
In Defense of Your Data: Navigating CMMC Compliance in Google Workspace

Air Date: December 14, 2023


As organizations in the defense industrial base increasingly adopt cloud collaboration tools like Google Workspace and Microsoft Office 365, questions arise around meeting CMMC security requirements. While many organizations assume they must remain on Microsoft to meet CMMC compliance, Google’s cloud can provide a more cost-effective and secure foundation – bolstered by third-party tools like Virtru – for maintaining the confidentiality and integrity of CUI and other sensitive data.

Join this timely discussion with experts Zach Walker, Founder & Managing Partner of ATX Defense, and Trevor Foskett, Senior Director of Solutions Engineering at Virtru, as they break down key considerations, capabilities, and use cases for complementing Workspace with end-to-end encryption to support data residency and CMMC compliance.

Whether you're evaluating a migration from Microsoft or already managing a CMMC-compliant Workspace environment, this session will provide valuable insights and best practices grounded in real customer solutions. Grab a cup of coffee and obtain actionable guidance on Workspace data protection approaches to meet current DFARS standards while future-proofing for forthcoming CMMC regulations! 


Transcript

Alright. Welcome everybody. This is the latest episode of Virtru's sort of casual conversation series, Hash It Out, where we discuss industry topics and just have sort of casual conversations about them to see, you know, what we're thinking with thought leaders in that space. So, my name is Trevor Foskett, Senior Director of Solutions Engineering here at Virtru. If you've been watching Hash It Out, you've probably seen my face a couple of times.

I'm joined today by my friend, Zach Walker, who's the founder and managing partner of ATX Defense, and our session today is titled, "In Defense of Your Data: Navigating CMMC Compliance in Google Workspace." So, Zach, thanks for joining us. You wanna give a couple words on yourself and ATX Defense?

Yeah. Love to. Yeah. Thanks so much for having me, Trevor and Virtru. I'm very excited to be here today. So, ATX Defense is a management consultancy.

Primarily, what we do is work with the Department of Defense, mainly here in Austin, Texas and help them with various technology initiatives that they have, generally around software development, things like that, which is very different than CMMC.

That's something that we came into a couple of years ago because we were working with the Department of Defense and offering them Google Workspace as a Google partner. And then, again, working through all of the fun compliance issues and questions and everything to give them a CUI-capable Workspace. And then at some point, it hit us, probably too, that this is something that the DOD needs. It's probably something that industry needs, and I was just astonished when I was starting to look and do the research online.

You know, Google Workspace, CMMC, and there's nothing there. I mean, the only thing you'd find is all the FUD that's out there by the Microsoft resellers about how you can't use Google Workspace for CMMC. And then I started hearing these stories of dual-use startups and other high-growth companies, which are almost all on Google Workspace, being told that they have to move to Microsoft GCC High to do any work with the government.

And I was just really blown away that there wasn't a voice out there kinda countering that or giving some information, because every time a startup leaves Workspace to go to GCC High, an angel loses its wings. And so what we're doing here is trying to stop that from happening. And just make sure people have the information they need. We're a very non-traditional reseller.

We're more of a consultancy, you know. CMMC is a very important topic for us, just being mission driven myself. I've been a reservist for twenty-two years and worked at the intersection of commercial tech and national security and intelligence for a long time. And so there's a lot of reasons why DOD wants CMMC to happen. There's a lot of reasons why NIST 800-171 is the law of the land and, you know, happy to jump into those as well.

Yeah, and it's just a very important thing.

Awesome. Yeah. Appreciate that. And you mentioned a couple things in there that I think really resonated, especially in this world of CMMC, and, you know, CMMC has been looming over a lot of these contractors for a couple years now.

You mentioned FUD, which for those who aren't aware is fear, uncertainty and doubt, as well as just getting people the information they need. I think there's a lot of FUD out there and maybe not a lot of the information people need when it comes to CMMC, leading a lot of people to maybe, you know, overcompensate in what their plans are for that or simply not understand what's required of them. I mean, to that end, you recently published a quite lengthy blog post about your findings, kinda looking into what does CMMC actually require and is this something that can be achieved on Google Workspace?

I think if you ask most IT folks in the DOD-adjacent space, they would say you really need to be on Microsoft platforms in order to meet these requirements. Can you tell me a little bit about kind of what inspired you to write that piece and, you know, a little bit about what your findings were and if you were surprised or not by kind of the result?

Yeah. Yeah. No, I just kept having to email people these answers, and I just thought, okay. Maybe I should just sit down and type this all out so I don't have to keep emailing it back and forth. The way this started for me is over the summer.

