When it comes to overall productivity platforms, collaboration tools, and office suites, the two biggest options dominating the market are the Google G Suite and Microsoft’s Office ecosystem. Whether it’s word processing, team collaboration, IT frameworks, device management, or the entire infrastructure of a business, there’s a pretty good chance one of these two options is going to power the way you operate.
If you’ve chosen to pursue a security certification to work with the government – specifically, if you need to adhere to the rules set forth in CMMC – your whole operation needs to be secure. A big roadblock many businesses run into is switching from the basic business or public licenses for Google or Microsoft to more secure, government-oriented versions.
For Microsoft, this means some form of the Microsoft platform for government, like the Commercial Cloud, the Government Community Cloud (GCC), or GCC High. For Google, it means the Google Public Sector framework.
Which one should you choose? Let’s compare them.
BLUF - Bottom Line Up Front
Google G Suite and Microsoft's Office are top choices for productivity and collaboration. For businesses needing security certification like CMMC, Microsoft offers three government-oriented platforms, while Google has a Public Sector framework. Microsoft’s GCC High provides robust compliance and interoperability, though it’s costly. Google emphasizes cloud-native security and affordability but has limited pricing flexibility. The best choice depends on your organization’s needs, with Google being cost-effective, but Microsoft offering more comprehensive services.
What is Included in Microsoft GCCH
First, let’s look at Microsoft’s offering.
Microsoft has three tiers of service aimed at government operations. Microsoft Commercial, Microsoft Government Community Cloud, and Microsoft Government Community Cloud High all exist in a tiered framework of security and resiliency.
The first question you might have is, which version do you need? There are a few possible answers to this question.
If all you need to do is adhere to basic CMMC rules at a low security level, Microsoft Commercial is designed to be good enough. However, despite basically meeting the requirements, even Microsoft doesn’t recommend it. Instead, they recommend using GCC High, the strongest of their secure ecosystems.
Technically speaking, Commercial is enough for CMMC, GCC is the minimum for DFARS 7012, and GCC High is required for ITAR compliance. In practice, you’re likely better off with GCC High for all of it.
All versions of the Microsoft government cloud have access to the Azure commercial stack of applications, covering everything from Office and Teams to Azure itself to PBX and phone systems. Pretty much everything in an office can be run in the Microsoft ecosystem regardless of which of the three tiers you choose.
Microsoft 365 Commercial can, if leveraged properly, meet CMMC L1 and FedRAMP guidelines. It cannot, however, meet CMMC L2 or higher.
Microsoft GCC makes one significant change to adhere to higher-tier security standards, which is data segregation. Cloud data handled in the GCC ecosystem is stored specifically in one of Microsoft’s government-specific data centers, which have appropriately higher security and standards than their baseline Commercial offerings.
GCC High adds to this by limiting data to only US-based government data centers and ensuring appropriate background checks for all employees who maintain them.
Microsoft does offer one even higher tier of system, aimed specifically at DoD use, but that’s outside the scope of today’s discussion, so just know that it exists if it’s relevant to your operations. Since it’s only available to the DoD itself, it’s not really worth comparing, right?
What Are the Benefits of Microsoft GCC High?
Microsoft’s systems have a few benefits when you’re considering using them as part of your overall government contractor operations.
For one thing, huge portions of the government are using Microsoft systems. For a long time, the choice was really between Microsoft and proprietary Linux-based setups; it wasn’t until relatively recently that Google became enough of a major player to take some of the government market share.
Microsoft also has an advantage in terms of collaboration. Since they’re well-practiced and have decades of established systems that intercommunicate, collaboration both with other businesses outside of the government sphere and with other government agencies, partners, and secure facilities is all easy and secure.
It’s also quite likely that your employees and partners are well-experienced with Microsoft systems. It’s a familiar user experience for most people these days, and only those who spend their time in an Apple ecosystem or the youngest individuals who are more used to mobile devices are likely to have a harder time. Even then, since Microsoft set many of the conventions other brands have used, it’s still largely intuitive.
When it comes down to the nuts and bolts of compliance, including auditing and all of the detail-oriented configurations you need to set, Microsoft has another advantage in being very well-documented. Any question you could possibly have can be answered just by looking in the right place.
Are There Drawbacks to Microsoft GCC High?
This wouldn’t be a discussion at all if Microsoft didn’t have any drawbacks. Unfortunately, there are a few things to keep in mind that can influence your decision.
The first is that Microsoft is fairly notorious for being… let’s say, jealous of their tenants. They make it difficult to switch away down the road. If you were in a situation where you wanted to move from Microsoft’s ecosystem to, say, Google’s, it can be tricky. Everything from configurations to data exports is often harder than it needs to be. It’s not impossible, of course, but there’s enough friction there to keep you in place.
A second challenge – and one of the main reasons why you might end up considering moving away later – is the expense. Microsoft GCC High is often somewhere in the neighborhood of $2,000 to $3,000 per user per year. Now, obviously, when it comes to security, you get what you pay for, but the pricing is steep enough that it’s often a challenge for certain kinds of businesses and can even be the difference between choosing to pursue government contracts or not.
