CarahCast: Podcasts on Technology in the Public Sector

Data Governance Implementations for the DoD Based on Lessons Learned from CMMC with AvePoint

Episode Summary

The introduction of the Cybersecurity Maturity Model Certification (CMMC) to the Defense Industrial Base (DIB) comes with a renewed emphasis on securing Controlled Unclassified Information (CUI) across all layers of the DoD supply chain. For DoD agencies and DIB contractors who are subject to CMMC, Microsoft 365 offers robust tools like DLP and AIP to protect content at the file level. However, to ensure CUI remains secure, IT requires an additional layer of control over where the data resides in their environment (i.e. Teams, SharePoint). Striking the balance between enabling end-users to collaborate efficiently while maintaining secure control over these collaboration workspaces requires a strong data governance strategy to be in place. In this podcast, listen to AvePoint Public Sector's Principal Solution Engineer, Jay Leask, and C3 Integrated Solutions President, Bill Wootton, to learn how organizations across the DIB are implementing smart data governance strategies to navigate the following challenges in their M365 environments:

• Reporting
• Decentralized provisioning
• Control over membership
• Inadvertent sharing
• Data classification
• Workspace recertification
• Lifecycle management

Episode Transcription


Data Governance Implementations for the DoD Based on Lessons Learned from CMMC

Speaker 1: On behalf of AvePoint Public Sector and Carahsoft, we would like to welcome you to today's podcast focused around data governance implementations for the DoD based on lessons learned from CMMC, where Jay Leask, Principal Solutions Engineer at AvePoint Public Sector and Bill Wootton, President of C3 Integrated Solutions, will discuss how organizations across the DIB are implementing smart data governance strategies to navigate the challenges in their M365 environments.

Jay Leask: Thank you so much. Good morning, everyone. We're going to do webcams instead of slides today. So, hopefully, this will be a different type of conversation than you're used to, with all the webinars we're attending this year. So, good morning. My name is Jay Leask, I'm the Principal Solution Engineer and Lead Strategist for the national security program here at AvePoint Public Sector.

Jay Leask: AvePoint is a Microsoft ISV, for those of you not familiar with us, providing tools to migrate, manage, and protect your data in Microsoft both on premises, and since its release, on Office 365. The pandemic has really changed how people work. But in the DoD, and the defense industrial base, it's been a complete turnaround in both how we work and how we think.

Jay Leask: While cloud first has been discussed in the commercial sector for quite a while, very few government agencies were following that mindset. However, with the DoD and Microsoft's rollout of the CVR in response to the work from home edict, the idea that the Department of Defense and its partners in the DIB could use the cloud, and were using the cloud, completely changed the conversation.

Jay Leask: Having spent the last year working with our defense and DIB partners on what it means to take a cloud-first mindset, I'm excited today to bring Bill Wootton from C3 Integrated Solutions to the room to talk about what we've learned for those agencies, from those agencies, and our DIB partners considering a cloud-first mindset. Especially, in relation to how regulations such as the CMMC may affect tools, like Office 365, when rolled out. Bill, really appreciate you joining us today.

Bill Wootton: Thanks, Jay. Great to be here. Definitely.

Jay Leask: So, we wrote a series of blog articles, blog articles, it's going to be a day, we wrote a series of blog articles over the past year related to the CVR, and what it means to move to an IL4, IL5 environment for supporting collaboration. And as part of that, you wrote an article specifically on things you've learned from governance relating to CMMC.

Bill Wootton: Yep, yeah. It was a great blog. We were able to pull apart some of the things that we are seeing in the customer environments, what clients are coming to us with various challenges towards, and then how we've been able to craft some solutions around that, and bring different ideas, and some creativity, obviously, leveraging some of the AvePoint solutions towards those key challenges our clients are having.

Jay Leask: So, the goal here today is to talk about CMMC, the various levels, maybe the five stages of grief, where they might be, and really figure out, how do we take that step? And how do we ensure we're not just following the regulation, but protecting our data, right?

Bill Wootton: Absolutely. And that's probably a good spot to start. At this point, there's probably 20 webinars a day on various topics around CMMC that really cover what the role is, and where it came from, and what the roles are about that. But I just think the quick level set for everyone on this call, is that CMMC is all about protecting controlled unclassified information.

Bill Wootton: And there are five levels of certification that come with it. Level one is simply federal contract information, which all contractors agree to. When they sign a contract, and they agree to DFAR, there's a rule in there that is effectively CMMC level one. Level two is a transition. Level three, if you're going to hold, store, process, or transit CUI data, then you're going to be level three, and you're in the club for that.

Bill Wootton: For those in the defense industry that correlates somewhat closely to DFAR 7012 with some additional controls, and the element of maturity that goes in on top of that as well. And that brings us up to one of our first questions for today is, from the audience, we can get an idea of what stage of CMMC folks are aiming for, and what they're aspiring to be accredited at?

Jay Leask: Yeah. During the intro, we had a question up that talked about what environment you were in whether it was GCC, GCC High, commercial. I saw there's a really big spread naturally, a lot more people in commercial than I had expected there to be. What are your thoughts on how those environments relate to what we're talking about today?