Honestly, I'll be honest. My family and I went out of town for a bit of time, so I could, like, actually finally sit down and concentrate. And so I was, like, you know what, I'm gonna write a guide on Level 1 of CMMC, which is just if you're dealing with federal contract information, non-public information, that's generally accepted as Level 1 of CMMC.

How would you do that in Workspace? Can you do that in Workspace? What else might you need? And just get that out there.

And that's something that we made, CMMCguide.ATXdefense.com. Put that out over the summer and it was really popular. And that was really the first time people were saying, wow, I never had any idea that you could do this in Workspace, and to be fair, it is a little bit more complicated than just buying a single license like you do with Microsoft, but it certainly can be done, and it can be done at a much lower cost than Microsoft. So again with that, sending out the guide, answering questions, you're getting lots of questions about data sovereignty and ITAR support and foreign nationals and just all the things that you reasonably would want to know if you're adopting it for your business to meet both CMMC and other, you know, DFARS, you know, the 7012 requirements.

So I just collated that data and thought, I'll put it out there.

There's also a really, I'd say, really good group of people that are in the CMMC space, which I guess I'm now one of them, just by whether you wanna be or not, you're in. Yeah.

Yeah. I'm in it now. But it's just really supportive. It's a really good group of people.

You know, again, it is almost exclusively Microsoft, but not because they don't wanna do anything else. It's just historically been what this environment has done because it mirrors the DOD. And until recently, the DOD has been very much a Microsoft monopoly. So it's a great group. So anything I post, I generally put it out to them first and let them hack at it and ask questions, and some of the more controversial things that I was saying, which I felt like, you know, certainly stepping out of my comfort zone talking about, you know, FIPS 140-2 encryption and Department of State rules and regulations and ITAR and all that.

Just putting out there my understanding of what I could tell in the context of Google Workspace.

And as far as I can tell, either everyone thinks it's wrong, and they're just not saying anything because they think it's really funny, or it's actually correct, and you really can do what you need to do in Workspace for anywhere from, you know, thirty to ninety percent less cost than on Microsoft GCC High.

Oh, yeah. So if you're someone who's, you know, thinking about CMMC compliance, you deal with CUI, but you wanna be in the Google ecosystem, what are some of the top things I wanna think about as I evaluate that ecosystem? 'Cause you mentioned, you know, I think one of the advantages that Microsoft has in this space is they say, look, you buy the licensing, and you're good.

Google, in your finding, is not quite like that, but there are options. So are there a few kinda key things that you would have people look at when they're evaluating that ecosystem? You need to do this, this, and this in order to check those boxes, or is it more org by org, sort of up to company preference? What were your findings like on that front?

Yeah. Yeah. I think what it really comes down to is a very different approach, but you really have to decide what kind of information either you're bound to hold by contract or the kind of information you think you'll need to store securely within Workspace. It's not really the same on the Microsoft side.

And I thought this was really interesting because both the resellers and Microsoft itself, and I quote them in my CMMC guide, what they say is it really doesn't matter what kind of data you store. You really need to get GCC High, which as far as I can tell, is about $1,150 a user a year. I don't know because they don't post this information publicly, which I think is also kind of a red flag.

But, yeah, well over a thousand dollars a year, and the reason you need to do that is, I think, in their words, you don't wanna deal with the pain of having to migrate every time you go from, yeah, commercial to GCC and then migrate from GCC to GCC High. It just sounds like a really horrible, expensive process.

Google, their technology is not legacy. Right? It's very modern technology. That's just not how Google works.

So, there's no migration if you need to change editions of Google. And also, all editions of Google, for the most part, you can do those things that you can't do in Microsoft: guarantee your data stays in the United States. That's a very, like, expensive premium feature at Microsoft. You get that just by getting Google Workspace, because of the way it's architected.

And especially when it comes to some of the more niche data residency things, the data sovereignty issues, that's just an add-on. And seamlessly in the back end, it fixes the issue with Google, whereas in Microsoft, that would be a whole migration. So that's why I think that was one of the more contentious points in what I wrote. Essentially what Microsoft's saying is that no matter what your use case is, you really need to pay $1,150 a user a year.

What I'm saying is, if you don't have ITAR, export control data, you know, limited dissemination data, NOFORN. Like ATX Defense, we're essentially a DOD contractor doing management consulting.

We only deal with CUI Basic, right, and CUI Basic, meaning by definition it doesn't have special handling controls, doesn't have special safeguarding controls. That's all we need.

