March 24, 2023

Last Updated on January 14, 2024

Many of the companies moving to a Microsoft 365 Government Community Cloud (GCC) or GCC High environment might want to save money by migrating only those users who handle Controlled Unclassified Information (CUI) and/or other sensitive US government data to the “gov cloud.”


Is that a practice that Microsoft and its Agreement for Online Services – Government (AOS-G) partners recommend? What are the cost savings likely to be? And what complexities and challenges could maintaining two M365 tenants introduce?


How cheap is cheap?

Say yours is a 300-person manufacturing organization in the US Defense Industrial Base (DIB), but only 10 of your employees will be handling highly sensitive CUI such as International Traffic in Arms Regulations (ITAR) data. Why pay 50%-70% higher licensing fees to put everyone on GCC High? And won’t migrating fewer people’s data also save money? Doesn’t a GCC High “enclave” just make sense in scenarios like these?


That might seem like a slam-dunk decision. But according to Conrad Agramont, CEO at Agile IT, it requires careful consideration.

“Say I have a small group of people over there [that need to be on GCC High],” Conrad posits. “It should be kind of cheap to get going, right?

“Well, it might be cheaper for you because you will only have a few people in GCC High. But it’s still expensive because it’s not just a license. You have to set up, configure, operationalize, and meet compliance—whether it’s 15 people or 500 people.”

No relief in sight

Whether yours is an SMB or global enterprise, you need to implement the same controls to pass an audit. There’s no relief for smaller orgs because the government is trying to prevent data breaches involving data critical to our national security and sovereignty. As Conrad puts it, “There’s no way of skimping on it like you would something else.”


So, while creating a GCC High enclave might help you save significantly on the data movement part of a migration, the cost to configure the new environment, create associated policies, etc. will be about the same regardless of the number of people it supports. For example, you’ll need to do about the same amount of work either way to set up SharePoint, Exchange, conditional authentication, mobile device management (MDM), and so on.


Operational considerations

Overall, the upfront cost savings with a GCC High enclave might be less than hoped, but still significant. What about the operational side? Are the hassles worth the savings, particularly when people need to collaborate across Microsoft 365 tenant boundaries? Will you be happy with what you’ve implemented?


For sure, some of the capabilities that you have in the commercial M365 environment won’t be mirrored in GCC High. So, you may need to find creative solutions to maintain efficiency.

Likewise, how you approach security-related requirements like device management may not be the same in both environments. That could leave you with two MDM solutions, for instance. You might also need two different sets of policies and procedures around Identity & Access Management (IAM).

Conrad also raises an unusual staffing consideration because “Commercial people that don’t understand government can make terrible decisions.” He recommends giving whoever manages your GCC High enclave “equal seats at the table” with your CIO/CISO. If the CISO were to impact compliance on the defense side and “the government came knocking on doors,” the negative business impact could be massive.


What’s next?

For more guidance on this topic, listen to Episode 113 of The Virtual CISO Podcast with guest Conrad Agramont from Agile IT.