Bill Wootton: Well, to some extent, it's all the same. To some extent, it's different. There are the obvious differences between commercial, GCC and GCC High. Those are mostly about where the data resides, what Microsoft will attest to from a compliance standpoint, and how that functions for the unique requirements of it.

Bill Wootton: But in terms of the feature functionality of some of the things we're going to talk about around Azure Information Protection, data loss prevention, and how AvePoint tools overlay on top of that, it is pretty much the same. There isn't a big spread difference. When Microsoft was able to release unified labeling late last year, we got pretty close to parity in this area between the various clouds.

Jay Leask: Yeah. Supporting the public sector as much as I have over the last five years, the number one comment we hear is not just what features are available to me, but how do I know what features are available to me? We hear a lot on the commercial side of new things roll out, and just waiting for them to show up, and reading all that documentation, trying to know when is it going to come to me? What's it going to be? Is it going to look exactly the same? Those are a lot of questions we come across, right?

Bill Wootton: Yeah. We get those every day. Especially, we do a ton of work in the GCC High space. And there is always that lag between commercial into the GCC High space. Microsoft is doing a great job to close that gap. They've made huge progress over the last couple years. But there is still a little bit of a lag. And even at that point when things roll out, it's not always as even as we'd hoped it would be. But we are seeing great progress in that area.

Jay Leask: Yeah. So, Bill, out of curiosity, looking at the questions, we see it started out 50/50 between level one and level four, five. It looks like level three is starting to catch up. What are your thoughts on what we're seeing, and how that relates to what you would have expected?

Bill Wootton: So, I'm not surprised to see so much of level four, level five concentration there. The CMMC board and DoD have communicated pretty clearly, level one is where they think the majority of people are going to land. I think they're a little overly optimistic on that. Level three is going to be anyone who covers CUI. That's going to be the minimum threshold. So, we are seeing a tremendous amount of interest, and planning, and strategy around that.

Bill Wootton: CMMC has said level four and five is going to be reserved for a very small percentage of contracts. And while they really haven't given any indication of what those mean, I think a great starting point. Unless you really know you're in a very sensitive industry, level three is the right target for folks to know that they're holding government data.

Jay Leask: So, you talked a little bit about the differences between one, three, four, five. And it sounds like the "most sensitive data" is where you're going to see a four, five. Can you talk a little bit more about that?

Bill Wootton: So, we don't know too much about that, in some ways. They're not planning really too many contracts. I don't think any of them this year, and there might not even be any next year that are going to be four and five. The focus is getting the industry up to level one and level three standards.

Bill Wootton: They will continue to refine and roll out four and five at a later date. So, again, unless you're working with hypersonics, or missile defense, or something in that area, I think the right target for most people, assuming you're holding government data is going to be that level three area.

Jay Leask: Thanks, Bill. So, what are you seeing in terms of market preparation at this point?

Bill Wootton: So, we're seeing, obviously, a lot of interest. So, we've seen a tremendous difference and a trend to shift between, say, maybe two years ago, and last year, and this year. Obviously, with the interim rule coming into effect, it's real, people are taking it seriously. But we still, I like to joke that we do see the five stages of grief with contractors. There are still folks out there that are in denial, that are in anger. They don't understand why they need to do it.

Bill Wootton: They just haven't gotten the message that this is important. You're holding government data, you are holding national secrets at some level, we need to protect this information. But more and more now, we're seeing people progress through that where they've gotten through the bargaining phase, and they're into acceptance, and we're seeing a great acceleration of people preparing, and taking action to at least accommodate the self-assessment rule, which is the priority right now for everyone.

Bill Wootton: But those longer-term plans for audits, that's not a flip of a switch. That's probably, at least a three, and usually, a six- to nine-month process for people. People are making those investments and decisions now. And so, we're excited about seeing how people are taking it seriously and taking action to get ready for it.

Jay Leask: So, Bill, what are some of the challenges, and actually, before we jump into that, the Q&A is open. We are pushing some questions out, but feel free to ask questions in the Q&A, and we'll try to address them as we go through. So, Bill, one of the areas of concern is specifically around controlled sensitive information, CUI or yeah, controlled sensitive or controlled unclassified information.

Bill Wootton: CUI, yeah.

Jay Leask: What are some of the challenges that companies are facing in trying to protect that?

Bill Wootton: So, the first thing everyone looks at is at the network layer, all of the things that need to be put in place to manage the practices: the multi-factor authentication, the network monitoring, the device management, physical security, the guest logs, and then the policies and procedures that layer on top of that, so that they can demonstrate the maturity on that piece.

Bill Wootton: And that's great, that's a great start. It's some of the low-hanging fruit in some ways, and some of the things that people can tackle. But as they get deeper and deeper into the process, we also find that what happens is when they start really thinking about how do you control the flow of CUI, both inside and outside of your organization? That starts to be a little bit harder to deal with.

Bill Wootton: Because it's a little more abstract, and it starts to shift more from a technical equation to a business process conversation. And that's where folks tend to struggle a little bit.