And for CUI Basic, you really only need, by my estimate, the lowest version of Google Workspace, which is roughly twenty bucks a month. So if you go to Microsoft, they would say pay $1,150 a year. If you go to Google, again, for a simple, normal use case, pay $240 a year. You'll need to get a little bit more, like antivirus, things like that, but if you can't find antivirus for less than, like, nine hundred bucks a year, then you're doing it wrong.

Maybe you need a different MSP to work with to figure out where you should be buying your Internet.

Right? Yeah. You might need a different service provider. Yeah. That's right. That's right.

Well, you mentioned, I mean, it's interesting. You know, we talked a lot about CMMC, and you said, you know, sort of in the same breath, ITAR, which a lot of times go hand in hand. We work with a lot of organizations who need CMMC and ITAR, but they're not the same. And there are some organizations who only need one or only need the other. And I think there's a very important distinction to be made because the requirements are similar, but not quite exactly the same. ITAR has some requirements for, you know, encryption and hosting of keys to be outside that same environment, whereas CMMC just says we need to have encryption.

CMMC says you need to use specifically FIPS 140-2 validated encryption modules; ITAR says that or equivalent. So it sounds like you guys are working mostly with CMMC, but do you see any areas of overlap there that, you know, would require someone to maybe change their plans, or is it largely, you know, you wanna just focus on CMMC for Workspace, or are there sort of ITAR solutions there as well?

For us as a company, we really wanna focus on that defense industrial base, and honestly, it is stepping back a bit.

For us, as I mentioned earlier, it's really kind of a mission-driven thing for us, having backgrounds in defense and national security, but to put a finer point on it more specifically, before I started at ATX Defense, as a reservist, I was on active duty for about four years with the Defense Innovation Unit, which is an organization that actually, they've done some really cool stuff. They're now back reporting to the Secretary of Defense. Their big thing was, let's get all these non-traditional companies, all of these dual-use startups, you know, think about, you know, Elon Musk companies and other really, really high-growth venture-backed companies that don't traditionally work with DOD because it can be so slow and painful.

Let's find ways to get them into DOD. Let's get them in. Let's make it easy. And, yeah, they did that to phenomenal success.

Right? My first deal, we were able to get a five million dollar contract awarded in twenty-six business days, which... That's amazing. Right?

They've done amazing work bringing these companies in.

Now we're saying thanks for playing.

But here's NIST 800-171, and I hope you're ready to spend God knows how much getting your systems up to date with NIST 800-171. And I think for a lot of these companies that maybe only do a small percent of their work in DOD, they're gonna say, no, we're good. Yeah.

Thanks for the good contract vehicles, but I don't think it's worth it for us to go down that path because that's going to hamper us as we grow and do things in the company. And that's the part that, I think, is hard for DOD to realize. I know they put out public statements that they expect consolidation in the industry, which is just a really mean way of saying it. Like, companies are gonna go out of business, get bought and sold.

And I think there's just a bigger issue there or national security concerns with that.

Yeah. You know, I'm curious about that. And I had this thought the last time we spoke about this, but we moved on to something else. I didn't get it out, but I'm curious.

Do you think there's an, you know, there's obviously an awareness of the effect that this will have sort of on the marketplace as far as these smaller contractors. Do you think there's any intentional thinning of the herd here? And we're getting a little bit beyond the technology here, so feel free to take a pass on this one. This is just more, you know, shooting a little bit.

But, you know, what do you think there? Do you think it's intentional? Like, let's kinda, like, get some of these smaller ones out of the way so we only deal with a smaller consolidated base, or is it just an unfortunate side effect of the requirements for handling this type of data?

I like that. Like, some kind of grand, like, conspiracy theory of, you're way too... I'm always gonna go to a base site.

Yeah. I like that.

What I'd like to say about conspiracy theories is, oh, I've yet to meet a government program manager that's a conspiracy theorist because once you actually know how things work on the inside, like, there's no way anyone could pull off anything of that scale. Right?

Take your thing.

Yeah.

And I would say the same here. Right? No way do I think the Department of Defense wants to limit competition and wants to cut out small businesses. I really don't.

They're doing it for the right reasons. And certainly coming from the highest levels, the things that, especially the Deputy Secretary of Defense, Dr. Kath Hicks, is saying, I mean, there is no senior executive or general officer who would say that they don't want smaller businesses in this space.

