Sharing what we learned deploying our secure federal environment

Learn how we deployed the same highly secure environment our Microsoft Federal organization built for sovereign customers like the US government.

At Microsoft, we serve a diverse range of customers, from individual users and large businesses to sovereign governments with specific regulatory requirements. Our platform products such as Microsoft Azure and our Microsoft 365 productivity suite perform extremely well for these different customer segments.

Underneath those broad strokes, we serve very specific, complex customers.

One set of such customers is in the federal sector, where the specific regulatory requirements of sovereign entities—such as the Department of Defense (DoD) in the US—require that we create highly secure environments that adhere to the Cybersecurity Maturity Model Certification (CMMC) standard. (CMMC is an intermediate cybersecurity certification for defense contractors that focuses on protecting controlled unclassified information through enhanced cyber hygiene practices.)

Building environments that meet the CMMC standard presents unique opportunities and challenges, especially when it comes to managing complex collaboration scenarios at scale while also ensuring the security of our customers’ confidential information.

To help us get this right, we build environments for our customers that employ our Zero Trust security model, which means operating on a “never trust, always verify” principle. This enables us to deliver secure platform tools, networks, elastic computing, and storage options. It also helps provide our customers with better collaboration and business operations tools.

This approach works for governments and their military and intelligence agencies, and it goes beyond the high standards of our usual customers.

To specifically address these unique needs within Microsoft, we have created a specialized IT environment, called the Federal Government Operating Environment or Microsoft FedNet. Powered by Azure for Government and Microsoft 365 Government, this environment is carefully designed to match the complex requirements of our US Federal and US Defense Industrial Base clients.

Serving as Customer Zero

In this story, we’ll explain some of the unique challenges we faced internally as we implemented this “company within a company” to allow our employees to work easily across both our traditional corporate environment (CorpNet) and the more highly regulated environment (FedNet) that we use to support our US Federal customers.

We have a strong value around being Customer Zero for our products, so much so that we implement them the way we would suggest our customers use them, so we can experience the customer reality firsthand. While living on the edge of this innovation knife can be unsettling at times, it allows us to be first to encounter challenges our customers might face. As such, we become a valuable feedback loop back to our product teams, which speeds up the innovation cycle and lowers barriers to entry for actual customers.

Jason Zander, executive vice president of Strategic Missions and Technologies, led teams across the company to develop, launch, and improve our Microsoft Federal program, which serves important clients such as governments, their militaries, and intelligence agencies.

Cross function, cross company

At Microsoft, our commitment to creating a dedicated environment for highly regulated workloads was not just about establishing a separate space; it was about embodying a cloud-first and deeply integrated approach across our entire business spectrum. This strategic decision was pivotal in aligning our expansive scale with the nuanced demands of compliance-focused sectors.

To get this right, our comprehensive, multi-disciplinary strategy coalesced around rethinking our sales pipeline management, financial systems, modernizing commerce tools, refining our support services, and evolving our internal engineering practices. This cross-organizational synergy was crucial to ensure that every aspect of our business supported and benefited from this new initiative.

“It was absolutely essential that we deliver a product for our federal customers that met or exceeded the experience that our own team expected,” says Jason Zander, our executive vice president of Strategic Missions and Technologies. “This is the critical benefit of our Customer Zero approach to engineering—we live and breathe the product long before it reaches an external user. That gives us time to explore and refine the customer experience to be as good as can be.”

Embracing a growth mindset, we aimed to merge the insights gained from operating a $3 trillion company with our profound understanding of servicing compliance-intensive customers. This fusion of scale and specialization was geared not only toward meeting existing needs but also toward innovating in novel and impactful ways.

Through this transformative journey, we have not only tailored our offerings to meet the stringent requirements of highly regulated sectors, but we have also significantly enhanced our overall business intelligence. By internalizing and refining our products early in their lifecycle, we ensure that our services not only align with but surpass the expectations of our most compliance-conscious customers, continuing our legacy as a global leader in technology solutions.

What does this mean in the real world?

In our journey to develop a more secure platform for internal use at Microsoft, we took an unconventional and immersive approach: we essentially created a new federal entity within our larger corporate organization, where the creators and users of this platform merged into one. Our team, dedicated to building this secure environment, began to experience their daily work lives within FedNet, taking meetings on Microsoft Teams, collaborating on documents across Microsoft 365, and verifying the environment's functionality and reliability firsthand.

