Compliant Tenant-to-Tenant Migration for DoD Subcontractors
Learn how to execute a secure and compliant Microsoft 365 tenant-to-tenant migration for DoD subcontractors while protecting CUI and meeting DFARS and NIST 800-171.
This is Post #6 of our Tenant to Tenant Migration Government and Compliance Series

A tenant-to-tenant migration is an important task for Department of Defense (DoD) subcontractors: moving from a commercial Microsoft tenant to a secure environment such as Microsoft Government Community Cloud (GCC) or GCC High is essential to maintaining compliance with evolving federal cybersecurity regulations like NIST SP 800-171, DFARS 7012, and CMMC 2.0. DoD subcontractors that handle Controlled Unclassified Information (CUI) and continue operating in a commercial Microsoft tenant fail to meet their contractual compliance obligations, which could lead to fines, lost contracts, and a damaged reputation. Choosing the right Microsoft tenant is critical to protecting the sensitive government data you handle and ensuring compliance.
However, migrating from a commercial Microsoft tenant to GCC or GCC High is no simple feat, and careful planning is critical to help you maintain compliance throughout your migration. If you try to rush this process, you may make costly mistakes that could put your CUI at risk and lead to unexpected costs and downtime. To help ensure that this process goes smoothly, keep reading as we look at the challenges DoD subcontractors face during tenant-to-tenant migrations and the steps that you can take before, during, and after your migration to ensure you maintain compliance.
Challenges of Tenant-to-Tenant Migrations in the DoD Supply Chain
Before you begin planning your tenant-to-tenant migration, you must first understand the challenges organizations within the Defense Industrial Base (DIB) face during these migrations so that you can prepare accordingly. The most common challenges DoD subcontractors face during tenant-to-tenant migrations include:
- Handling Controlled Unclassified Information (CUI): The biggest challenge organizations within the DIB face when performing tenant-to-tenant migrations is ensuring CUI is properly handled and protected. Implementing the security controls from NIST SP 800-171, including encrypting data in transit and at rest, will be essential to keep your CUI secure.
- Meeting DFARS and NIST SP 800-171 Standards During Migration: Before starting your tenant-to-tenant migration, you must also evaluate your compliance obligations, such as DFARS and NIST SP 800-171. You should plan for how you will maintain compliance with these standards during your migration, as well as in your new tenant. Maintaining compliance is one of the biggest challenges when performing these migrations, so you’ll want to go into your migration with a compliance plan in place.
- Avoiding Compliance Gaps: Compliance gaps when migrating to GCC High can leave your data vulnerable during this transition and put your CUI at risk. Before starting your migration, you should perform a gap assessment so that you can identify, and plan to resolve, gaps in your compliance posture before the move.
Choosing the Right Environment: GCC vs. GCC High
Once you understand and prepare for the challenges you may face in a GCC High migration, your next step will be to determine which secure Microsoft tenant is right for your organization: GCC or GCC High. Of course, if you’re unfamiliar with these licenses, you may find yourself wondering what the differences are between the two, and how you’ll know which one you should choose.
While both Microsoft GCC and GCC High offer secure cloud environments for government agencies and contractors, they differ in the level of security they provide. Both offer enhanced security and compliance features that can help organizations within the DIB secure their CUI and achieve compliance with NIST SP 800-171, DFARS 7012, and CMMC. However, GCC High provides additional security and compliance features that are necessary for organizations that need to achieve CMMC Levels 2 or 3. It also provides the data residency and access controls necessary for organizations handling ITAR-controlled data. The choice between Microsoft GCC and GCC High therefore comes down to your organization’s compliance obligations. If you’re unsure which licenses will work best for you, consider consulting an experienced Microsoft AOS-G partner who can help you select and purchase your Microsoft licenses.
Pre-Migration Planning Steps
Once you’ve chosen your Microsoft licenses, your next step will be to start planning your migration, as having a proper migration plan in place can help ensure this process goes as smoothly as possible. Key pre-migration planning steps that you should take include:
- Assessing Your Current Environment: To better understand what you need to do to ensure compliance in your new tenant, you should evaluate your current compliance posture and identify any gaps that need to be remediated. You should also analyze existing hardware, software, and applications to ensure they’re compatible with GCC High.
- Identifying Sensitive Data: To understand the scope of your migration, you should take the time to determine where CUI resides on your network, and what files, users, and applications will be moving to the new tenant.
- Designing a Compliant Architecture: Finally, you will need to set up the target tenant before you can start your migration. Make sure that you take the time to configure necessary security settings and permissions to ensure compliance.
Migration Execution Strategies
Once you’ve taken the time to plan your migration, you’ll be ready to proceed to the execution phase. Of course, special care needs to be taken when executing your migration to prevent mistakes, downtime, and additional costs. To streamline your GCC High migration, consider the following:
- Tools for Secure Data and Identity Migration: To streamline the migration process and enhance data security, you may want to consider using specialized migration tools for moving mailboxes, SharePoint, OneDrive, and Teams. Just make sure that any tools you’re considering using have the necessary compliance certifications.
- Phased Migration vs. Cutover: When executing your migration, you’ll need to determine which approach to take. While a cutover migration may seem better as it allows for the entire migration to take place at once, a phased migration is safer when handling CUI, as it is more manageable and reduces risks.
- Testing and Validation: Once you’ve performed your phased migration, it’s essential that you perform validation and testing to ensure that all data has been transferred properly, system functionality is correct, and that compliance has been met in your new tenant.
Post-Migration Compliance and Governance
After executing your migration, it’s essential that you take steps to ensure you maintain compliance in your new tenant. A few steps that you should take include:
- Audit Access and Permissions: In your new tenant, take the time to review user access and permissions. It’s essential that you implement least-privilege access controls so that users only have the minimum data access necessary to perform their jobs. This limits who has access to CUI, which can enhance data security.
- Policy Enforcement for Ongoing Compliance: Ensure that you have policies in place to enforce new security measures, such as MFA and data encryption, as this will be essential in maintaining compliance.
- Incident Response and Monitoring Setup: While the goal of NIST SP 800-171, DFARS, and CMMC is to prevent data breaches, it is also important to be prepared for the worst-case scenario, which is why DoD subcontractors need a data monitoring and incident response plan in place. Constant monitoring can help you detect suspicious activity and data breaches quickly, minimizing their impact, and an incident response plan can help ensure that you’re able to react promptly and report the incident to your prime contractor within 72 hours, as required by DFARS.
Work With a Compliance-Focused MSP
Executing a tenant-to-tenant migration can be a daunting prospect for DoD subcontractors, as this process can present many challenges and requires careful planning and execution to ensure CUI is properly protected throughout. However, even a well-planned GCC High migration can be costly, time-consuming, and result in unexpected downtime. To help ensure that your GCC High migration goes as smoothly as possible, consider working with an experienced, compliance-focused managed service provider (MSP). Compliance-focused MSPs have the specialized knowledge and experience to guide you through your migration while ensuring that you maintain compliance and experience minimal downtime. They lift a weight off your shoulders by walking you through the migration process while managing complex documentation and helping you establish compliance in your new tenant. Furthermore, once your migration is complete, they can continue to help by providing ongoing monitoring and compliance support and by walking you through any audits you face.
If you’re in the process of migrating from a commercial Microsoft tenant to GCC or GCC High, consider contacting Agile IT today. Our team of experienced Microsoft and compliance experts is here to help walk you through your migration, simplifying this process for you and your team. Additionally, as a Microsoft AOS-G partner and Cyber-AB-approved RPO, we can help you purchase your Microsoft licenses and help you achieve CMMC compliance.






