How to Perform a Tenant-to-Tenant Migration for CMMC Compliance
Planning a tenant-to-tenant migration for CMMC compliance? Learn best practices, tool options, and common pitfalls when moving data between tenants under CMMC.

For organizations within the Defense Industrial Base (DIB) subject to CMMC, choosing the right cloud environment is essential in order to protect sensitive government data such as Controlled Unclassified Information (CUI). To properly protect data and maintain compliance, you may find that the best option is to migrate from a commercial Microsoft tenant to Microsoft Government Community Cloud (GCC) High. GCC High is Microsoft’s cloud environment specifically designed for U.S. government entities and federal contractors to protect sensitive government data. As such, it provides enhanced security and compliance features necessary to help defense contractors meet their CMMC compliance obligations.
However, while migrating from a commercial Microsoft tenant to GCC High can be an essential part of the CMMC compliance process, a tenant-to-tenant migration can also be a complex and challenging process. Unless you take the proper steps to understand your compliance obligations and thoroughly prepare for your migration, you could succumb to common pitfalls that could threaten the security of your CUI. To help ensure your data security during your tenant-to-tenant migration, keep reading in this blog series as we take a deeper look at what is involved in a tenant-to-tenant migration and how you can ensure this process goes smoothly.
Why Tenant-to-Tenant Migrations Happen
Before we look at the process involved in performing a tenant-to-tenant migration, it is important to first understand why an organization would need to go through a tenant migration in the first place. Tenant-to-tenant migrations involve moving data, users, applications, and security settings from one cloud tenant to another. Some of the most common reasons a company may need a tenant-to-tenant migration include:
-
Mergers and Acquisitions: Tenant-to-tenant migrations are common during mergers and acquisitions, as the two combining companies will need to integrate their cloud tenants into a single, unified environment in order to avoid confusion and give staff a single place to work.
-
Restructuring and Divestitures: A company that is shifting operations or selling off part of its business will need to separate their cloud environment through a tenant-to-tenant migration.
-
Evolving Compliance Needs: For organizations in the DIB, the most common reason to perform a tenant-to-tenant migration is to meet their evolving compliance needs. The fact is that if an organization wants to acquire or maintain Department of Defense (DoD) contracts, they will need to achieve compliance with regulations such as CMMC. Considering Microsoft recommends GCC High for any defense contractor that needs to achieve compliance with CMMC Levels 2 or 3, maintaining compliance will likely require migrating from a commercial Microsoft tenant to GCC High.
CMMC Requirements to Keep in Mind
If you determine that migrating to Microsoft GCC High is the best option to ensure you meet your compliance obligations, it’s important that you do not rush into your tenant-to-tenant migration. The fact is that migrating to GCC High is a complex process, and you need to keep certain security requirements in mind to properly protect any CUI you handle. Meticulous planning is then needed to ensure a smooth, secure migration. This will include making sure that you maintain data protection throughout the migration using encryption, access controls, and security measures like multifactor authentication (MFA). Taking a phased approach, performing rigorous testing, and thorough documentation are also essential in a tenant-to-tenant migration to maintain data security during the migration, as well as to ensure that the new environment meets CMMC standards.
Common Compliance Pitfalls During Migration
To ensure that your GCC High migration goes smoothly and you maintain CMMC data security standards throughout the migration, you should take care to avoid common pitfalls organizations fall into during tenant-to-tenant migrations. Some of the most common mistakes organizations make during tenant migrations include:
-
Loss of Data Governance: Handling sensitive data like CUI during a tenant migration requires meticulous planning to maintain data governance. If you don’t have proper policies, processes, and strategies in place to maintain data security throughout the migration, this could result in lost data or a data breach.
-
Lack of Audit Trail Preservation: Without proper planning of your tenant migration, you also risk losing your audit trail. However, audit trail preservation is critical to compliance, making it essential that you establish a comprehensive strategy for audit trail preservation before starting your migration. One way to help minimize data loss and ensure data integrity during your migration would be to employ a phased (staged) migration approach.
-
Migrating into Non-Compliant Tenants: Migrating tenants takes a lot of time and money, meaning that the last thing you want to have happen is investing resources in a tenant-to-tenant migration only to discover that the tenant you migrated to does not meet your compliance needs. This makes it essential that you partner with an experienced Microsoft AOS-G partner who can help you choose the right tenant to support your compliance needs.
The good news is that you can avoid these potentially costly mistakes by carefully planning your tenant-to-tenant migration and employing best practices to ensure you maintain CMMC compliance throughout the migration process.
Best Practices for a CMMC-Compliant Migration
While performing a CMMC-compliant tenant-to-tenant migration can be a complex process, taking the time to thoroughly plan your migration and implement a few common best practices can go a long way in helping ensure that your migration goes as smoothly as possible. A few best practices you should implement for a successful migration include:
-
Performing a Pre-Migration Gap Assessment: Before you start your migration, it is essential that you perform a gap assessment evaluating your current cybersecurity posture against CMMC requirements. Documenting any gaps you encounter will help you take appropriate measures to fix these inadequacies when provisioning your new tenant.
-
Consulting an RPO/MSP Familiar with CMMC: When trying to achieve CMMC compliance, it is also essential that you partner with a Cyber-AB-accredited Registered Provider Organization (RPO). RPOs are certified to help Organizations Seeking Certification (OSCs) achieve CMMC compliance and prepare for third-party assessment, and they can be a critical asset during a tenant-to-tenant migration involving CUI.
-
Documenting Your Migration Plan, Including POA&Ms: Before you start your migration, it is essential that you take the time to develop and document a detailed migration plan, as having a plan in place can help ensure that this process goes as smoothly as possible. This documentation should also include a Plan of Action and Milestones (POA&M) that addresses any compliance gaps you identified and how you plan to remediate them in your new tenant.
-
Encrypting Data in Transit and Rest: Leading up to, during, and after your migration, it’s critical that you ensure that your sensitive data (including CUI) is encrypted both in transit and at rest. Not only is this essential to protect the CUI you handle, but it will also help ensure that you maintain compliance.
Consult Agile IT for Help Facilitating a Secure Migration
Performing a tenant-to-tenant migration is essential for DoD contractors looking to protect the sensitive government data they handle, as moving from a Microsoft commercial tenant to GCC or GCC High can give them the compliance and security features they need to maintain CMMC compliance. However, maintaining compliance before, during, and after your migration can seem like an overwhelming prospect, and it is understandable if you don’t know where to start. Fortunately, this is where Agile IT can help.
As an experienced Cyber-AB authorized RPO and Microsoft AOS-G partner, our team has the knowledge, experience, and certifications to help you plan and execute your migration while maintaining CMMC alignment before, during, and after the move. By working with us, you can rest easy knowing that you have IT professionals by your side who have ample experience performing CMMC-compliant tenant-to-tenant and enclave migrations, who can help reduce the risks and costs associated with a CMMC migration.
Feel free to contact us today to learn more about our CMMC compliance and GCC High migration services, as well as to schedule a strategy session with our CMMC migration experts.