyway. And so we have to do a piece at a time. And so that takes time. It’s an effort. There’s a lot of effort involved in-

John Verry: (29:52)
Plus it’s retraining even… And not only is it that the people that are going to administer the system or responsible for the system, but then you’ve got the end users. So you’re touching everyone’s device.

Scott Edwards: (30:02)
There’s a lot of communication, there’s a lot of organizational change management that goes into it.

John Verry: (30:08)
That’s a big thing. I agree completely. People have to understand now, they no longer do it this way, they do it this way. And I’ve been in the game longer than I care to imagine, moving people’s cheese, disrupts a lot of things.

Scott Edwards: (30:22)
It’s a big deal. When you’re taking people from Office 365 commercial to Office 365 GCC high, it’s not as big a deal. However, if they have not been living up to the security requirements in commercial, that they have to meet in GCC high, then it still is a big deal.

John Verry: (30:39)
If they haven’t been using two factor authentication. And if they’re not familiar with Microsoft authenticator [crosstalk 00:30:44] I agree completely. Intune. Again, what do you mean my Android phone, I no longer can use one, two, three, four?

Scott Edwards: (30:54)
Yeah. All of those things, you were on Office 365 commercial, but you were-

John Verry: (30:59)
You were using it badly.

Scott Edwards: (31:01)
You were using 5% of the capability. Now you’re moving into GCC high and you’re using 95% of the capability. There’s a lot there to learn. And so, it can be a big change depending on where you’re coming from. And if you’re coming from on-prem, or you’re coming from a G Suite or you’re coming from some kind of Linux based system, there’s a lot of that kind of stuff where we’re migrating people from hosted Linux email-based systems, people are using-

John Verry: (31:25)

Scott Edwards: (31:26)
Yeah. All kinds of-

John Verry: (31:28)
I’m amazed. Listen, I’ve got to be honest with you, the more I talk to people in the DIB and defense supply chain, the more I realize why CMMC is so important. And I mean that very sincerely and I feel bad for all the little organizations that are very frustrated and are worried about how they’re going to stay in business. But at the end of the day, when you realize what infrastructure people were running and the way they were running it, and they were handling information, that’s critical to our national defense. You say, “Sorry guys. But I mean really, as a country, we can’t afford to do this any longer.”

Scott Edwards: (32:00)
Yeah, absolutely. We’ve run across small companies, the sub 20 person companies that were literally going out and creating a commercial Gmail account for their employees.

John Verry: (32:07)
Mm-hmm (affirmative).

Scott Edwards: (32:07)
That’s how they run their business, and you just can’t do that.

John Verry: (32:10)
No, I agree completely. And I know we can’t give you exact numbers, but if you had a 300 person organization, there’s a lot of companies in the DIB that are 300-ish people, manufacturing concerns and things of that nature in terms of that migration costs, is that a dollar? Is it 10,000? Is it a 100,000? Is it a million? What’s a generic ballpark?

Scott Edwards: (32:33)
Sure. So for the base infrastructure bill, depending on what all you’re going to move to the cloud, if you’re going to move, if you’re only going Office 365 and you’re not doing any servers, you’re not moving any servers into Azure or anything like that. It’s literally 100% cloud. And you’re going to look and set up the environment probably somewhere in the 30K range, 30 to 35 K range. And if you’re looking at doing migrations of data, again, you’re looking at probably another 30 to 35 K for base email and maybe some One Drive content here or there. If you’ve got a full up environment where you’ve got terabytes of data sitting in SharePoint and one drive, and you’re moving a bunch of teams because you’ve heavily leveraged Teams and Office 365 commercial, and obviously you’ve got your email data there that migration could go from being 20K, you could go to being 75K or a 100K. It just really depends on the amount of data that you’ve got.

Scott Edwards: (33:29)
And then if you’re moving all into the cloud where you’ve got server environments, you’ve got Office 365, you’re doing windows 10 policies so that you can manage your windows 10 devices with Intune instead of using active directory. And you’re doing a full up deployment, that way you’re looking in the 60K range to do the implementation instead of a 30K range. So, all in all most companies in that size range, we typically see spend somewhere between 75,000 and 100,000 in infrastructure and buying cost.

John Verry: (34:00)
Yeah. Look, that doesn’t sound like you’re charging them an unreasonable amount, given the amount of level of effort. I mean, you just outlined a crap load of work and a crap load of work that if is not done, all of the rest of the investment they’re going to make, which is going to be 20, 30, $40,000 for the audit, they’re going to pay consulting firms. If they use a consulting firm somewhere between 30 and a $100,000, they might have to buy a SIEM solution. So if they’re going to make a 200,000 investment and then they’re going to not do your migration, they’re going to fail the audit.

Scott Edwards: (34:36)
Yeah. And at one point we actually build a SIEM solution as part of that project. We build Sentinel as part of that.

John Verry: (34:45)
Just out of curiosity, does the Sentinel solution… How well is that going to work if I’ve got infrastructure in AWS or I’ve got significant network infrastructure?

Scott Edwards: (34:58)
It’s fine. You can point all of those devices into Sentinel.

