Handling Sensitive Data in Tenant Migrations for DFARS-Covered Entities
Learn how to securely manage sensitive data during tenant migrations for DFARS-covered entities. Understand CUI protections, cloud tools, and compliance strategies.
This is Post #7 of our Tenant to Tenant Migration Government and Compliance Series
If you missed the earlier posts, start here to get the full picture:

With cyberthreats a growing concern for the federal government, and for the Department of Defense (DoD) in particular, federal contractors and subcontractors must keep up with an evolving set of cybersecurity regulations to protect the sensitive government data they handle, such as Controlled Unclassified Information (CUI). Defense contractors and subcontractors that process, store, or transmit CUI must comply with the Defense Federal Acquisition Regulation Supplement (DFARS), whose cybersecurity clauses (notably DFARS 252.204-7012) are designed to protect sensitive defense information held on non-government networks. Because leaked defense information can threaten national security, defense contractors must do their part to secure the CUI they handle. Contractors that fail to protect it can face fines, penalties, and loss of contracts, which makes compliance a priority for these organizations.
For many defense contractors, an essential step in achieving compliance with DFARS is migrating from a commercial Microsoft tenant to one of Microsoft's government cloud environments, Microsoft Government Community Cloud (GCC) or GCC High. These environments offer the security and compliance features defense contractors need to protect CUI and meet DFARS, FAR CUI, and CMMC 2.0 requirements. Migrating to GCC or GCC High is no simple task for a DFARS-covered entity, however, because CUI must stay protected at every step of the move. To help you maintain compliance during a tenant-to-tenant migration, this post takes a closer look at DFARS and how it shapes a GCC migration.
What Is a Tenant Migration and Why It Matters for DFARS-Covered Entities
The first question you may find yourself asking is what a tenant-to-tenant migration is and what it involves. A tenant-to-tenant migration is the process of moving data, users, and applications from one cloud tenant to another. It is commonly done during mergers and acquisitions to streamline operations, or when consolidating multiple tenants for operational efficiency. Tenant migrations are also common for federal contractors, who may need to move from a commercial tenant to Microsoft GCC or GCC High to protect their CUI.
Tenant-to-tenant migrations can be complex, especially when sensitive data is involved, because workloads such as mailboxes, OneDrive files, SharePoint sites, and Teams data must all be moved to the new tenant. GCC and GCC High migrations are more involved than commercial-to-commercial migrations because of the additional security requirements, and they take longer: a defense contractor must pass Microsoft's eligibility validation before it can purchase GCC/GCC High licenses, and a phased migration is usually used to preserve data integrity.
DFARS Requirements for Handling Sensitive Data
Tenant-to-tenant migrations are particularly demanding for DFARS-covered entities, because additional precautions must be taken throughout the migration to stay within the security requirements of NIST SP 800-171. DFARS 252.204-7012 sets out what defense contractors must do to safeguard CUI: implement the NIST SP 800-171 security requirements, use cloud service providers that meet at least the FedRAMP Moderate baseline (or equivalent), preserve security records and audit logs (including images of affected systems for at least 90 days after a cyber incident report), and report cyber incidents to the DoD within 72 hours of discovery. To maintain compliance and keep CUI secure, you must therefore take special precautions when migrating to GCC/GCC High, such as maintaining strict access controls and encrypting data. Careful planning before the migration starts is essential so that you are prepared to protect your CUI throughout it.
Microsoft Cloud Options for DoD Contractors
Before you can start planning your migration, you must decide which cloud environment is right for your organization. Ultimately this comes down to your contractual compliance obligations, as Microsoft GCC and GCC High offer different levels of data protection. Microsoft GCC is sufficient for many defense contractors, as it supports compliance with DFARS 7012, NIST SP 800-171, CMMC Level 1, and FedRAMP Moderate. However, if your organization is subject to stricter requirements, needs to achieve CMMC Level 2 or 3, requires FedRAMP High, or handles ITAR data, you will need GCC High. Only eligible government organizations, contractors, and partners can use GCC/GCC High, so once you have identified the right licenses, your next step is to submit a validation request to Microsoft. Once you receive validation, you can purchase your licenses and start planning your migration.
Pre-Migration Risk Assessment and Data Mapping
With your GCC/GCC High licenses purchased, you’ll be ready to start preparing for your tenant-to-tenant migration. As we’ve previously mentioned, careful planning is essential when migrating to ensure everything goes smoothly and your CUI is properly protected. In particular, DFARS-covered entities will find it useful to perform risk assessments and data mapping so that they know where their data resides and what steps they need to take to ensure compliance throughout the migration. This process includes:
- Identifying CUI: Your first step is to assess your environment, identify the types of data you will be migrating and, most importantly, identify where CUI resides. This gives you a good idea of the scope of the migration, and knowing where your CUI lives is essential to securing it properly while it moves.
- Classifying Data Sensitivity: Once you know what data you are migrating and where it resides, organize it by sensitivity level. This lets you manage the data more effectively during the migration and prioritize protection of the most sensitive data groups, which are at greatest risk.
- Applying Security Controls: Once your data is organized by sensitivity, implement security measures tailored to each category before the migration begins, such as encrypting CUI at rest and restricting access to it.
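As an added example (not code from the original post or from Agile IT), the following Python script does a minimal version of the three steps above: it walks a directory tree, looks for CUI banner markings in each file's text, assigns a sensitivity tier, and attaches the handling rules the migration plan applies to that tier. The marking patterns follow the NARA CUI marking convention (plain "CUI" for CUI Basic, "CUI//SP-<category>" for CUI Specified); the tier names, the control mapping, the `requires_gcc_high` flag and the sample files are assumptions for illustration. A real data map would come from Microsoft Purview classification and would also cover mailboxes and Office document properties, which this text-only scan does not see.

```python
"""Added example: a minimal CUI data-mapping pass (identify, classify, assign controls).

Assumptions: files are plain text; tier names, control mapping and sample
documents are illustrative and not part of the original post.
"""
import re
import tempfile
from pathlib import Path

# NARA banner-marking convention. Case-sensitive on purpose so that ordinary
# words such as "cui" or "controlled" in running text are not matched.
CUI_SPECIFIED = re.compile(r"\bCUI//SP-(?P<cat>[A-Z]+)")   # e.g. CUI//SP-EXPT
CUI_BASIC = re.compile(r"\bCUI\b|\bCONTROLLED\b")

# Assumption: minimum controls the migration plan attaches to each tier.
# Every CUI tier gets encryption in transit and at rest plus restricted access,
# as the post describes; the most sensitive tier is migrated first.
TIER_CONTROLS = {
    "CUI-Specified": ["encrypt-in-transit", "encrypt-at-rest", "restrict-access", "migrate-first"],
    "CUI-Basic": ["encrypt-in-transit", "encrypt-at-rest", "restrict-access"],
    "Uncontrolled": [],
}


def classify(text):
    """Return (tier, categories) for one document's text.

    categories holds the CUI Specified category codes found, e.g. {"EXPT"}.
    """
    cats = set(CUI_SPECIFIED.findall(text))
    if cats:
        return "CUI-Specified", cats
    if CUI_BASIC.search(text):
        return "CUI-Basic", set()
    return "Uncontrolled", set()


def map_tree(root):
    """Inventory every file under root: relative path -> tier, categories, controls."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        tier, cats = classify(text)
        inventory[path.relative_to(root).as_posix()] = {
            "tier": tier,
            "categories": sorted(cats),
            "controls": list(TIER_CONTROLS[tier]),
        }
    return inventory


def summarize(inventory):
    """Counts per tier, plus a flag when export-controlled (SP-EXPT) CUI is present.

    The flag is an assumption based on the post's note that ITAR data needs GCC High.
    """
    counts = {tier: 0 for tier in TIER_CONTROLS}
    for entry in inventory.values():
        counts[entry["tier"]] += 1
    export_controlled = any("EXPT" in e["categories"] for e in inventory.values())
    return {"counts": counts, "requires_gcc_high": export_controlled}


def demo():
    """Build a constructed sample tree (not real data) and map it."""
    samples = {  # constructed for this example
        "engineering/drawing-notes.txt": "CUI//SP-EXPT\nTolerances for the bracket assembly.",
        "contracts/sow-draft.txt": "CUI\nStatement of work, revision 3.",
        "hr/holiday-schedule.txt": "Office closed on federal holidays.",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        inventory = map_tree(tmp)
    return inventory, summarize(inventory)


if __name__ == "__main__":
    inv, summary = demo()
    for rel, entry in inv.items():
        print(f"{entry['tier']:<14} {rel}  {entry['categories']}  {entry['controls']}")
    print(summary)
```

The inventory it returns is the artifact the later steps consume: the per-file tier drives which migration batch a file lands in and which controls must already be in place, and the summary tells you before you buy licenses whether export-controlled material is in scope.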
Best Practices for Migrating CUI for DFARS-Covered Entities
After taking the time to thoroughly plan your migration, you are almost ready to execute its first phase. The migration itself, however, is when your data is at greatest risk, so certain precautions are needed to maintain compliance while it runs. Best practices for keeping CUI secure during the migration include:
- Using Tools That Support Encryption in Transit: Migration tools can streamline the data migration, but to maintain compliance any tool you choose must encrypt data in transit, as NIST SP 800-171 requires for CUI being transmitted. Check as well that the cryptography the tool uses is FIPS-validated, since 800-171 requires FIPS-validated cryptography whenever encryption is used to protect the confidentiality of CUI.
- Implementing Zero Trust Principles During Migration: To further protect CUI during the migration, apply the principle of least privilege, so that users have access only to the minimum data and services they need to do their job. By enforcing multi-factor authentication and access control policies, you ensure only authorized individuals can reach CUI. Treat migration service accounts and the application permissions granted to migration tools the same way: scope them to the workloads being moved and remove them once cutover is complete.
- Ensuring Integrity and Traceability of Data: Back up data before each phase, validate at each stage that what arrived in the new tenant matches what left the old one (item counts and content hashes, not just a completed job status), retain the migration logs as part of your records, and apply strong security measures in the new tenant from day one.
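The integrity check in the last practice above, as an added example that is not code from the original post or from Agile IT: `build_manifest()` records size and SHA-256 for every file under a root, and `compare_manifests()` diffs a source manifest against a destination manifest, reporting items that are missing, altered or unexpected so that a migration batch can be signed off (or re-run) on evidence rather than on a job status. The directory layout and file contents in `demo()` are constructed for this example; in a real GCC/GCC High migration the manifests would be produced from exported SharePoint/OneDrive content and retained with the migration records.

```python
"""Added example: hash-manifest validation of one migration batch.

Assumption: source and destination are available as directory trees; the
sample files in demo() are constructed and contain no real CUI.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's root-relative POSIX path to (size_in_bytes, sha256_hex)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (p.stat().st_size, sha256_file(p))
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(source, destination):
    """Diff two manifests; returns sorted path lists plus an overall ok flag."""
    src_keys, dst_keys = set(source), set(destination)
    common = src_keys & dst_keys
    report = {
        "missing": sorted(src_keys - dst_keys),      # left the source, never arrived
        "extra": sorted(dst_keys - src_keys),        # present only in the destination
        "mismatched": sorted(k for k in common if source[k] != destination[k]),
        "verified": sorted(k for k in common if source[k] == destination[k]),
    }
    report["ok"] = not (report["missing"] or report["extra"] or report["mismatched"])
    return report


def write_manifest(manifest, path):
    """Persist a manifest as JSON so the validation evidence can be retained."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True), encoding="utf-8")


def _populate(root, files):
    """Write a constructed file set under root (test fixture helper)."""
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def demo():
    """Simulate a batch with one missing file, one stale copy and one stray file."""
    source_files = {  # constructed sample content
        "proposals/cost-volume.txt": b"CUI\nCost volume, rev 2\n",
        "proposals/technical-volume.txt": b"CUI\nTechnical volume, rev 2\n",
        "shared/readme.txt": b"Team site readme\n",
    }
    destination_files = {
        "proposals/cost-volume.txt": b"CUI\nCost volume, rev 1\n",  # stale copy landed
        "shared/readme.txt": b"Team site readme\n",                 # intact
        "shared/thumbs.db": b"\x00\x01",                            # not in source
        # technical-volume.txt never arrived
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst, \
            tempfile.TemporaryDirectory() as records:
        _populate(src, source_files)
        _populate(dst, destination_files)
        source_manifest = build_manifest(src)
        destination_manifest = build_manifest(dst)
        write_manifest(source_manifest, Path(records, "source-manifest.json"))
        write_manifest(destination_manifest, Path(records, "destination-manifest.json"))
    return compare_manifests(source_manifest, destination_manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the manifest keys on size and content hash rather than on names alone, a stale revision that landed with the right filename (the `cost-volume.txt` case) is caught as a mismatch, and a batch is only marked `ok` when nothing is missing, altered or unexpected.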
Partner With an MSP for Compliance and Execution
For DFARS-covered entities, migrating from a commercial Microsoft tenant to GCC or GCC High requires careful planning to preserve data security and integrity and to maintain compliance throughout the migration. This makes DFARS-compliant migrations complex and lengthy, which is why it is worth partnering with an experienced MSP such as Agile IT as early as possible in the process.
As an MSP/MSSP with ample experience in DFARS-compliant migrations, a Microsoft AOS-G partner, and a Cyber-AB authorized RPO, Agile IT can help you navigate the complexities of a GCC migration. Our team of Microsoft and compliance experts can help you choose the right licenses for your organization, get through the validation process, and plan and execute a secure and compliant migration while minimizing cost and downtime. We can also help you achieve and maintain compliance in your new tenant and prepare for CMMC audits.
Feel free to contact us today to learn more about our migration and compliance services.