Jay Leask: Yeah. It's interesting, as I have spoken more and more about Office 365, run workshops on the capabilities of technology, run workshops on adoption and security, the one constant is this is no longer about what technical capabilities exist. There's a lot of conversation around, what are the business problems we're trying to support?

Jay Leask: Because if you can't understand that, then trying to identify how we're going to protect that business information, or that mission information becomes very difficult. Traditionally, we're so used to the technology being a, put out the technology, tell people it exists, we're going to lock it down, and we're done. But as this technology changes so rapidly, as we're trying to introduce new factors like external sharing, and partner engagement, just rolling technology out becomes less and less of an appropriate solution.

Bill Wootton: Yeah, absolutely. When we roll out an MFA or device management solution, there's pretty hard boundaries of we're not going to allow access unless you get a text message, we're not going to allow access unless a device is enrolled. Those can be pretty well-driven. But as you mentioned, as we start thinking about the business process on these, what data is CUI is enough of a challenge.

Bill Wootton: And we probably won't cover that today. But once you identify the CUI data, how do you know where it is? How do you make sure you're applying maybe a header on it, or encrypting that file individually, or ensuring who has and doesn't have access to it? Those are the things that become much more abstract and so much more challenging.

Jay Leask: Yeah, I agree. And it's interesting, looking at the technical capability. So, we put a new question up, and I feel like we're firing questions left and right for Christine. And normally, we're much more docile in that side. But we look at different types of... or different instructions you have to do.

Jay Leask: You have to understand what is your CUI, which like you said, is a workshop all in and of itself. How do you label that content? How do you then turn out who can see that content based on how it's labeled? And what other policies do you need to consider? So, understanding these challenges is a big part of that, right?

Bill Wootton: Yeah. And we're seeing that on the results of the question, we'll try to talk a little bit about the answers as they come up. Identify CUI, over half of the respondents say that's the biggest challenge, because that's step one. Just trying to understand where it is, and what is that data? And there're so many different ways to do it.

Bill Wootton: We tend to focus on things like technical information, and controlled information, how do you build stuff around that? It gets slightly more complex, and actually more important when it's export controlled data as well. And there are some tools to work with that native to, say, the Microsoft suite that help with it.

Bill Wootton: But it still comes back to that first business process, identifying who should be able to have access to that data. And where does that data reside within your system? Because sometimes, those system boundaries may not be at the edges, they may be internal, and within your overall environment.

Jay Leask: Yeah. We've been talking with a number of federal partners who are looking at utilizing the native capabilities for identifying this content for putting out their labels. We have a number of technological capabilities like trainable classifiers, and other AI type capabilities, and they're there.

Jay Leask: It's a matter of learning the tech, and really spending some time to figure out how does that tech support what you need to do. For example, the trainable classifiers to auto label your content. It's a task. It's not just turn it on. You have to understand the definitions behind the labels and all of that to be able to run with that kind of technology.

Bill Wootton: Yeah. And a lot of times, for our clients, we work with small and mid-market contractors. Especially, long before we get to those identifiers, we still have to have the education around what is available. Azure Information Protection, data loss prevention, and the Microsoft suite, really strong, really great tools.

Bill Wootton: But let's first talk about what can you do with them? And even before we get to the identifiers, how do we do that manually? What type of data do we want to do? We want to make sure we isolate. How do we want to label that? What protections do we want to put on it?

Bill Wootton: The Microsoft Suite does a great job of that baseline, and that information at a file-by-file level. But I think it's also a little bit of a challenge, and we start getting to scale, and that's where those identifiers start to come into play. But I think as you probably run into, there's some limitations to those identifiers, right?

Jay Leask: Yeah. There are definitely some limitations. The first comment I would make around that is, depending on what you're trying to do with the labels, and the identifiers, you have to consider is this a single security issue? Is this an end-of-life rule? You need to understand how does this work within the full lifecycle of collaboration?

Jay Leask: That's definitely something that we've seen a lot of questions around is, I don't want to just do records management. And I don't want to just do a single time security rule. I want to be able to modify this over time. Take something from a draft where it is open to more people, because the content inside of it is non-specific perhaps, to when does it cross the CUI line?

Jay Leask: And how do we change the qualifiers around that? To when does it become a record? Or when is it time to destroy that content, because it's no longer relevant? There are all sorts of limitations on how that works, and the complexity of trying to do that. Let alone, the licensing questions and things around that side.

Bill Wootton: Yeah. And it's important to really recognize that when we talk about these things in the abstract, is it's easy to talk about it almost in an individual file level, or even in an individual contract, or an individual project type level. I've got one project. All my CUI goes into one folder. I've got it under control, it's not so bad.

Bill Wootton: But as soon as you start talking about that at scale, where you have an organization that's got multiple contracts, multiple projects, and again, maybe not the identification data is entirely clear on where it sits, and then it starts to spread out a little more maybe in other organizations, or other teams, or SharePoint sites, that becomes uncontrollable very, very quickly. I know that's something you guys work with and seen as a challenge.