John Verry: (35:02)
Basically. So it’s basically a wallet. Of course, it has enhanced capabilities for the Microsoft 365 environment. It’s a fundamental basic, SIEM is just catching logs. Let’s not over complicated, but they have to support the ability to capture logs from these types of devices, which is always a pain in the ass for any SIEM vendor. Is figuring out, which devices to capture data from and keeping that stuff up to date.

Scott Edwards: (35:30)
If you have a type of device that doesn’t have native support within Sentinel. You can always put a CIS log server in and you can then point the CIS log server into Sentinel. So they can always act as an intermediary if you need it to. But yeah, Sentinel is a full up SaaS based SIEM solution.

John Verry: (35:47)
Okay. That makes sense. And so just for the record. So when you were talking about $60,000 price tag, did that include SIEM or not?

Scott Edwards: (35:57)
Yeah, it does.

John Verry: (35:58)
So that’s really not a bad price at all then. Because it’s not unusual that you’d spend… If you take, a Splunk would cost you a hell of a lot more than that, but even if you take a simpler solution, like an AlienVault, which I’m a fan of that’s not an inexpensive solution either. So if you’re kind of doing that all at the same time, it’s really not that bad a price, to be honest with you.

Scott Edwards: (36:18)
Yeah. We feel like it’s a pretty competitive price point for what we’re doing. But that doesn’t mean that it’s still not a huge undertaking for a 20 person company.

John Verry: (36:31)
Those are the people that I don’t know how we’re going to survive this.

Scott Edwards: (36:35)
We have a lot of companies that are 20% companies that have done this. And it is a pain for them. And we’ve had to work with them on potentially spreading payments out. We also run managed services. We help them on that side too. And so there’s lots of ways that we can work with a customer to make sure that they’re taken care of, our main goal is to make sure that they get to where they need to go. We want to help them protect the data appropriately so that they can continue to do their job and support the government. That’s where we sit. So whatever we can do to make that happen we want to make it a win-win for both of us.

John Verry: (37:13)
Got you. So in terms of… And I’m just professionally curious about this, not that anybody else cares that’s listening. But scrum, I want to ask the question anyway, is that a lot of PowerShell? Are you able to do… Like, if somebody is listening and they’ve got a team, and they’re thinking like, “I can’t afford this, I’d like to.” Can this be scripted with PowerShell if you know what you’re doing?

Scott Edwards: (37:34)
There are pieces of it that can be, and then there are pieces of it that can’t. There is a fair amount of PowerShell that we’ve built over the last few years, specifically to this, there’s arm templates that you can build. There’s all kinds of capabilities that we’ve been able to leverage. And that’s why we’ve been able to continue to add more capability without really changing the price point too much. Microsoft has really continued to roll out features and capability. We pretty much just roll those features into the projects that we’ve got and just continue to go. Because we’re able to continue to build efficiencies and that’s what we’re trying to do.

John Verry: (38:07)
Got you. So we touched on the customer. Great. Thank you for that. I appreciate that a lot. So now we’re moved over, we’re now running in our new environment. I’m not a Microsoft reseller, so I don’t know the exact numbers, but I think we’re on E3, I think maybe E5. But I think any E3 license is about 35 bucks a user roughly on the commercial side. A, do they use that same terminology like E3, E5 on the government side? And B what’s a relative price point?. I’m sure this are options and things of that nature, but does that add $10 per user, per month, a $100 dollars per user per month? Give me just a ballpark?

Scott Edwards: (38:45)
So, what I really talk about is I talk about it in terms of suites of licenses. Because an E3 by itself does not get you there from a feature standpoint to what you need to beat the same MCL three requirements. So we have a number of different suites and it depends on what the actual user needs for what suite you go with. For example, on the low end, we can use something like an M365 F3 and add the DLP add onto it and add ATP to it, Advanced Threat Protection.

Scott Edwards: (39:15)
So, if we do that on the low end, those are going to be users that are limited to a two gig mailbox. They have access to SharePoint, they have access to Teams just a basic functional user. Many times these kinds of users are what we would think of as onsite government contractors that have their main day-to-day account with the government. And this is kind of their corporate user account, those kinds of users or manufacturing floor workers, those kinds of users that are maybe accessing mail via a phone or a tablet device. And they don’t really have a full up Windows 10, or anything like that. For those kinds of users, we can get those users full up license for less than $300 a year.

John Verry: (39:54)
I’m sorry. Is that on commercial or is that on government?

Scott Edwards: (39:57)
For GCC high. That really the-

John Verry: (39:59)
Really? And I have a client right now who we’re working with and they’re dealing with it, they have a shop floor. They have manufacturing floor. And a lot of people access all their stuff through shared kiosks. So that kind of a user, you might be able to get down to 25 bucks a month?