And if they did, I think it would end very badly for them. It's really not the intention, but what they are saying is, hey, you know, and they're not saying this, I'm saying this on their behalf, like, you know, the recent Chinese fighter plane looks a whole lot like a US Air Force fighter plane, and it's probably not because they really love the US Air Force. Although, I can't blame them. I love the US Air Force too.

Probably because it was super easy to take all those documents off of, you know, someone's unpatched Windows XP desktop, and just, you know, kinda pull it off there because someone made a widget that goes in a thing that goes in a thing that goes in a thing that goes on the F-35, but they needed the plans or schematics to get their thing made, and it was just so easy to take. So that's the part that I'm kinda torn on, because from my Defense Innovation Unit, working with venture capital, you know, MBA perspective, like, this is a terrible thing to do to companies.

The DOD should make it easier. We're gonna squeeze out these dual-use startups and small businesses, but then from, you know, putting my decade-at-the-NSA hat on, well, we need this though. I mean, there's a reason why this exists. There is not an easy way to make it to where our data can be more secure.

You know, this has been around since 2017 and that's the part that I certainly didn't realize when I first got in this business is that the actual requirement to protect CUI, which is this very, very famous DFARS 252.204-7012.

Which I know far more about than I ever hoped. That's been in effect since 2017. So, you know, CMMC is not new, and I get that a lot. Right?

Right? It's, CMMC is not out. It's not a final rule. We're not gonna worry about it.

Like, if you have CUI, if you're bound by that clause, you've had this requirement since 2017. And so there's really no excuse in it, and it doesn't really matter what size you are. So, again, ATX Defense could be a five- or six-person company. It could be Northrop Grumman.

I mean, it's all the same, it's all the same requirement to protect that. And there's a very good reason again because we know for a fact that this information is being taken. We know it's being compromised. We know it's just, you know, countless hours and billions of dollars of R&D that's being taken that puts national security at risk.

And so it was a very long answer to a very simple question, but I certainly think that the DOD has a very good reason for wanting to do this. Yeah. And I think that it's not intentional, but we just have to be realistic. Like, this is going to dramatically hurt companies, especially when they start seeing the bill from Microsoft.

Again, over a thousand dollars each year.

Well, that's, you know, I think you're absolutely right. You know, while I always think it would be, you know, the world would be a very interesting place if all these conspiracy theories were true, to your point, no one's got time for that, and it is just a side effect, which makes the importance of what you guys at ATX are doing that much more important: finding affordable solutions for people to meet these compliances, because if you're paying that eleven hundred something per user per year, some just aren't gonna be able to do it. So can we find an alternative on Google Workspace or on, you know, a Microsoft commercial cloud rather than a government cloud, you know, to make that work?

I think it is really important. A lot of our customers come to us for just that. Hey, it sounds like we're gonna have to move to GCC High. That's gonna quadruple our budget. Is there anything that Virtru can do to kinda help us either move to Google, where, you know, we frankly prefer to be, or just stay on the commercial cloud? And using sort of our encryption technologies can help you do that, in the same way that you look not just at what Microsoft is saying you need to do, but at what the letter of the law actually says, and saying what other technologies can we use to meet these requirements. Maybe not in that one fell swoop of boom, I've just bought a GCC license, but if I add on Google Assured Controls, and then I'm using client-side encryption or Virtru for sending encrypted Gmail, things like these can get you there, and that total package cost is gonna be, I think, wildly more affordable. Even if you add on some extra bells and whistles that, you know, you don't totally need, you're still gonna have a better, you know, experience in that Workspace world.

So that's so interesting that you were at, you know, DIU and hearing about that sort of investment. Is that sort of, during your experience in investigating new technologies, is that sort of how you became more of a Google guy? I mean, coming from your government background, it seems like you should probably be a Microsoft guy. Are you just thinking Google's more forward leaning, or how did you wind up being sort of a Google evangelist?

Yeah. I certainly wasn't a Google evangelist in the government because I didn't have a chance to. I just knew I hated having to spend thirty minutes trying to log into my email, my government email, and it just randomly not working and crashing. And I just thought we were just hopeless. Like, I should probably start learning Mandarin now because when China comes, like, no one's gonna be able to access their email and it's all over. But then when we got to DIU, yeah, DIU, at the time...

Again, just one of the barrier-breaking things that they did is they essentially gave themselves a waiver to use Google Workspace, back, like, 2016, before it was cool and way before it was compliant, but that's a different story.

Maybe we'll edit that part out.