Jay Leask: It is. And it's also interesting, too, as we shift to these technologies, like Microsoft Teams, where the tool is designed to be open for collaboration across your organization, there are simple questions, like information architecture, and how does that affect what we're doing? The governance from Microsoft really has become a site collection level, that top level.

Jay Leask: And where you're starting to think about your information architecture, your knowledge management, and those things. It changes that information architecture to the modern technology. You can't really have a very deep information architecture anymore. Because how the toolset manages that has completely changed. Everything's focused on metadata.

Jay Leask: It's focused at the top level. It's focused at the groups for security. And you have to have ways to augment that. Make sure your controls are at the top level, that workspace level. Make sure your planning is at that level. We've had conversations recently with record teams looking at folder depth for being able to manage the types of records.

Jay Leask: And if you look at the capabilities of SharePoint and Teams, which is using SharePoint for the file content, do you think that older information architecture becomes harder to support your automated rules, your trainable classifiers, et cetera? So, what we do with our customers is, is we start to look at that workspace level and start to understand okay, the first thing is, what is the purpose of this workspace?

Jay Leask: How are you going to use this workspace? Is it for a department? Is it for a special project for a customer? And then, you can start to build your policies around that. When we work with them to help define these types of workspaces. We start to build in mission or business-focused questions. How is it going to be used? Who's going to have access to it? What type of data is going to be expected here?

Jay Leask: And by doing that, you can begin to apply your policies at the site level. The problem is natively, those policies are tenant wide. So, you can control things at a site level, but the automation of that is tenant wide. You're going to set your external sharing across the tenant. You're going to set your, who can create things, and what can they do with those workspaces, again, at the tenant level.

Jay Leask: So, if you're trying to do it at a role level, or a department level, or based on a business case, then you have to have another method for trying to gather that information, and then controlling the management and provisioning lifecycle aspects of those workspaces.

Bill Wootton: Yeah. And these challenges just exponentially multiply when we get into the defense community, and especially when we get into the small, and mid-market contractor community. Most of the time, there's not a dedicated SharePoint person on staff with most contractors up until a pretty high level of users. And even when they do, there might be one or two, and they're design related.

Bill Wootton: They're not policy and administrative focused. So, even where we can... we run into this situation where we are taking a brute force approach, we're locking everything down, which is not productive, or we're trying to either trust, or overwhelm whoever is managing these sites to know where to take those granular controls when they are available.

Bill Wootton: And that level of expertise just doesn't exist in smaller mid-market contracts. So, we need to help with that. We need to find ways, and this is where the tools come in, being able to give some of that intelligence, and give some of that support. So, you don't need a tremendous PhD level in SharePoint permissions to be able to run an environment.

Jay Leask: Yeah. That's actually one of the first areas we try to help our customers understand. Why is a tool like AvePoint Cloud Governance valuable to you in managing your workspaces, and managing your permissions? Like you said, to be able to understand all the areas that you need to look to check your SharePoint permissions, to check your group membership, especially when you're adding in the complexity of external users, it becomes very hard.

Jay Leask: And when the requester of a workspace is the owner and SharePoint site collection admin, that aha moment often happens with our customers where they're like, "Wait, I can't expect Bill from accounting to understand how to manage the permissions and make sure everything is safe." So, our renewal and recertification process actually brings all of that information in a business context to the people who run these workspaces.

Jay Leask: So, they can see not only what are the group memberships for my team, but what are the unique sharing permissions that have been assigned to content within your workspaces? When someone goes to file share within a Word document, what sharing links have been created? Who have they been shared with, and what permissions were added to that?

Jay Leask: That information is something that you can't really expect the individual to understand how to do, as you said, without that PhD in SharePoint administration.

Bill Wootton: Yeah. And there's multiple layers of complexity with this as well. There's the business layer. In a manufacturing plant, the person that's on the shop floor may have access to a certain amount of information for them to be able to do their job. But they probably don't deserve access to the underlying design calculations and qualifications for how that part got built, and what the stress loads are on it, or other pieces to it.

Bill Wootton: So, even within an organization, there's a business piece that says, "Well, this environment, this site, this team should only be accessed by a certain number of people. And everyone who's in a different division should never have access to that." And even when you get past that business level, a lot of times there's a licensing level as well. A lot of organizations right now are putting different flavors of licensing in their environment.

Bill Wootton: So, that engineer has the higher-level license, and some of the additional security features, and for lack of a better word, is an authorized or compliant user. But there are plenty of other folks in the organization that maybe they've made different business decisions on to save some money and licensing. And now, we've got to ripple that down into governance to make sure those users never see that CUI data.

Bill Wootton: That takes it past just what permission should you have, but enforcing the permissions, and making sure that Bob in engineering doesn't inadvertently send it to Jenny on the shop floor because she has a question. And just in terms of convenience, when Jenny never has the rights, or the authorization to see that information. Those are the types of challenges that are... they get to that level of complexity, and then folks really don't even know where to start to get past it.

Jay Leask: Yeah. We have an FSI, a federal systems integrator customer that we're working with that has some significant contract requirements and regulations that they have to consider around their data. And one of the big concerns they had when they came to us was exactly what you just described. How do I ensure that Bill does not share this document with somebody who is not permissed to see it?