Scott Edwards: (40:15)
Yeah. About right. It was 250. Yeah. But even less than that potentially. So, we can get those kinds of users for that kind of price point. Now you flip it to the other extreme. And we look at the user that is, they’re using Power BI, they’re using audio conferencing, dialing capability. They’ve got voice, they’re doing privileged identity management that needs the EMS E5 license. So we’re going to end up putting them and they’ve got a Windows 10 device. So they’re getting windows 10 upgrade. Windows 10 enterprise upgrade as part of their licensinG Suite. So they get everything. They get the windows 10, they get the Microsoft 365 E5 or the Office 365 E5, which is part of the M365 bundle. And they get the EMS E5, which is part of the M365 bundle.

Scott Edwards: (41:06)
All of those three licenses together, the windows 10, the EMS E5, and the regular E5 are part of a bundle called the M365 E5 license. That bundle is going to be more up toward a thousand dollars a year per user. So you’ve got a wide range of pricing there depending on how much feature and functionality do you need. We can get everything from that M365 F3 up to that M365 E5 to meet the requirements. And then in the middle, we have the M365 E3 or we can go without the desktop license, and we can go with an E3 and an EMS E3 with an ATP add on if they don’t have a Windows 10 Enterprise desktop need. And those are more in the five to $600 range. So there’s a wide range of licensing types and needs that are out there based simply on what kind of features you need for each individual user.

John Verry: (42:03)
Sure. So that’s a pretty complex question to-

Scott Edwards: (42:06)
It a very complex question. It is. And every customer that comes to us, it’s a different mix. Some companies come to us and they say, “Okay, we want 10 M365 E5s and I need 250 M365 F3s, because all my people are out on government contract. And we only have 10 people that work in the corporate headquarters. And so we’ve got those kinds of companies. And then we have other companies that are 100%, M365 E5 for every single person in their organization. Because they are R&D and they’re heavy into everything. They use every feature that Microsoft provides for them and they all have desktops and laptops and mobile devices and tablets and everything.

John Verry: (42:48)
Got you. Excellent answer by the way. Thank you. And it makes this understandable that there’s not just a uniform answer to this and that depending upon your particular context, the answer may be different. Just out of curiosity, when you get to somebody that’s a, I’m going to call them a knowledge worker. Somebody who’s in engineering or somebody who’s doing design work, things of that nature. And they’ve got to get to a Microsoft Teams level of environment, can that happen at that lower end of the scale? Or does that happen towards the middle and upper end of the scale? Does Team’s usage influence that? Because it seems to me like the vast majority of my clients right now, they want to make sure that their uses have the capability of interact with Teams.

Scott Edwards: (43:34)
So yeah, on the lower end of that, we can certainly do Teams.

John Verry: (43:37)
Really? Okay.

Scott Edwards: (43:39)
[inaudible 00:43:39] capability is on that F3 license at $300 a year type license. But the sweet spot that we typically see the most off is what is the E3 license. The E3 license meets all the requirements from a compliance standpoint. And it also has your windows 10 enterprise desktop, windows 10 enterprise E3. It has office pro plus so you get Word, PowerPoint, Excel, Outlook, you get those desktop applications, which everybody needs or knowledge workers need for sure. Because that’s what they spend their day in. It gives you access to have mobile devices with Intune, you have Azure information protection, all those baseline capabilities are there. So that E3 license is really what I call the sweet spot. And we call that our full user. And so that one is more in the $600 range.

John Verry: (44:32)
But that’s still not that bad. Because most people were probably paying closer to 30, 35 bucks already. So you’re really only adding 20 bucks per user, per month, roughly.

Scott Edwards: (44:40)
That’s about right.

John Verry: (44:42)
That’s less than I thought it was. So there are alternatives, you and I have chatted about alternatives. There’s overlays that you can put on and things of that nature. So if you’re thinking about moving from the…. You know you are in 365 now, you’re looking at some type of an overlay solution that bolts on the top of it and move some stuff to another environment versus not something that can prevail as an example. And you look at the idea of keeping everything purely, completely in Microsoft Office, a pure MS environment, if you will. In GCC high. One of the advantages to having everything, I’m assuming that there’s advantages to be purely in the Microsoft environment versus running this hybrid type of environment, what would those be?

Scott Edwards: (45:29)
Yeah, sure. So if you go with an overlay type situation where you’re basically encrypting, you’re trying to identify and encrypt controlled unclassified information and put it into this lockbox, if you will. For example, I could prevail you’re encrypting that content. The challenge that you run into is, you’re now paying for a platform in Office 365, that you’re not going to be able to use. Because of so many of the features within Office 365 rely on Microsoft being able to read search index that content. And now you have essentially turned all of that very valuable content you have into a black box. You’ve locked it up so that Microsoft can’t read it anymore. And so now you can’t use things like e-discovery and advanced e-discovery. You can’t use things like search. You can’t use things like DLP. You can’t use things like Azure Information Protection.

Scott Edwards: (46:17)
So you’re basically paying for a lot of feature set that now you’re basically just throwing out the window and saying, “Oh, we’re not going to use that anymore. We’re going to lock it all up in this prevail thing, or this third-party encrypted solution, and we’re not going to be able to use the features that we’re paying for in this E3 or in this E5 license.” And that doesn’t make a lot of sense to me. Why would you turn Office 365 into a really expensive blob storage, which is essentially what you’re doing at that point. Is turning it into blob storage. And so that’s the one thing that I don’t like about that approach, the other thing that I find challenging about that is from a cost perspective. So let’s use the numbers that you were using, maybe they were paying $30 a month in commercial. So that’s $360 a year. And so you add on to that, the cost of this third party solution. I think that their solution is somewhere around $250, $280 a year per user-

John Verry: (47:14)
Roughly. It’s definitely in that ballpark.

