Last Updated on March 15, 2023
Companies of all sizes in the US Defense Industrial Base (DIB) that handle Controlled Unclassified Information (CUI) must achieve full compliance with the NIST 800-171 and/or Cybersecurity Maturity Model Certification (CMMC) standards. That will compel many orgs to move some or all users from a commercial Microsoft 365 cloud environment to one of Microsoft’s “government cloud” platforms: either the Government Community Cloud (GCC) or GCC High.
Conrad Agramont, CEO at Agile IT, shares a wealth of firsthand insights on how the government and commercial clouds differ, who each cloud is for, and issues to keep in mind as you plan for a M365 environment that meets your DoD compliance needs.
Join us as we discuss:
- Who really needs to be on GCC High
- Key feature differences between GCC High and commercial M365
- Considerations you might not think of for deploying and managing multiple Microsoft 365 tenants
Do you need to be on an M365 GovCloud?
If your org handles Controlled Unclassified Information (CMMC) or has a Defense Federal Acquisition Regulation Supplement (DFARS) 7012 or 7019/7020/7021 clause in your contract, you need to comply with either NIST 800-171 or CMMC. Which means you’ll need to move to GCC.
If you handle sensitive CUI data types like International Traffic in Arms Regulations (ITAR) data, you’ll need to move to GCC High.
What about key migration considerations?
Businesses that need to move users to an M365 GovCloud should be prepared for several changes and challenges. Among them:
- Licensing costs are much higher for GCC High, and you’ll need to pay for a full year upfront.
- Your migration tools and processes will need to comply with the security requirements in your contract.
- Many orgs underestimate the volume and diversity of the data they need to move between M365 tenants.
But in Conrad’s experience, the hardest thing to move in any migration is the people.
“Normally the execs are going to say, ‘I don’t want that MFA! What are all these security hoops? That’s not how it used to be.’ That’s the hardest,” Conrad relates.
Migration time and costs
In M365 migrations, as with many others, the key factors that drive time and cost are data volumes and people. As Conrad puts it:
“Ideally, most projects could take one day to five days to complete,” Conrad observes. “Why doesn’t that happen? People. You need to communicate with them. You need to check them…”
Data volumes also have a big impact. Some orgs have just a few employees but huge volumes of data and/or highly complex M365 environments with custom applications that can’t easily be recreated on the government side.
Migration costs also vary based on user licensing (50-70% higher on GCC High), configuration efforts, and operational costs for running a second M365 tenant.
While Microsoft is making steady inroads towards feature parity, there are many M365 commercial features that aren’t supported or don’t work the same way on the government side. Built-in voice support in Teams is one example. Another is reduced AI support in GCC and GCC High, which can impact Microsoft Syntex, Microsoft Power Platform, and other Microsoft and third-party applications.
The government environments are also designed to be more secure by default.
Conrad explains: “There are a number of places where you might need to open up the sharing a little bit more, or create other [ways of doing] things. But I think it’s good because it makes you be more intentional. It lines up more with a Zero Trust kind of approach. Which is, I should open things up gradually as I need them. Not just have it all open and then I have the burden of trying to pull it all back in.”
Pros and cons to a “hybrid approach”
Many DIB orgs moving to GCC High hope to save on licensing fees by putting the minimum number of M365 users on the government cloud. But having two M365 tenants introduces complexities and challenges. Plus, cost savings aren’t as great as one might think.
Conrad clarifies: “Say I have a small group of people over there [that need to be on GCC High]. It should be kind of cheap to get going, right? Well, it might be cheaper for you because you will only have a few people in GCC High. But it’s still expensive because it’s not just a license. You have to setup, configure, operationalize, and meet compliance—whether it’s 15 people or 500 people.”
Then there are the operational costs of maintaining two M365 tenants, each with its own set of policies and procedures. You might also need separate tools for things like mobile device management (MDM) and identity & access management (IAM).
For more insights on this topic, listen to Episode 113 of The Virtual CISO Podcast with guest Conrad Agramont from Agile IT.
A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.