Jay Leask: How do we make sure they don't go around the requirements? It is so easy for you to go and share that document using some of the examples we've discussed already. So, with them, what we've done is we've set up a couple of things. One, during the provisioning of their workspaces, we're identifying what contractual requirements there are around this content.

Jay Leask: So, there's something called Cost Accounting Standards. And so, we're assigning the CAS groups to each of the workspaces that are being created. And we're also assigning whether or not this has ITAR data. So, we know if foreign persons are allowed to look at this data or not. Once we've done that during the provisioning stage, and making sure that over time that hasn't changed through the renewal process, we then locked down all of the sharing capability.

Jay Leask: So, you can't just file share a document with somebody, you have to follow some more strict guidelines, but only where that's necessary, only when the policy says this type of content can't be shared. The third thing we've done is we've added a means to include new people into the workspace. So, natively, if you go file a user or not file, within a team, you go to add users to the team, there's some capabilities around that.

Jay Leask: But being able to check the CAS group, the foreign national status, among using Active Directory capabilities, it's really limited from a native capability. So, what we've done is we've built some workflows within Cloud Governance to look at those stats from the group, whether foreign nationals are allowed, what CAS group this is.

Jay Leask: And then, checking the people that are being added to this workspace to make sure that they meet the requirements. If this is CAS group four, make sure that the person being added is in CAS group four. The big key for this customer was we want to be able to manage exceptions, not just the rule. So, they've wanted the ability to say, okay, you're trying to add somebody who has foreign citizenship to a group that has ITAR data.

Jay Leask: Let's automate an approval process where the cyber team and the correct people can... the management, the cyber team, et cetera, can all approve this person being added to the group or being added to the SharePoint site collection. So that we're making sure that there is not just a means to control it, but then a means to have exceptions where those make sense.

Bill Wootton: And that's so key to this, because we all know that our best laid plans are always going to set up a system that's going to cover 80, 90, maybe even 95 or 98% of the time, but there's always going to be that situation. Maybe there's an executive who's not part of that CAS group, or part of that division that you set it up around, but they need access for some reason.

Bill Wootton: Maybe you're pulling in a PM for something, or it's just simply someone's rotating into the team. And before the systems catch up to it, they need to get access to it. I love the fact that you guys have the ability. And we've been able to kind of understand, how do we make that work? How can we put that? And probably most importantly, we're recording those exceptions.

Bill Wootton: So, when you sit down for that audit, and you can say, this is my team that has CUI, or my teams that hold CUI data, here are my access records around it. And by the way, here are the exceptions, and I've got them all documented, we're all good to go. Not only have you developed and deployed a secure, manageable environment. And the manageable piece is the important part on this in a lot of ways.

Bill Wootton: You can also be, to build those artifacts from an audit standpoint as well. So, it's great to be able to do that. And I think, again, taking you back down to that small mid-market contractor standpoint, without a level of experience. When we can put the system in place, when we could put the protocols in place, maybe fine tune around the edges, where, "Oh, you've got a special requirement, or you've got a special layer, or label that you want to use, we can do that.

Bill Wootton: We can adjust it a little bit." But being able to get them off the ground and running very quickly with a kind of a structure using best practices really accelerates that adoption curve.

Jay Leask: Yeah. The other use case similar to what you're talking about there that we have is with one of our federal agencies. They want to make sure that when these workspaces are created, and when I say workspace, 33 minutes in, I'm saying this. When I say workspace, I'm referring to SharePoint site collections. I'm referring to Office 365 groups, and I'm referring to Microsoft Teams.

Jay Leask: So, everything we're talking about fits across those places. So, they wanted to make sure that when a team or a SharePoint site collection was created, that the right unified labels, as well as the right metadata for records management were added to a default to all the content areas. So, we're working with them right now to define what are those labels?

Jay Leask: What is the metadata required for records management, and how do the labels react to the security profile? And when you create a new workspace, what information do we need to programmatically assign those defaults to your workspace? So, from a security perspective, knowing if it's ITAR, CUI, knowing what other regulated data types you may have, so that we can set the right security labels.

Jay Leask: And then, from a records and information management perspective, being able to understand what types of records data you're going to have, so that we can set the right metadata to support your records program. All of that, at the time of provisioning. And if there's changes during a recertification and renewal process, being able to capture those changes and changing the policies at those times.

Bill Wootton: Yeah. Let's take a moment to mention the fact that we're talking about one end of the spectrum where we've got locked-down data. I think one of the great things also is there are situations, and we can accommodate, and build in the fact that we don't always need locked-down data. That occasionally, you'll build a team that you want the entire company to have access to. You want to provide information out.

Bill Wootton: Maybe it's the marketing communications team, and they're putting out copies of the Twitter feed, or logos, or collateral, and you wanted broad based access to that. We can set this up, and deploy it, and have a category when we roll these out that it's like, "Yeah, these are open. They're intended to be open." It's not just all about locking down data. It's about understanding all of the various use cases, and making sure you're accounting for them, including the ones that tend to be a little more open.