Scott Edwards: (47:17)
It’s something like that. So let’s say you add 250 to that 300. So now you’re in the 550 range per year for this third-party add on solution where you’re basically throwing away a lot of feature set on the Office 365 side that you’re not going to be able to use anymore. Where if you contrast that with moving into Office 365 GCC hIgh for basically the same cost, you can move everything into GCC high and have all those features available to you fully. So I don’t understand why you would want to handicap your platform and add a bunch of additional costs at the same time.

John Verry: (47:48)
Yeah. So like when I’ve had that conversation with clients because we’ve had that conversation with clients, we’ve been led to believe that the people that have told us that they’re getting quotes from orgs like yours, not your organization specifically, just to be very clear. That they were seeing more like $50 per user difference. So if you look at $50 per user versus $30 per user, and I think it also goes down to something that we’ve talked about prior, where if 10% of the people in a 2000 person organization need to migrate, you could get to a point where it might make sense. But I think your argument is that anytime that you get to a point where the bulk of the people in your organization need this, and you have this ability to segregate the in-step and tune the license to the individual user, that we’re no longer talking about 50, in fact, the cost might be the same, or it might be 25 or $30 per user for a bolt-on versus 25 to $30 for yours. Then I guess the only value proposition to their solution at that point in time would be that you don’t do the migration,

Scott Edwards: (48:53)
That’s right. You don’t have the migration piece-

John Verry: (48:56)
Which is a one-time cost. And depending upon it and how big you are and whether you can afford it or not, I guess that could make the decision a little bit more difficult.

Scott Edwards: (49:05)
Well, yeah, you’re right. It could make the decision more difficult and it’s certainly something to consider. Absolutely. But the other thing to consider as well is even if you have a third party overlay into an Office 365 commercial or a G Suite or wherever you want to put it, you’re still not going to get your DFARS compliance requirements covered. You’re still not going to meet those paragraphs (c) through (g) for reporting and forensics and everything else. Because, just because you’ve protected the data from an encryption standpoint, you’re still not using a platform that is going to give you all of the forensics and the investigation data that you may need in case of a breach.

John Verry: (49:40)
And what specifically is that requirement? So as an example, in that circumstance, what is it that that solution would not provide you? Would be my question.

Scott Edwards: (49:52)
Sure. So if you have information sitting in Office 365 commercial, commercial Microsoft will not provide the investigative information in case of a breach for you down at the sub infrastructure level. So beyond what you can get with your toolsets, your audit logs and such at Office 365. If you go down below that, into the network and into the infrastructure of the office 365 platform, Microsoft’s not going to give that information to you. And it doesn’t matter where you are on the commercial platform. You’re not going to be able to get that. Whereas in Office 365 GCC high you would be able to get that. So it’s a very small point maybe, but it is something to consider depending on-

John Verry: (50:36)
Well, it might be a small point, it might be a huge point. The reality is, look at the end of the day, you were doing all of this to be compliant. Honestly. I’d love to think that people are altruistic and they do things because they’re looking out for the goodness of the country. But the reality is they haven’t done a good job with this stuff before this, because security is expensive and now they’re looking at this and going, “Well, I have no choice, but to do this.” So anyone who’s spending this amount of money and no matter which way you do it, it’s going to be expensive. So they’re spending the money, if you’re running a risk, that one way of doing it does not make you a 100% conforming and that, and that you may end up having an issue because of that. I do think that’s a big issue. So my understanding is that these other tools have a tendency, I think the most common place that they put them in is into AWS in their FedRAMP ATO environment. So would that be the question is whether or not, if it’s in AWS, AWS is going to give you that support or not? And that’s what you’d have to figure out?

Scott Edwards: (51:36)
AWS may give you that support. AWS is a great platform.

John Verry: (51:39)
Okay. So that would be the question. So the question might be yes or no, they don’t provide. So anyone listening should make sure whoever they’re working with that, and this is an important point, not only are we meeting the CMMC requirement, but we’re meeting the defense DFARS clauses that are integral to your contract, that call CMMC or call 800-171. So as an example, one of the common confusions people have is that you look at CMMC level three and supply chain risk management doesn’t come into effect until level four. So people say, “Oh, I don’t have to worry about… I can give my data to anybody else. And I don’t have to….” Well, first off, that’s illogical. The second thing is take a look at clause, I think it’s M of DFARS 250. The 7012 clause that says you need to flow this down.

Scott Edwards: (52:28)
You have to [inaudible 00:52:28] now.

John Verry: (52:28)
Yeah. Because CMMC still, doesn’t say it, but now the… And I’m not going to let you crack me again because I’m going to get it right. The 7020 clause specifically says you need to flow down CMMC level three to the next level down as does the 7019 clause say that relating to 800-171.

