If you’re in the defense industrial base (DIB), you’re no stranger to ITAR and CMMC. These compliance standards govern the sharing of manufacturing, aerospace, and defense information, as well as controlled unclassified information. Under these regulations, you’re required to put robust security in place for highly sensitive information in transit and at rest.
Organizations managing sensitive data under ITAR and CMMC 2.0 might feel that their options are limited—and, to some extent, they are: Not many applications are equipped to handle highly sensitive information according to these strict standards. And many of the products that are designed for ITAR and CMMC come with a hefty price tag, like Microsoft 365 GCC High.
So, what options do DIB organizations have as budgets tighten and security requirements increase?
When it comes to supporting ITAR and CMMC 2.0 compliance, there are several available paths you could take, depending on your organization’s priorities. If you have a large, sustainable infosec budget, and your employees and contacts are also using the same Microsoft SKU, GCC High may be your solution of choice. However, there are limitations to GCC High, particularly when it comes to collaboration: For example, when it comes to file sharing, Microsoft notes that “Users in GCC-High are currently unable to share with users in Non-GCC High organizations.” It’s likely that users will encounter hurdles when they need to share information with individuals on other Microsoft SKUs or Google Workspace.
These limitations to data sharing prompted one of Virtru’s customers to look for other options. You can read the case study here: Global Engineering Firm Saves $1M by Selecting Virtru Over Microsoft Office 365 GCC High for CMMC 2.0 and ITAR.
Here's how they did it.
In the case of this particular enterprise, the majority of their workforce was on Microsoft Office 365 Commercial Cloud, and when they evaluated the cost and capabilities of the GCC High solution, they didn’t feel the value was there. They wanted to find a better solution, and that led them to Virtru.
The decision to use Virtru paid off, big time: By using Virtru’s Zero Trust data protection on top of Microsoft Commercial Cloud, instead of migrating users to Microsoft Office 365 GCC High, this enterprise was able to save over $1 million, plus the amount it would have cost to move thousands of users onto GCC High, which would have been a months-long process. As a result, they were also able to shut down their last on-prem server and reassign data center employees to other areas of focus, fueling business growth.
Yes, you can use Google Workspace and achieve CMMC and ITAR compliance — as long as you have the right layers of additional security in place (such as Virtru and others). In a recent webinar on CMMC 2.0, Patrick O’Brien, CIO of Summit Federal Services, described the organization’s CMMC 2.0 journey. A Google shop, they quickly realized that they were in the minority in the defense industrial base, and they had to make a decision: Continue with Google, or migrate to Microsoft.
“The first thing we found is we weren't alone in this quest,” said O’Brien. “We kind of found an underground group of Google platform folks who were government contractors. And we've banded together, and we've learned a lot from each other. The biggest thing is that you can do this going through Google. We decided to stick with Google after we thought about this. You know, we were confronted with CMMC, and that was a decision point: Do we stick with Google? Are we going to be able to get through this and continue bidding on government contracts, or do we really need to pivot and go with Microsoft and GCC?”
“I've kind of said sometimes that Google occasionally arrives late to a party, but when they arrive, they usually bring the keg,” O’Brien said. “And in this case, they are proving that that's the case. So they did arrive a little late, but we found that they installed their head of global compliance, who was the former Assistant Secretary for Cybersecurity and Communications at DHS. And she was also the Director for Critical Infrastructure Cybersecurity on the National Security staff at the White House. So they're obviously investing in this, and they've come a long way since we were in the middle of CMMC 1.0.”
O’Brien continued, “Anybody who does this is going to have some bolt-ons. We have found Virtru to be an excellent partner in that regard, helping with some of our email and our file requirements. And they've been super. And there are other products that, whether you go Microsoft or Google or another platform, or you're mostly on prem, you're going to have a lot of elbow grease to do so. For those reasons, we thought we were in a good space and we're actually fairly [far] along in the [CMMC 2.0] process.”
In the same CMMC 2.0 webinar, Stuart Itkin, Vice President for CMMC and FedRAMP Assurance for Coalfire Federal, highlighted that compliance is not the sole objective: “If anybody takes away anything from this particular session and is thinking about CMMC, don't think about compliance. It's not about how we check this box. Think about, ‘How is it that I secure the information that I'm entrusted with?’ and, ‘How do I secure the information that I've actually paid to develop as an organization and that I'm looking to get a return from?’”
Itkin highlights a salient point: The intent of compliance regulations like ITAR and CMMC, and conventions like Zero Trust, is to protect sensitive information — to ensure that only the right people, with very specific attributes, can access the data, and that no one else can. You need these protections to follow the data, whether it stays inside your organization, or whether it leaves your organization. Your ultimate goal is to protect the data itself, whether it’s intellectual property, federal program information, controlled information, or anything else that needs to remain private.
With Virtru, organizations get an affordable way to protect sensitive data without sacrificing the ability to share it when they need to. They can use the cloud collaboration platforms of their choice, whether Microsoft 365 or Google Workspace, and apply Virtru’s end-to-end encryption and granular access controls to information before it leaves your organization’s environment. Users don’t have to change anything about their workflows to use Virtru encryption for ITAR and CMMC data. With Virtru, data is protected across its entire lifecycle, and access controls can be changed at any time to ensure data remains completely secure and under your control.
If you’re exploring your options for CMMC 2.0 and ITAR compliance, contact our team to see how Virtru can help you implement simple, affordable Zero Trust protections for your most sensitive data.