Jay Leask: Yeah, absolutely. So, as a great example, AvePoint, we're 15 or so thousand employees globally, there are going to be areas like the public sector workspaces, where they have to be locked down, considering citizenship, considering other security aspects. But then there's going to be other areas like the Arlington office, which is purely for collaboration, and designed to allow anybody who might visit the office to be able to access, and see what events are going on.

Jay Leask: And I recognize during the pandemic, this is less important, but what events are going on? We have a coffee club and a pie club that post regularly in there. So, being able to support those workspaces, without bogging them down with the heavy security conversation we're having related to the CUI data, et cetera.

Bill Wootton: Yeah. I'm a big fan of pie, you got to get me in that club.

Jay Leask: Next time you come in there.

Bill Wootton: Absolutely. So, let's talk a moment about the end of a project, and the end of that life cycle. Not every contract lasts forever. Not every project lasts forever. There's a natural life cycle into that. Talk a little bit about how we periodically either check for, or in the appropriate time, decommission things, and how these tools can work with it.

Jay Leask: Yeah. So, one of the things that we've learned, natively, there are some controls on lifecycle management of your workspaces. And generally speaking, they are pretty straightforward. There is how often do you want a workspace to have to go through a renewal process, the least process? And if it's an active workspace, do you want it to have to go through that process?

Jay Leask: And the consideration here is this is a tenant-wide setting. So, if you say every 12 months, I want my teams to have to renew. And if they're active, don't worry about it, then every single team goes through this process. What we do is we approach this from the business perspective. So, if you build a workspace that is for a project, how often do you want that project to have to renew their workspace?

Jay Leask: Versus if you're building the AvePoint Arlington office team, that office isn't going anywhere anytime soon. So, we don't need that one to do a renewal every three months. And so, we take each workspace based on what we're expecting it to have the type of data, et cetera. And we set a policy that makes sense for that.

Jay Leask: So, for example, if you have a project that's going to have external users, guest access turned on, and you're going to have CUI data in there, you probably want to have the permissions recertified on a monthly basis to make sure those external users still need access to that workspace and that data. And you probably want to renew it every three or six months.

Jay Leask: But that Arlington office, you don't need that information. The employees may change, but we're not talking about secure data where you want to bog down your administrators with that many renewals. Now, besides the renewal process, we also build lifecycle management into this, a multiphase lifecycle management.

Jay Leask: So, you can determine when is it time to lock people out, and archive the space versus when is it time to delete that space, and get rid of the contents altogether. The third piece of this would be from a records perspective. And again, one of our federal customers is doing this is before we can archive or delete a team, for example, we need to make sure all of the records have been pulled out of there.

Jay Leask: And so, they're using our Cloud Archiver product to identify the records that exist inside of a team, and moving them to a SharePoint site collection for long-term storage, so that they can still perform their lifecycle action on the workspace without losing that critical data.

Bill Wootton: Yeah. It is at such a longer-term thought. But do you see how much data explodes, how much storage explodes over time? And being able to start to effectively refine, and limit that storage explosion with smartly getting rid of the data you want to get rid of is fantastic. And I think we're such an early phase in all of this, a lot of private companies aren't thinking about it yet.

Bill Wootton: But they'll be getting there fairly soon. In a couple years, they'll be like, "Wow, how do I know to do this?" And we do see that now. We'll go in to do a migration from say, commercial to GCC High, and we're looking at our SharePoint, and they've got sites that are five, six, seven years old at this point that they don't even know who... they don't even know the name of the guy that supposedly created the site, much less the data that's in there.

Bill Wootton: And so, being able to start to manage that, and control that is really powerful. So, let's talk a little bit about deployment. Let's talk a little bit about what you recommend in terms of how we deploy the tool. How do people get started with it?

Jay Leask: So, I'm going to start by saying, it's never going to be perfect. If you wait until you're perfect, you're never going to deploy, and I have seen project after project with Office 365. Heck, I've seen project after project with SharePoint before that, where when you are trying to make a perfect environment, you just never take the first step to production.

Jay Leask: So, I'm going to say start small. Figure out, one of the approaches we take with our customers as we developed a service catalog that we utilized for end users being able to make their requests, et cetera, is start with your centralized core services. I know I need a provisioning service. I know I need a renewal service. I know I need a change security, or change business owner service.

Jay Leask: So, start there and deploy those things. And then, as you recognize new services that are required across the organization, you can add them. But also, as you recognize that particular organizations, subsets of your organization need different rules, you then begin to apply those separately. Now, with our service catalog, you have the ability to permission trim all of the services.

Jay Leask: So, you can create your centralized core services, and then your divisional or business unit services key to those specific people. But again, it's start small, and then grow over time. Governance, security, with three-year product life cycles, there's a possibility that you could revisit this conversation every three or four years.

Jay Leask: But with as often as Office 365 comes out, you have to have a living plan to adjust how you manage the system, what you offer your end users, how you train your end users. Again, this is not a set it and forget it thing. I'm not selling you an air fryer that you set something up, and walk away for 45 minutes. You have to constantly curate this. The other thing is, think about templates.

