NIST SP 800-171 Considerations in Microsoft 365 Tenant Migrations
Ensure compliance with NIST 800-171 when migrating Microsoft 365 tenants. Learn how to secure CUI, meet control requirements, and reduce migration risks.
This is Post #5 of our Tenant to Tenant Migration Government and Compliance Series
For federal contractors that handle Controlled Unclassified Information (CUI), meeting the security requirements in NIST SP 800-171 is essential, both to satisfy contractual obligations and to protect the sensitive government data they handle. Reaching and holding that security posture may mean migrating some or all of your users from a commercial Microsoft 365 tenant to one of Microsoft’s government cloud offerings, Microsoft Government Community Cloud (GCC) or GCC High.
Moving to GCC or GCC High is often a key compliance step, particularly for defense contractors who must also satisfy CMMC 2.0, DFARS, and ITAR. But the move itself creates risk: during a migration, CUI is copied, transmitted, and handled by additional tools and identities, and NIST SP 800-171 applies the whole time. The moment to work through its requirements is before you plan the migration, so that you stay compliant during the move and land compliant in the new tenant. This post covers what NIST SP 800-171 is, the requirements a tenant migration affects most, and the steps you can take to protect CUI from planning through post-migration validation.
What is NIST SP 800-171?
If you’re new to government contracting, the first question is what NIST SP 800-171 actually is. NIST SP 800-171 is a set of security requirements published by the National Institute of Standards and Technology (NIST) for protecting CUI that resides on non-federal systems, such as the systems of federal contractors and subcontractors. Revision 2 specifies 110 security requirements across 14 requirement families (Access Control, Audit and Accountability, Identification and Authentication, System and Communications Protection, and so on); Revision 3, published in 2024, restructures these into 97 requirements across 17 families. Check which revision your contract clause points to: DFARS 252.204-7012, for example, has continued to reference Revision 2 under a DoD class deviation, and the requirement numbers used later in this post follow Revision 2. Any federal contractor that handles CUI is bound to NIST SP 800-171 through its contract, and is expected to implement the requirements and document how it does so in a System Security Plan.
Identifying Migration Scenarios that Trigger 800-171 Considerations
Maintaining compliance with NIST SP 800-171 is essential for any federal contractor, subcontractor, or partner handling CUI, and a tenant-to-tenant migration makes it harder. Any migration scenario in which CUI is stored, processed, or transmitted requires additional precautions and planning so that the NIST SP 800-171 requirements are met at every stage of the move. A few common scenarios that trigger NIST SP 800-171 considerations include:
- Commercial Microsoft Tenant to GCC/GCC High Migrations: The most common trigger is a move from a commercial Microsoft tenant to GCC or GCC High. Such migrations are often required to meet DFARS, CMMC 2.0, or ITAR obligations, but the CUI being moved must be protected during the move itself. GCC High in particular runs in the Azure Government cloud, with endpoints separate from the commercial service, so the migration tooling must support a cross-cloud transfer rather than a move within one cloud.
- Tenant Consolidations After Mergers and Acquisitions: When two companies merge, or one acquires another, they may decide to consolidate tenants to streamline operations. The combined entity must ensure that CUI stays protected and NIST SP 800-171 compliance is maintained at every stage, including the tenant consolidation, and that users from the non-CUI side of the business do not gain access to CUI simply because the directories were merged.
- Any Migration Involving CUI: Ultimately, any tenant-to-tenant migration that touches CUI requires careful planning so that the NIST SP 800-171 requirements remain implemented, and CUI remains protected, throughout the migration.
Key Compliance Controls Impacted During Migration
Any tenant migration involving CUI requires careful planning to keep NIST SP 800-171 satisfied, since that is what keeps you compliant and keeps sensitive government data protected. The following requirement families (Revision 2 numbering) are the ones a migration affects most:
- Access Control (3.1) and Identification and Authentication (3.5): Strict access control and identity management throughout the migration are essential to the security of your CUI. Multi-factor authentication (3.5.3), role-based access control, and privileged access management help ensure that only people with a genuine need can reach CUI before, during, and after the move. Remember that the service accounts or app registrations a migration tool uses are among the most privileged identities in both tenants, since they typically hold broad read and write permissions over mailboxes, sites, and files. Treat them as privileged accounts under least privilege (3.1.5): scope them to what the migration needs, monitor their use, and remove them when the migration closes.
- Audit and Accountability (3.3): Securing CUI during the migration is critical, but you must also keep comprehensive documentation and audit logs throughout to provide evidence of continued compliance. That means retaining the audit logs of the source tenant, the target tenant, and the migration tool itself (3.3.1), protecting them from modification or deletion (3.3.8), and making sure logs from the source tenant are preserved before that tenant is decommissioned.
- System and Communications Protection (3.13): Continue protecting CUI during the migration with a combination of threat protection tools, data monitoring, and encryption of data in transit and at rest. The migration path is itself a transmission of CUI, so it must be encrypted in transit (3.13.8), and any cryptography used to protect CUI must be FIPS-validated (3.13.11), which is a question to put to the migration tool vendor rather than assume.
Planning the Migration with Compliance in Mind
Before you jump into your GCC High migration, take the time to plan it thoroughly so that you do not make costly mistakes that result in data loss, downtime, or a compliance gap. Planning with compliance in mind helps ensure that your CUI is protected leading up to, during, and after the move. A few things to do while planning include:
- Performing a Pre-Migration Risk Assessment: The first step in planning a GCC High migration is a formal risk assessment (3.11.1). It establishes your current security posture and the steps you will need to take during and after the migration to protect CUI and comply with NIST SP 800-171. It should also establish where CUI actually resides today (which mailboxes, sites, Teams, and shared locations), since that scope determines what must be protected in transit and what must land in the government tenant.
- Implementing Encryption and Data Protection Strategies: Data is exposed to extra risk during a tenant-to-tenant migration, so take proactive steps to protect it: encrypt CUI in transit and at rest, and apply data protection measures such as access controls and MFA in both tenants, not only the target, since the source tenant holds CUI until it is decommissioned.
- Carefully Selecting Vendors and Tools for Secure Transfer: The right tools and vendors streamline the migration and make it as stress-free as possible for your team, while the wrong vendor or application can put sensitive data at risk and undermine your compliance posture. Research any vendor or software you’re considering to confirm it has the credentials and security to protect CUI. Two practical checks: the tool must actually support GCC High endpoints, and, for DoD contractors, DFARS 252.204-7012 requires an external cloud service that stores, processes, or transmits covered defense information to meet the FedRAMP Moderate baseline or equivalent, which applies to a SaaS migration service that handles your CUI.
Post-Migration Validation Steps
Even after the tenant-to-tenant migration is complete, there are key steps you must take to confirm that the new tenant meets the NIST SP 800-171 requirements. Here are a few steps you can take to establish compliance in your new tenant:
- Verify Security Settings: After the migration, the first thing to do is verify the new tenant’s security configuration and confirm that it functions as intended and meets NIST SP 800-171. Configuration does not carry over automatically between tenants, so check explicitly that MFA and Conditional Access policies are enforced, that audit logging is enabled, and that the migration tool’s accounts and app registrations have been removed from both tenants.
- Update SSPs and POA&Ms: Update your System Security Plan (SSP, 3.12.4) to describe the new tenant, and create or update your Plan of Action and Milestones (POA&M, 3.12.2) to address any security and compliance gaps the verification uncovered.
- Conduct Risk Assessments: Even once the migration is complete, continue performing risk assessments regularly (3.11.1) to ensure ongoing compliance with NIST SP 800-171.
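The verification step above, and the point made earlier about migration service principals being privileged identities, can be turned into a short read-only script. The following PowerShell is an added example written for this post, not code from Agile IT or from Microsoft; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the account used can read Conditional Access policies, service principals, and Exchange Online configuration in the target tenant, and that the tenant name and the migration app name pattern are placeholders you replace with your own. The requirement numbers follow NIST SP 800-171 Revision 2.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications, ExchangeOnlineManagement
<#
  Added example, not code from the original post. Runs three read-only checks against a
  GCC High tenant after cut-over and reports each as a pass/fail finding. The tenant name
  and the migration app name pattern below are placeholders.
#>
param(
    [string]$TenantId = 'contoso.onmicrosoft.us',  # placeholder: your GCC High tenant
    [string]$MigrationAppPattern = '*Migration*'    # placeholder: display names of migration app registrations
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Requirement, [string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Requirement = $Requirement; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# GCC High runs in Azure Government, so Graph must be pointed at the USGov endpoints
# rather than the commercial ones. Only read scopes are requested.
Connect-MgGraph -TenantId $TenantId -Environment USGov `
    -Scopes 'Policy.Read.All', 'Application.Read.All' -NoWelcome

# 3.5.3 (multifactor authentication): look for an enabled Conditional Access policy that
# covers all users and grants access only with MFA or an authentication strength.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$mfaForAll = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $null -ne $_.GrantControls.AuthenticationStrength.Id)
}
Add-Finding -Requirement '3.5.3' -Check 'Enabled CA policy requiring MFA for all users' `
    -Pass ([bool]$mfaForAll) -Detail (($mfaForAll.DisplayName) -join ', ')

# 3.1.5 (least privilege): migration tools are registered as applications with broad
# application permissions. After cut-over they should be gone; if any remain, list what
# they can still do so the grants can be revoked. Get-MgServicePrincipal -All walks every
# service principal in the tenant, which is slow but avoids relying on server-side filters.
$migrationSps = Get-MgServicePrincipal -All | Where-Object { $_.DisplayName -like $MigrationAppPattern }
foreach ($sp in $migrationSps) {
    $grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    $permissions = foreach ($g in $grants) {
        # Resolve the app role GUID to a permission name using the resource's own AppRoles list.
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
        ($resource.AppRoles | Where-Object { $_.Id -eq $g.AppRoleId }).Value
    }
    Add-Finding -Requirement '3.1.5' -Check "Migration principal '$($sp.DisplayName)' removed" `
        -Pass $false -Detail ('still holds: ' + ($permissions -join ', '))
}
if (-not $migrationSps) {
    Add-Finding -Requirement '3.1.5' -Check 'No migration service principals remain' -Pass $true -Detail ''
}
Disconnect-MgGraph | Out-Null

# 3.3.1 (audit logging): unified audit log ingestion is an Exchange Online setting, and
# GCC High has its own Exchange environment name.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh -ShowBanner:$false
$auditConfig = Get-AdminAuditLogConfig
Add-Finding -Requirement '3.3.1' -Check 'Unified audit log ingestion enabled' `
    -Pass ([bool]$auditConfig.UnifiedAuditLogIngestionEnabled) -Detail ''
Disconnect-ExchangeOnline -Confirm:$false

# Failed checks become POA&M entries; passed checks are evidence for the SSP.
$findings | Sort-Object Pass | Format-Table -AutoSize
```

Run it against the source tenant as well (with `-Environment Global` and `-ExchangeEnvironmentName O365Default` for a commercial tenant) before that tenant is decommissioned, since leftover migration principals there are just as privileged. The three checks are deliberately narrow; they are a starting point for the evidence your SSP needs, not a substitute for an assessment.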
Work with an Experienced MSP Throughout Your Migration
When migrating from a commercial Microsoft tenant to GCC or GCC High, it’s essential that you keep NIST SP 800-171 security controls in mind to ensure you maintain compliance throughout your migration. While this can seem like a daunting task, the good news is that having the right partner by your side can help ensure that this process goes smoothly. By working with a Managed Service Provider (MSP) experienced in handling NIST SP 800-171-compliant tenant-to-tenant migrations, you can rest easy knowing that you’re maintaining your contractual compliance obligations and properly securing your CUI.
At Agile IT, we know how overwhelming a tenant migration can be under the best circumstances, let alone when compliance needs must be taken into consideration. By partnering with us, our knowledgeable team of Microsoft and compliance experts can help walk you through the migration process and help you maintain compliance throughout your migration while also helping you establish compliance in your new tenant. Feel free to contact us today to learn more about our GCC High migration services and the benefits of working with our team.