Microsoft 365 Tenant Migration with Controlled Unclassified Information (CUI)
Learn how to securely migrate Microsoft 365 tenants while handling Controlled Unclassified Information (CUI), with a focus on compliance, data protection, and tenant security.
This is Post #2 of our Tenant to Tenant Migration Government and Compliance Series

Microsoft 365 has become an invaluable resource for organizations across a wide range of sectors as it provides a convenient, secure, cloud-based platform to store information and collaborate with colleagues across the country. However, while Microsoft 365 offers a wide range of productivity and security features suitable for most commercial organizations, it does not provide the enhanced compliance features necessary for federal contractors safeguarding Controlled Unclassified Information (CUI).
Particularly for organizations within the Defense Industrial Base (DIB), migrating from a Microsoft commercial tenant to Microsoft Government Community Cloud (GCC) or GCC High will be necessary to properly protect the sensitive government data they handle and to maintain compliance with complex federal cybersecurity regulations like DFARS, CMMC, and FAR CUI. However, for these organizations, migrating from a commercial Microsoft tenant to GCC or GCC High is no simple feat, as extra care must be taken to ensure their CUI is protected at each stage of the migration.
If you’re a defense contractor considering migrating to GCC High, keep reading to learn more about the challenges involved in a CMMC-compliant tenant-to-tenant migration, best practices to ensure this process goes smoothly, and how working with a Microsoft partner can help.
What is CUI and Why Does It Impact Tenant Migrations?
If you’re a new federal contractor, the first question you may find yourself asking is what CUI is and how it impacts tenant migrations. CUI stands for Controlled Unclassified Information, which is a category of sensitive, but unclassified, federal information that requires protection, as it could still threaten national security and economic interests if it were to fall into the wrong hands. Federal contractors that handle CUI must then adhere to a variety of specific cybersecurity regulations to ensure the proper protection of the CUI that they handle, store, and transmit on their network.
For federal contractors that handle CUI, Microsoft’s commercial tenants usually are not sufficient, as they do not meet the stringent security, data residency, and access control requirements mandated by federal regulations like DFARS and CMMC Level 2 for handling CUI. For these organizations, migrating to Microsoft GCC or GCC High is essential, as this highly secure environment provides the compliance features they need to keep their CUI safe, which is essential in preventing a costly data breach. However, performing a tenant-to-tenant migration while handling CUI is no easy matter, as one wrong move could mean the loss of sensitive data, which can result in penalties, fines, and lost contracts for failing to meet your compliance obligations. This makes it essential that you thoroughly plan your GCC High migration so that you do not succumb to the pitfalls organizations face during tenant-to-tenant migrations.
Challenges in Migrating Tenants with CUI
While tenant-to-tenant migrations are almost always a massive undertaking, they can be particularly complex for federal contractors handling CUI. These organizations must be extra cautious in order to comply with stringent federal security and compliance requirements for handling CUI leading up to, during, and after their migration, ensuring data integrity while minimizing costly downtime. The good news is that having a clear strategy in place before starting your migration can help ensure this process goes as smoothly as possible. Without proper planning, you can encounter numerous roadblocks during your migration due to the challenges posed by GCC High eligibility validation, the need to secure sensitive data during transit, tenant provisioning and security control reconfiguration, and potential feature parity issues. Fortunately, properly planning your tenant-to-tenant migration and working with an authorized Microsoft AOS-G partner can help streamline the migration process.
Best Practices for Microsoft 365 CUI-Compliant Tenant Migrations
While performing a tenant-to-tenant migration with CUI can be challenging, taking the proper time to prepare, and following a few best practices, can help ensure this process goes as smoothly as possible. A few best practices for a CUI-compliant tenant migration include:
- Pre-Migration Assessment of CUI Footprint: Your first step to ensure a successful migration will be to conduct a thorough inventory assessment to identify every piece of CUI across your entire environment. This will help you ensure you know where your sensitive data is so that you can make plans to properly secure it during your migration.
- Selecting the Right Destination Tenant (GCC or GCC High): Of course, before you can start your migration, you’ll need to decide whether Microsoft GCC or GCC High best meets your needs. Ultimately, this will depend on your compliance requirements, but if you handle ITAR data or need to comply with CMMC Levels 2 or 3, you should choose GCC High.
- Gap Analysis Against CMMC/NIST Requirements: Next, you’ll want to perform a gap analysis evaluating your current cybersecurity posture against the security controls in NIST SP 800-171. This will help you better understand what you need to do to properly protect your CUI in your new tenant.
- Using FIPS-validated Tools for Secure Transfer: The right migration tools can be essential in helping facilitate a smooth migration. However, when choosing migration tools, it’s essential that you ensure they are FIPS validated, as this will help ensure the security of your CUI during your migration.
- User Communication: In order to ensure a smooth migration, it’s also essential that you maintain open communication with all stakeholders throughout the migration process. Ensuring everyone knows what will be happening on what date/time, and what their role is in the migration process, can help prevent confusion later on.
Partnering With a Microsoft Partner for CUI Migration
Of course, if the prospect of managing a tenant-to-tenant migration while maintaining compliance with federal frameworks such as CMMC and DFARS feels overwhelming, the good news is that you do not have to go through this process alone. Partnering with an IT Managed Service Provider (MSP) that is experienced not only in performing tenant migrations but also in compliance can be crucial in streamlining your tenant migration. An experienced MSP can take much of the stress, hassle, and guesswork out of a GCC High migration, as they can help you navigate the eligibility validation and licensing process, help you create a migration plan, and oversee the migration to ensure a smooth transition and the proper protection of your CUI. By working with an experienced MSP, you can reduce your burden and the threat of unexpected downtime, allowing you and your team to focus on your core business functions.
However, when choosing a CUI migration partner, it’s also essential that you select an MSP that not only has experience with CUI migrations but is also a Microsoft-authorized AOS-G partner. Only authorized entities are allowed to sell GCC and GCC High licenses, and an AOS-G partner can not only help you choose and purchase your Microsoft licenses, but they can also help you navigate the validation process and execute your migration. Additionally, if your organization is subject to CMMC, consider choosing an MSP with Registered Provider Organization (RPO) status, as an RPO can also help ensure that you maintain CMMC compliance throughout your migration, and they can help you prepare for CMMC assessment in your new tenant.
Final Thoughts
Migrating from a Microsoft 365 commercial tenant to GCC or GCC High is about more than just migrating data; it’s about ensuring compliance and protecting national interests. Given everything that’s at stake when handling a CUI migration, it’s essential that you take your time to plan your migration thoroughly and find a Microsoft partner you can trust to help ensure you maintain compliance at each step of the process.
If you’re ready to start your CUI migration, consider reaching out to Agile IT today. Not only do we have experience helping federal contractors handle CUI migrations, but as a Microsoft AOS-G partner and Cyber-AB certified RPO, we can help you navigate the complexities involved in achieving and maintaining compliance before, during, and after a GCC High migration. Feel free to contact us to learn more about our GCC High Migration Services, as well as to speak with our team today.