Jay Leask: So, I talked about types of workspaces earlier. You know you're going to have communities of interest. You know you're going to have... or communities of practice, you know you're going to have projects. You know you're going to have departments. Start to analyze, what are our default types of workspaces. And then, from there, you can define how do I want people to use Office 365?

Jay Leask: For a community of interest or a community of practice, you're probably going to give them a SharePoint site collection for sharing files. You're probably going to want to make sure they have access to Stream so that they can store videos and presentations as they share information with each other. If you're in the commercial space, you might give them a Yammer community.

Jay Leask: Because you know that it's going to be more of a whole of organization community rather than a subset of users. So, you can identify your types of workspaces, define how you want them to use the system, and then you can start to build out templates based on those expectations. But realize that a template is not just look and feel.

Jay Leask: It is what services, Office 365 services, do they have access to by default? It is what policies support those services from a security perspective, from a renewal and lifecycle perspective, from a records management perspective. So, this is what a template is. And a tool like AvePoint's Cloud Governance does support all of those capabilities.

Jay Leask: And then, the last piece is sometimes, you may need to get some expert help on this. Microsoft has a great program for customer success. If you're eligible for that, that's something you want to take advantage of. But then, there are partners like C3, who can help you understand how do I wrap my head around this massive toolset? And how we can best use it for my, whether it's an enterprise organization, or a small organization, how do we figure that out?

Bill Wootton: And that's the challenge that we've embraced with our approach to this. We do a ton of work with small and mid-market contractors. Over time, we see certain use cases, we see certain profiles. We can talk about how manufacturing organizations, and professional services firms, and engineering firms. After you start working with a few of them, certain commonalities start to come into play.

Bill Wootton: And that's where we're trying to have an impact on this is by taking some of your concepts around an immersion program, and templates, and some of the basic building blocks, applying them to common use cases that we see across multiple clients to give that starter package to say, "Hey, we can get you up and running, we can show you what we see is best practices, both from a use case, and from an implementation standpoint, these are the scenarios we see."

Bill Wootton: I used the manufacturing example earlier. Here's how we can address these things. And then, we're fine tuning around the edges rather than starting from scratch. And I think interestingly enough, as you get into this, and as you go down in size, that constant tweaking and adjusting is going to be a little bit less. We'll never be set it and forget it.

Bill Wootton: But we can set them up with something that's stable, and has a fairly long use case and use. And then, we can come in, and tweak, and adjust it as new opportunities or new challenges come up for them.

Jay Leask: Yeah. It is as you start to look at the capabilities of Office 365, of third parties, and whether or not you need their tool sets, it can be a little overwhelming. And so, really taking this piece by piece. There are often times where I walk into a customer, and we're talking about governance, and we're talking about security, and they're just like, "I just don't see it right now."

Jay Leask: I say, "Okay, let's talk about where you are, you need X, Y, and Z. Your current requirements say that you don't need what I'm bringing to the table. And that's great. Rule that out. And then, let's talk again in six months and see where you are. Let's understand both me as a vendor, and you as an IT department rolling this tool out. But understand that this is definitely a multiphase thing.

Jay Leask: And as you see changes in your environment, changes in the regulatory controls that you need to consider, then you need to revisit how you're deploying, and that's when you can decide, okay, is it time to bring in that third party? Is it time to roll out this new feature? Is it time to upgrade our license from E3 to E5?" Those are the types of things you need to do, but it is a constant improvement, constant evaluation.

Bill Wootton: And that comes full circle with everything. We started the conversation, you take those highest priorities, things that are required. If you haven't done MFA yet, for some reason, get that done. If you're not doing your device management, your monitoring, there's other pieces that are... make sure you've got the perimeter set, and you've got your environment locked down.

Bill Wootton: But we can also talk to you about okay, that's great. Over that horizon, once you get all those pieces in there, and you start getting into those final pieces that are really going to help you get that security and compliance you want. We can start talking about that early on, and give that expectation that, you know what, here's what your pathway looks like. Here's where you're going to wind up going.

Bill Wootton: And when you're ready to start talking about these things, or what usually happens when someone comes to the IT guy, and starts talking about it, and they're identifying it as a need, they're ready to accommodate and respond to it. The thing I hate is if one of our clients ever gets caught flat-footed, which is something that you didn't see coming or expect.

Bill Wootton: We always try to make sure that they have an idea. And they know okay, wait a minute. Yeah, I heard about this. I know about it. I might not be on it. But I know I can go get that answer really quickly.

Jay Leask: Yeah. Hey, Bill, there's a question. I don't know if you saw it in the Q&A. There's a question around vendor certification. Do you have any thoughts or comments around vendor certification, and what percentage of them cover each of the various levels?

Bill Wootton: Wow, that's a loaded question. CMMC is still trying to figure that out. We're really early on that process. I think anywhere you look across the vendor ecosystem and the supply chain associated with it, whether it's the Microsofts and the Googles of the world, or providing the services, some of the monitoring services, the folks that are out there doing SOC and SIEM services, or providers like us.