Scott Edwards: (52:45)
And so what you’re going to run into is there’s a lot of debate right now on if the assessors for CMMC are going to be looking specifically for compliance with DFARS clauses or not. So what we may end up running into is the CMMC assessors, the third-party audit guys, they may or may not be looking at the DFARS specific requirements, but your DIBCAC auditors from DCMA, those are the guys with their medium and high assessments. Those are the ones that should be looking at, are you doing-

John Verry: (53:17)
That’s a really interesting… That would stink if they’re not at least looking at some level of that DFARS requirement, because otherwise that creates a hole in the system that I think is too… Because actually John Ellis was on the podcast and I spoke with him, he’s got about 50-ish auditors. And we have, how many? 350,000. Like he can’t possibly chase everybody, which would mean that like we’ve got things where people are flowing down the information to somebody else’s environment, and actually aren’t validating that their CMMC conformance or their 800-171 conformance before flowing it down. That would just break the whole system.

Scott Edwards: (53:56)
I agree.

John Verry: (53:57)
So I hope you’re wrong. Not that you’re wrong. I hope that what you just conjectured doesn’t turn out to be true, because that would be a huge flaw in the system.

Scott Edwards: (54:05)
There’s one set of people who are pushing very hard for that, that they think that the CMMC auditors assessors should not be looking at anything beyond specifically the 130 practices. And then there’s another camp within the bodies out there that are saying, “No, you’ve got to look at things like DFARS and you need to at least have an understanding of things like export control and these kinds of things. You have to have some of these conversations because if this becomes a checkbox situation, we’ve missed the point.”

John Verry: (54:39)
I agree. I agree completely. The objective is to secure our defense supply chain, our national economy. And if people are conforming with CMMC level three and not conforming with DFARS, then we didn’t achieve that standard.

Scott Edwards: (54:51)
I agree.

John Verry: (54:52)
Question for you. So we talked about all of the goodness of GCC high and I’m an unabashed, Microsoft fanboy. So I believe Microsoft’s blue if that’s what you bleed when you’re a Microsoft fan. Is there anything that you lose in GC…? I think you lose Stream as an example. We use stream extensively and I think you lose Stream. Are those capabilities that you lose when you go to GCC high? And for those that we did lose, do you think at some point some of those might be coming back, it’s just a matter of that they haven’t gotten them through the certification process?

Scott Edwards: (55:25)
Right. Yeah. There absolutely are things. And the list is a heck of a lot smaller today than it was a year ago. Microsoft has done a great job at closing the gap. I say that there I would say they’re 95% there from a security standpoint at this point, but some of the things that are missing, like you said, Stream. Stream is not there yet. It is coming. It’s not there yet. It’s probably going to be a 21 situation for stream. There are features within Teams. Features and sub-features that are rolling out over the next six to nine months, they’re going to catch teams up to what you see in commercial things like the seven by seven view and and the 49 people on the screen situation, those kinds of things are becoming over the next few months. There’s a number of others as well. External sharing is probably the biggest one-

John Verry: (56:13)
But that makes sense though. Honestly. I would have thought that, and external people joining your groups. Inherently, what we’re trying to do is create enclaves where we don’t make it easy to share information and we don’t make it easy for people to get to that data. So that actually makes a lot of sense. And that’s when I think when it does come in place, they’ve got to have it, they’ve got to do it right.

Scott Edwards: (56:34)
It’s got to be done very right. Yeah. And so that’s a big one and that’s the one that catches a lot of people and they’re like, “Wow, man, I can’t do this anymore.” And that’s how we work with all of our subcontractors and all that stuff for proposal development or what have you. And so that one can be a big one, but now with B2B, if your subcontractors are in GCC high and you’re in GCC high, then you can still do that. And so that’s going to take some of that sting away. So yeah, there are features out there. Audio conferencing is another one. Audio conferencing and voice capability, whereas Microsoft provided that natively first party support in commercial where you could basically just sign up and say, “Give me a fair-”

John Verry: (57:12)
We’re on Microsoft’s [inaudible 00:57:14], which is great.

Scott Edwards: (57:15)
And so you can’t do that in GCC high.

John Verry: (57:16)
You’ve got to go to a third-party service provider?

Scott Edwards: (57:19)
You’ve basically got to build your own SBCs. You do it through what’s called direct routing. You build your own session border controllers, you can get your own sip trunk and you configure it up with your SBC and connect that to Teams and do the configuration. And that’s one of the projects that we’ve been doing a heck of a lot of, because people want audio conferencing in their Teams, right?

John Verry: (57:37)
Yeah. It’s so elegant.

Scott Edwards: (57:38)
And so we’ve been doing a lot of that, now starting to do a lot of voice implementations in GCC high, but it’s all through this direct routing capability which is very, very different than what you see out of Office 365 commercial.

John Verry: (57:51)
And do you think that’s coming? Do you think that Microsoft’s aware of that and that’s something that they’re going to eventually-

Scott Edwards: (57:56)
They’re are certainly aware of it. I don’t know that they’re ever going to close that gap. Not directly like they’re doing in commercial, they are looking at some different options, but I don’t know that they’re ever going to close that gap like they do in commercial.