The third challenge is a series of significant breaches that have happened over the last few years. The SolarWinds breach from a few years ago used Microsoft’s cloud services as an attack vector, a breach of Outlook affected 40 million users, a Microsoft Cloud vulnerability left email accounts vulnerable in 2023, and so on.
To an extent, it’s a little unfair to blame Microsoft for this entirely. It’s not as though they’re incompetent; some of these breaches are incredibly sophisticated and involve numerous layers of obfuscation or supply chain compromise. And, since Microsoft is by far the most widely used ecosystem, it’s also by far the most widely attacked ecosystem, and anything is going to have issues under that kind of pressure.
Indeed, a significant part of CMMC compliance is about building resilience against attacks, monitoring to detect breaches and cut them off ASAP, and in-built limitations that minimize the potential damage that could be done when a breach occurs. Any platform can provide those avenues; it’s all in how you configure them for your systems according to CMMC rules.
What is Included with Google Public Sector?
Google Public Sector is the branch of Google operations that works with government and education organizations. It includes a variety of tailored offerings, including Google Workspace for Government, Google-based hardware (like phones, Chromebooks, and tablets), and much more. It has different offerings with different security levels and standards, tailored for specific categories of need, like federal civilian agencies, defense and intelligence agencies, and state and local government agencies.
Recently, Google Public Sector has also been leaning heavily into AI. This is perhaps a questionable decision, given the notoriously “black box” nature of these systems and how prompt injection attacks can permanently alter their memory, and it’s entirely unclear how well government systems are isolated from having their data used in training – and thus becoming recoverable through sophisticated attacks.
Google’s cloud systems and their government-focused Workspace and other offerings are compliant with the most stringent security laid out in FedRAMP, DFARS, and ITAR, though certain high-tier security may need additional high-tier services from Google, like the Assured Controls Plus feature for Workspace.
What Are the Benefits of Google Public Sector?
Google Public Sector has a handful of benefits over using something like Microsoft.
For one thing, Google has been a cloud-native company for a very long time, and they’re very familiar with stringent security and compliance. Where companies like Microsoft have decades of cruft to support and maintain and have to adapt it to connected environments where it previously might not have had to worry about exposure to the internet, Google was largely designed for that environment from the outset.
Google has also historically led the way with internet security, developing innovative enforcement and encryption options and designing some of its systems with security as a baseline requirement rather than a retrofit.
Perhaps one of the more important benefits, of course, is simply the cost. A full use of Google’s infrastructure, including both hardware and software, can be as little as $400 to $500 – less than a quarter of Microsoft’s pricing for equivalent services and infrastructure. While we mentioned that you get what you pay for, that is only true up to a certain point. At some level, more money doesn’t actually facilitate more security.
Are There Drawbacks to Google Public Sector?
Nothing is perfect in this world, and that goes for Google’s offering for CMMC as well.
One drawback is that Google’s CMMC system really only has one pricing structure. There’s not really any flexibility for organizations in different security levels or of different sizes. Some will find it very affordable, while others will find it quite steep, and they both get more or less the same thing. There are certain small adjustments to be made, but not much.
Above, we mentioned Microsoft being part of numerous security issues. Google isn’t free from sin on this front, either. There have been fewer government-focused breaches, but that’s as likely to be because of relatively low adoption as because of better security.
There’s also an element of friction within Google itself. Google is somewhat notorious for having its different projects, teams, and systems developed and maintained by mostly independent groups of employees. This often leads to incompatibilities between systems that should work together seamlessly. This is a little less relevant in the government space, as the systems being used here are better tested to work together, but there can occasionally be oddities that make processes take longer or require more steps than they should.
We also already mentioned Google’s AI systems and their questionable dedication to security. This is still a largely untested field, and while it’s never a bad thing to consider embracing new technologies, there are many rough edges to smooth out, and governmental systems likely aren’t the place to do so.
CMMC Compliance: Which Should You Choose?
When it comes to choosing between a Google infrastructure or a Microsoft infrastructure for CMMC compliance, which option should your organization choose?
There’s not really a right answer here. Both can work, so it depends on factors specific to your organization and your goals.
Microsoft is usually the more expensive option, but since most governmental organizations and members of the defense industrial base and overall government supply chain are likely already using Microsoft systems, interoperability is already established. There’s a lot of friction moving away from them if you choose to later, but if you’re operating with a Google system, there can be friction in working with partners using Microsoft. It tends to balance out.
If expense is the primary consideration, Google may be the better choice. If functionality, expansive services, and a close working relationship with the government are important, Microsoft is likely the better option. If AI is a deal-breaker or deal-maker one way or the other, Microsoft wins for the time being, though their push to add Copilot to everything may even the playing field there as well.
If you want a deeper discussion of your specific needs, given your operations, the kind of CUI you handle, and the level of CMMC you need to achieve, we’re here to help. At Ignyte, we’re experts in a variety of governmental security frameworks, including FedRAMP, DFARS, and CMMC. Whether you want to use our platform to help you with your audits or you just want our advice, feel free to reach out or book a demo to see what we can do for you.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.