Yeah. I don't know about that part. But, you know, it just was hard to explain how transformative it was. In all seriousness, you know, as much as I hate using the Microsoft email, right, just the way it was architected, just the way you had to go through, just the onerous layers of security and ID card or a government device and just all the things that were more security theater that were implemented, than to be able to use Google and to be able to just send messages to people and not have to worry about it and just easily implement chat and share files without having to go through...

God knows, a, you know, twenty-hour course in SharePoint. It was just so easy and intuitive. And I was able to be far more productive in my job, again, outreach to companies, outreach to other organizations, doing these projects, doing specifically cyber projects. I was just a different person in what I was able to get done. And that made me realize that there is hope, really, for the Department of Defense. Yeah.

If more people could use Google, I think we'd be in a much better spot. And so I'm, you know, I'm a reservist. I'm in the reserves. I go to my Air Force drill one weekend a month. And it's just like, this is 2023.

We're in December 2023. Every time, it's like, well, there's a new update to the Windows laptop, so you guys are gonna need to plug it in and let it go for four hours, or, like, oh, the network's down again. So you guys, hopefully, you didn't need it. It's just... Yeah. It's just astonishing what we're doing.

So, yeah, so on that front, I mean, we've been talking a lot about, you know, let's think of Microsoft as sort of the default secure solution we should be looking at. But if the cost or maybe some of the user experience isn't what you're looking for, let's look at alternatives. But I think based on some of the recent news in just this year alone, maybe the industry should be rethinking that position that Microsoft is sort of the default secure. Can you talk a little bit about some of the things you've seen coming out of that world, not just on a cost basis, but sort of security impact, as far as the way that they've positioned some of their products and ecosystem?

Yeah. I know it's a very good point, and I think it's an important conversation to have in this context because, you know, Google wasn't in the news over the summer for having the Commerce Secretary's email exfiltrated to China. Right? And the reason for that, in case you didn't know, that was Microsoft, right, their information was taken.

Google went through this. And that's the part that I think is very interesting. Google dealt with their own Chinese hack, Operation Aurora, back in 2009, 2010. Like, they went through this all, and it was terrible.

I mean, source code taken, you name it, it's all on the Wikipedia page. And what came out of that was, my understanding is, Google basically said, okay, blank check. If we could try again and rebuild an architecture that was secured from the beginning, and was managed in a way that, let's say China or another actor compromised part of it, it wouldn't take down the whole system. How do we do that?

And that's exactly what they did. And that is zero trust. I know zero trust is a buzzword, but that's where it got started. It was the fallout, the changes coming out of Operation Aurora.

Microsoft, I think, was just busy printing money, selling their existing software to the government and was busy like money printer go. Okay. I guess we'll keep doing what we're doing. Oh, there's another zero day.

Oh, there's another hack. Oh, sorry, guys. We won't let that happen again, until it happens the next week. And just, they never did that. It's legacy, right?

Desktop servers and legacy technology that's now in the cloud. I think we're seeing kind of that, I guess, that technical debt of when you do that refactoring, there's a lot of vulnerabilities that are latent. So we're, again, we're seeing that in the news with them. I'm not saying Google's perfect, certainly.

But what I am saying is, when you rebuild an architecture from the ground up for security...

And, you know, things like GovCloud. Right? You don't need a GovCloud in Google, right, because all their infrastructure is FedRAMP High and certified. Right. It's just a very different way of looking at it. And once you realize there are alternatives, it gets pretty exciting for DOD and DOD-adjacent organizations, like CMMC.

Yeah. Awesome. Well, I think we are at time, Zach, but that was wildly informative for me. I hope for those listening in as well.

If you liked hearing from Zach, and maybe me a little bit today as well, you can join us again in about a month, towards the end of January. We're gonna have Zach on a more sort of formal webinar-style presentation that we're calling "CUI in Context: Clarifying CMMC and ITAR Confusion for Defense Contractors." So we're looking forward to chatting with you again in about a month, Zach.

Any final notes? I know you've got a plane to catch. Maybe tell us where you're off to and why, if you don't have any final notes on CMMC and Google Workspace.

Hopefully, we're not making you too late, but really appreciate the time.

No. No. We're still good. I'm glad we were able to do this today because I am about to head to the airport to go to Las Vegas for my 40th birthday. And, as you know, the old saying goes, you know, what happens in Vegas can stay in Vegas if it's FIPS 140-2 encrypted.

There you go. Couldn't have said it better myself. Zach, thank you so much for the time, and look forward to speaking with you next month. Hope you have a good weekend. And make it back up in one piece for us. Alright?

We'll try. Thanks so much for that. Bye.

Thank you, sir.