John Verry: (58:07)
And then there could be other oddness. Like I know that when we originally were talking with Sam on your team and we tried to do a Teams conference, he was not able to join one of our Team conferences because you guys are GCC high and we’re commercial. So for the most part, I think there’s mostly goodness. And there’s going to be a lot of value to that. And you’re going to have some occasional oddness that you’re going to have to work around.

Scott Edwards: (58:29)
Yeah. If you’re in GCC high and you decide to join a Teams meeting in commercial, you’re going to have to join through your edge browser. You can’t use your Team’s client. And when people in commercial try to join your meetings, they’re going to have to join through the edge browser. They can’t join through their Teams client. So yeah, there’s some of that kind of stuff. And some of that is going to change over time. They’re going to make that better, but that’s just the way it is right now as far as Teams to Teams capabilities.

John Verry: (58:55)
Got you. Last question. And I think you answered this question with the licensing before, but just to make it clear. So when I think of Microsoft licenses on the commercial side, I think of an E3, E5 in this stack, and it sounds like there’s the same kinds of levels with what you were referring to on the commercial side. And just out of curiosity, you didn’t use… Did you use F3 versus E3 and is the F the government? Like, if I hear someone say, “We’re on E3, I know it’s commercial.” Is there a way I can know when somebody is already on? What’s the equivalent license called on the GCC high side?

Scott Edwards: (59:36)
The licenses are actually called the exact same thing.

John Verry: (59:38)
They are both called the E3s? Just to make my life miserable?

Scott Edwards: (59:41)
So you have an F3 license, you have an E1 license, you have an E3 license and you have an E5 license. Those are your base licenses. And then you have what…. Those are what we call the Office 365 licenses or the no licenses. And then you have the M series of licenses. The M series of licenses include the O series license, as well as your enterprise mobility and security capabilities and the Windows 10 licenses. So your M365 F3, your M365 E3 in your M365 E5 are the three bundles that include everything.

John Verry: (01:00:19)
Got you. So I can have an M365 E3 and be in GCC high or in commercial.?

Scott Edwards: (01:00:29)
That’s correct. So if you’re looking at their tenant, the way that you can tell easily is if you go into the licensing pain in the admin console, and you can look at the name of the license and the license will actually say GCC high in the license.

John Verry: (01:00:43)
Okay, cool. Thank you for that. Well, you’ve answered all of my questions and then some, is there anything we didn’t touch on? Look, clearly you guys sound like an amazing organization. Anything else you should point about your organization? Clearly you know your crap, it sounds like you provide a lot of value to a lot of people. Anything you didn’t touch on that you’d like to touch on just as a pitch for your org?

Scott Edwards: (01:01:07)
I can do a ten second commercial. We’re an AOC partner, so we do licensing for GCC high and Azure government. So for subscriptions for that side, and we do the implementations to configurations, to standard for CMMC and DFARS we do the migrations, we do post-implementation support. So managed services as well. If you need us to basically help you manage the environment, long-term we can do that. So, yeah, we’re a full service company as far as IT goes, and we don’t do anything, but DIB. The DIB is our entire market. We do nothing but support companies that have these specific requirements, we’re very different in that way than a lot of other MSPs and IT support teams.

John Verry: (01:01:47)
Got you. Awesome. So I sent you this late, so I don’t know if you actually are prepared for the next question. I don’t know. Did you look at the next question? Or are you going to look bad Scott here?

Scott Edwards: (01:01:58)
We’ll see here in a second, I think-

John Verry: (01:02:01)
You picked Malbec instead of Pinot Noir or Cab that was a little already disappointing. So I hope you’re not going to disappoint me again here. So step it up, Scott, step it up. So far summit sounded like an amazing company to work with.

Scott Edwards: (01:02:15)

John Verry: (01:02:16)
All right. What fictional character or real person do you think would make an amazing or horrible DIB CISO and why?

Scott Edwards: (01:02:24)
Okay. So I did actually see the question. So my answer for this one is going to be Alfred from Batman. He’s super intelligent, he’s very resourceful. He’s back in the shadows, not really out in front of the whole thing. So he’s got his CEO or Batman is out there making the world safe building stuff. But he’s also in the background, he’s building all the cool toys for Batman and making sure that he’s taken care of. Information security, who’s better keeping a secret than Alfred? Nobody’s better at keeping a secret than Alfred is. So I’d have to go with Alfred from Batman.

John Verry: (01:03:09)
You know why I like that answer? Is because the other thing I think about a really great CISO, is they don’t necessarily want, or are trying to take the credit. They’re more than happy to let somebody else be the star of the show? Because they understand what their role is, is just keeping it together at the backend. So I think Alfred’s a great answer. So one last question for you. So, actually I have two last questions for you. The first is you’re in the DIB defense supply chain, you’re chatting with folks every single day like we are, what would be another interesting topic for another podcast to help address what is going to be an incredibly crazy next three to five years for all of us?