Bill Wootton: Everyone's wrestling with exactly where they need to go. We've made some commitments internally at C3. We're going to pursue at least a level three. We're doing everything we can to get there and be ready for that when those become available to us. But I think I'd turn that question back around and say, keep asking it, keep asking that to every one of your vendors, every one of your suppliers.

Bill Wootton: Make sure that they understand it. There's a good chance because of the maturity of CMMC, they may not have a final answer on that yet. But what you want to hear is that they're aware of it, that they're planning for it, and they are making effort towards it. That's the biggest thing when we go, and vet vendors, and we look at them, I'm looking for very specific things.

Bill Wootton: I'm looking for how committed are you to the federal space? How committed are you to that defense space? Can you handle export control data? And certainly, where are you going? What's your strategy to get there? I think it's a little early to ask where people are. But I think it's certainly early enough to start asking where are people going with that? Because there's a coming earthquake in our industry around that as vendors start to have to sort that out, and start making decisions around that.

Jay Leask: Yeah. As a software vendor, it has been very interesting to see our development teams have to evaluate and respond to even the many certification options there are, from ISO certifications, to SOC 2 certifications, to FedRAMP, being able to provide analysis on each of these, being able to provide, potentially, go through the certification process for each of these. That's something that your vendors need to do.

Jay Leask: They need to be able to provide you insight into where they are, why they chose their direction. And from AvePoint's perspective, we have a page that describes it on our website. Our privacy and security page lists all of our certifications. But yeah, don't hesitate to ask, where are you on this? But as a software vendor, I would ask that you ask with a little bit of grace and understanding that it may take more than five minutes to get you the answer you're looking for.

Bill Wootton: Yeah. And when we were looking at vendors, and we approached AvePoint, and talked about these things, this is going back actually, before CMMC, I was getting a lot of head scratching on DFARS, tell me why this makes sense. And to your credit, this team at AvePoint, you guys have taken this seriously. And we've talked through all those questions I just ran off, the answer is yes, across the board.

Bill Wootton: So, you guys have a serious commitment to the industry, to the space. You're putting out products that have real good value to it. What we were able to do last year with rolling out backup and GCC High was a huge step in the right direction. Again, checking some boxes off before anyone else did. So, you guys are doing great work in that space. And I love the commitment you have to it.

Jay Leask: I appreciate that, Bill. It's been a very good partnership over the last year or so. And thank you. Today, this was a lot of fun. I really enjoyed being able to share this information, and being able to do it a little bit more. I hope that this format was very valuable to people.

Jay Leask: From a local government perspective, how do you address organizations that assume all data are open records?

Jay Leask: And what are the repercussions if compliance isn't met? It's an interesting question. If you talk to an organization like NARA, the National Archives, their definition of a record does suggest that everything is a record. The question is, is it a temporary record or a permanent record? And it is up to the organization's records managers to help define that.

Jay Leask: Just listening to a presentation this morning that talked about what is a records manager? How do they relate to software purchases? And how do they relate to the business decisions? So, one of the repercussions of not meeting compliance around your records. They are dependent on your organization and the specific regulation you have to be focused on.

Jay Leask: But my recommendation to you, to give you more of an answer and less of a tap dance there, is if you are considering that everything is a record, you have to make sure that your technical solution to support that supports the lifecycle of those records. So, when AvePoint talks about records management, which is a conversation in a much longer webinar, we talk about it from information management, and records being one aspect of that.

Jay Leask: So, from when something is created, to when people collaborate on it, to when it gets locked down, and becomes a final copy, to when it is destroyed, these are all various stages that your technology really needs to be able to support. And if all you're doing is creating a label that manages the disposition of a piece of content, you are not managing the full information lifecycle. You are simply managing the disposition. So, that is something that you may want to consider. Bill, do you have any additional thoughts on that?

Bill Wootton: Yeah. We don't do a ton of work in the local space. It's a little bit out of my expertise. One point I would make, though, is there's probably different flavors of compliance, depending on what that data is. Whether it's law enforcement data, it's going to fall under CJIS. If it's PII or if there's, for whatever reason, some HIPAA components to it, you're probably going to have different flavors of what that compliance needs to be.

Bill Wootton: And that goes back to that business discussion. I think that's what you're alluding to, find the person that's the expert in what the record should be. And then, you can deploy from a technology standpoint, what their guidance is.

Jay Leask: Great, great. Great response. Yeah. So, thank you so much for asking. I hope that was helpful, and feel free to reach out if you want to have a deeper conversation on it. So, I think we've got about five minutes left on the schedule. If there are any other questions, I'm more than happy to stay on. But again, Bill, thank you so much for your time today. And I look forward to one of us doing a wrap up of this and posting it on the blog.

Bill Wootton: Absolutely. Thanks, Jay. This has been a great conversation. Always enjoy talking with you, and working with the AvePoint team, and we're going to continue to develop these solutions. And more, and more, tailor them for the CMMC challenge that everyone's facing.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft or AvePoint Public Sector can assist your organization, please visit www.carahsoft.com, or email us at avepointpublicsector@carahsoft.com. Thanks again for listening, and have a great day.