Scott Edwards: (01:03:53)
I would really like to see… If you look in the interim rule that was released, that’s a long document, 89 pages. I think it would be really interesting to get somebody on from the DOD to talk about the pricing numbers that they put.

John Verry: (01:04:11)
All right, I know exactly where you’re going. I’m [inaudible 01:04:13]. Where can I hire the guy that is a high level security guy that’s willing to work for a $108 an hour. You’ve got to be looking at some of those numbers and going, like, “I hope my clients are not going to ask me like, “Wait a second. You’re overcharging me.” I looked at some of those numbers. Some of the numbers I looked at, I was like, “Wow, this is pretty good. They gave some numbers that I looked at and I was like, “Wow. They’re telling these people, it’s going to cost them a hundred grand to get there. Okay. That’s a pretty fair number.” And then there’s other places where they’re like, “Well, a good hourly rate for a person with information security expertise is a $100 an hour. And I’m like, “Please send me a list of those people. And I will hire 20 of them tomorrow.” Because they don’t exist.

Scott Edwards: (01:04:54)
The other thing that kills me about the numbers that were in the interim rule is they very explicitly only include the 20 Delta requirements. They don’t include anything in 800-171. So they are expecting that you are already 100%, 800-171 compliant.

John Verry: (01:05:12)
That’s an awesome point.

Scott Edwards: (01:05:13)
If you’re not already a 800-171, those numbers mean absolutely nothing to you from an implementation standpoint.

John Verry: (01:05:19)
I agree completely. And I’ll tell you one of the things which is, and anyone who’s listening, please, please, please do not talk to anybody, anybody about where you are with 800-171 without signing a nondisclosure agreement. And during the RP training, the registered practitioner training, they quoted a number and I forget the number. It’s like $3 billion, the government’s made over the last eight years in false claims acts. And what’s amazing about the false claims act that I didn’t know, maybe you knew this because you spend more time than I do in the DIB, is that the person who files, there’s a whistleblower clause. And if you are the whistleblower, do you know what percentage of the settlement you get?

Scott Edwards: (01:06:00)
Isn’t it 25% or something like that?

John Verry: (01:06:01)
20 to 30% depending upon the claim. And not only that, but it’s three times the total value of the contract and $11,000 per incident where $11,000 per incident can be every invoice that you’ve sent. So I got on the phone the other day with a client and the first thing the client says to me is, “Oh man, we need help. We have completely blew off 800-171. We signed some, but we didn’t do anything. So we have nothing.” And the first thing I said to them, I said, “You need to never say that again.” He’s like, “What are you….”

John Verry: (01:06:33)
And I explained false claims act, I explained whistleblower. And someone’s senior management was on the phone call and goes like, “We’re terminating this call at this moment, our attorney is going to be in touch with you.” I’m like, “Dude.” I said, “If I want to go and…” It’s already too late. I said, “If you want, we’ll do right now on the call and send you the nondisclosure so that you have it.” But you let the horses out of the bar already. But that’s a really good point. And I didn’t pick that up. And it makes complete sense though, because if you think about it logically CMMC should not be in, and Katie Arrington’s been very explicit on this all along. This should not be a big lift, it’s 20 controls because you should have already had the 110.

Scott Edwards: (01:07:27)
And you’ve been signing saying, you’ve been doing it for two plus years. I had a call on Friday. You guys may have heard from customers like this or not, but Lockheed Martin and General Dynamics and a bunch of other ones are North of Gramma, just started sending out letters that, “Hey you’ve got to get your stuff together. And we want a report by November 5th and blah, blah, blah, blah, blah.” And so you’ve got all these companies now freaking out. And they should be, because this is a big change. They’re now having to step up and actually do it.

Scott Edwards: (01:08:00)
And so I had a company call me up and they’re a manufacturing company, they’ve been signing for years that they are a 800-171 compliant. Because they didn’t even understand what the clause was when they were signing the contract. They had no idea what it meant the DFARS clause. And I started going through trying to do some education with him. “So are you familiar with DFARS 7012? And this is what it did.” And he’s like, “No, I don’t even know what that is.” And this was the owner of the business who’d been signing contracts for two plus years with these requirements. And literally did not even know what the DFARS 7012 clause even meant, at even a base level. He had no idea.

John Verry: (01:08:36)
No. If you look at, so many of these organizations and you know smaller companies, they do not have legal counsel and they’re hesitant to engage an attorney because an attorney charges them it’s $400 per every 15 minutes and a lot of people don’t trust the attorneys so they don’t want to engage them. So they sign these contracts and you’re right, they have no ideas. I can’t believe how often I get on the phone and somebody say to me, “I got a phone call from our prime and we need to comply with… And I’ll be like, “Okay, so you have contracts that have a 7012 clause on them.” “What’s a 7012 clause?” Like, literally I think so. And I’m like, “Well, you need to go and get your…” I don’t think we keep copies of the contracts we sign.

John Verry: (01:09:17)
The other thing, which is really crazy that I didn’t know, maybe you knew this is that this concept of the Christian doctrine that I had no idea is out there where you have to assume that in the government, if you’re dealing with information, which is in the narrow registry, you have to assume that it’s subject to the [inaudible 01:09:40] requirements and any 800-171 like everyone else independent of whether or not it’s listed in the contract. Because if the government makes a mistake in a contract and shares information with you, but doesn’t obligate you to that, but you should have known. It’s your obligation of knowing that they call it the Christian doctrine. And there’s been organizations that have actually gotten into trouble because they failed to live up to the requirement, but the requirement was not explicitly specified in the contract.

Scott Edwards: (01:10:05)
Yeah. I feel for these companies. Because these guys, they’re just trying to make stuff. They get an order from the government and they’ve got some talented, skilled guys on CNC machines and [inaudible 01:10:20] and all the stuff that they’re building pieces for an aircraft or whatever. And they’re just trying to do their job. And you’ve got all these requirements coming down and they don’t understand what they all mean. So I really, really feel for these guys. But as an industry as a whole, we have to figure out how to continue to better educate CISO community. And even for those businesses that don’t have CISOs. We’ve got to continue to educate the larger DIB community on all these topics. So that they’re not caught blindsided. Because there’s going to be a lot of small businesses that get caught blindsided. And there’s, people’s real livelihoods you’re going to get impacted because of it. And I don’t want to see that. I don’t want to see that at all.

John Verry: (01:11:03)
I hear you.

Scott Edwards: (01:11:05)
There are people trying to do good stuff and they need to be able to continue to do that good stuff.

John Verry: (01:11:11)
Yeah. No, we were talking with a company the other day, a 20 person company and and they had ignored everything. When you start talking, then you start listening to this and it’s a 20 person company and it’s going to be, because they’ve ignored everything to this point, hundreds of thousands of dollars. And they do 95% of their businesses as DOD. And it’s like either you spend a quarter million dollars or you no longer do business with the DOD. That’s a tough situation. One last question for you. And I’m just curious as, do you have any thought process on this because you seem to know a lot about the new interim role. I’m trying to figure out because I’ve had a bunch of the clients that we have that have 7012 clauses. They’re not bidding anything new at this moment.

John Verry: (01:11:55)
And they’re like, “Okay, am I going to be okay on 7012, or do I have to worry about the new SPRs requirements under 18 and 19? And do I have to go through that DOD assessment methodology? And so one of the questions would be, my understanding is that if you’re 7012 and there’s no change to the contract, there’s no updates, there’s no reissuance, anything of that nature. You’re okay. But it seems to me like the government in some cases, updates that contract on a fairly regular basis for different reasons. And I think there’s an incentive for them to update it now to include 7018. Do you have any thoughts or guidance for people who have a 7012, do you think that’s going to happen?

Scott Edwards: (01:12:31)
They specifically said that if there’s an option year, they’re going to include it in the option year. If there’s new task orders on an IDIQ contract, they’re going to include it in the new task orders.

John Verry: (01:12:41)
So task orders and option years you think are going to be the triggers for them to actually proactively insert this, to force you to go and go through a a DOD assessment and file your findings in the SPRS?

Scott Edwards: (01:12:56)
Yeah. That’s where 7019 and 7020 are going to hit. 7021, I don’t think it’s going to hit you until you-

John Verry: (01:13:04)
Did I do it again?

Scott Edwards: (01:13:05)
No. You didn’t.

John Verry: (01:13:07)
No, wait a second. No, wait.

Scott Edwards: (01:13:09)
19 and 20 are the-

John Verry: (01:13:14)
800-171s. And 21 is the CMMC.

Scott Edwards: (01:13:18)
So 21 is not going to hit you until you start looking at contracts’ specific requirements.

John Verry: (01:13:22)
Okay. Cool. All right. Last question. So, folks want to get in touch with your organization or want to get in touch with you explicitly. What’s the best way to do that?

Scott Edwards: (01:13:30)
So you can hit me on email. My email is [email protected]. That’s my email address. And you can reach out to me on LinkedIn. I’m on LinkedIn, pretty easy to find Scott Edwards, Summit 7, you can connect to me on there. I’m always happy to answer questions there as well. And then we have a email address set up for us, if you’ve just got a general inquiry [email protected], and as well. That’s our blogs and the video content that we put together that really we do a lot of content around CMMC and Microsoft platforms.

John Verry: (01:14:08)
By the way you guys, like I said and I mentioned this earlier, Sam Styles, right? Is your marketing guy? Top-notch. And you guys put out some really, really great stuff. I’d encourage anyone who’s listening if they want to learn about CMMC to look at some of the stuff Summit 7 that has out there. I’ve watched and listened to a lot of it. And I think I’ve learned something from every time I’ve I’ve listened.

Scott Edwards: (01:14:28)
Great. That’s great to hear. That’s the goal. Just like I said earlier, we’ve got to educate people and education is really, really key and we try to do a lot of that.

John Verry: (01:14:38)
Sounds good, man. Listen, thank you so much. I thought you did an awesome job today. I appreciate it.

Scott Edwards: (01:14:42)
Thank you so much. Have a great day.

Speaker 1: (01:14:44)
You’ve been listening to the virtual CISO podcast, as you’ve probably figured out we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.