“Our workday began by signing in to this secure environment, using Microsoft 365 applications for our daily tasks, and collaborating through Teams,” says Dwight Jones, a principal product manager on the Microsoft Federal team in Microsoft Digital (MSD), our IT division. “This wasn’t just a separate project; it was a complete shift in our work environment. We effectively isolated ourselves within a secure bubble, distinct from the rest of Microsoft, to ensure we could operate seamlessly as an independent entity.”

This shift represented a significant change in our corporate experience.

By establishing secure Microsoft tenants in the Azure Government Community Cloud’s high-security environment, we created what we call “Microsoft Federal”—a company within a company. This bold move came with its own set of challenges, but it was essential. It enabled us to not just theorize but practically test and enhance our FedNet solution in real-world conditions, ensuring its effectiveness for our sovereign customers.

Such an approach was pivotal in validating the reliability and security of our solution. It allowed us to experience the potential challenges our customers might face and address them proactively. Ultimately, this real-world experiment was more than just a test; it was a commitment to delivering a product that we ourselves could rely on and trust, setting a new standard in our offerings to highly regulated sectors.

Getting security right

The key distinction between our traditional business and our new Federal sector business model lies in the stringent regulatory constraints from agencies like the US Department of Defense, which include adhering to CMMC level 2. Our FedNet environment is designed to not just meet but exceed these standards. In fact, our FedNet implementation has achieved a perfect score (see “Microsoft Federal Successfully Completes Voluntary CMMC Assessment”), reflecting our security team’s commitment to the highest standards, covering a broad range of customer requirements.

“Microsoft Federal is a prime example of the potential in public-private partnerships,” Zander says. “We bring our expertise to key government organizations, offering them advanced, secure solutions to succeed in their missions. Together, we’re shaping the future of network security.”

To align with our Zero Trust principles in FedNet, we started by enhancing device endpoint security using a combination of Microsoft Conditional Access and Microsoft Azure Virtual Desktop (AVD). This provides our teams with secure and controlled virtual access to standard collaboration and productivity capabilities, a shift from the traditional physical machine setup in our corporate environment.

While aligning with our cloud-first strategy, this transition posed challenges.

The virtual environment offered less flexibility than a commercially managed machine, particularly in terms of software installation control. In our commercial environments, users can install a variety of first- and third-party applications to enable them to be productive. To comply with more stringent regulations, we tightly regulate which applications can be installed on the virtual client: each piece of software has to be security cleared by our Security Portal for Assessment, Consulting and Engineering (ACE) tool. We had to create controlled processes to qualify each piece of software we deployed in our FedNet environment.

Dwight Jones, principal product manager on the Microsoft Federal team in Microsoft Digital (MSD), was one of a number of Microsoft employees heavily involved in deploying an internal version of FedNet at Microsoft. Jones led MSD’s program, engineering, and support efforts to onboard and scale the secure collaboration environment across Microsoft 365.

Getting to product parity

Getting back to our internal team charged with deploying a version of this platform inside the company, our internal users at Microsoft Federal need more than just robust compute platforms and Zero Trust technology—they require the same modern communication and productivity tools as any of our other employees to manage daily operations effectively. Despite differing security protocols, essential tools like Microsoft Teams and Microsoft Outlook must function just as reliably for our Microsoft Federal users as they do for our CorpNet users.

Take Microsoft Teams meetings, for example.

“Teams is the lifeblood of collaboration at Microsoft; even a few-second delay in a Teams call hosted in our AVD environment can significantly disrupt the experience for our users in Microsoft Federal, just as it would for any other user,” Jones says.

Such technical issues, if unresolved, could hinder business operations and negatively impact user perception of our products. We recognized the need for improvement in how Teams integrated within AVD, highlighting key opportunities to accelerate quality of service features across both products that, once implemented, would quickly trickle down to all users of these services.

The complexity of managing change

Not surprisingly, we found that managing change and expectations was as significant a challenge as the technical blockers. The biggest hurdle became managing the cognitive shift when moving between environments, rather than addressing technical gaps. For instance, implementing data loss prevention strategies via document labeling was optional in our commercial environment but mandatory in FedNet to comply with CMMC regulations. This necessitated a new approach to data handling and required significant adjustments from our users. Training users on the rationale and procedures for data handling was critical to overcoming this barrier to entry for new users.

Experiment, learn, adjust, grow

After establishing the basic functionality needed for our Microsoft Federal employees to most closely match the experience of their counterparts in the larger Microsoft organization, our focus shifted to optimizing the environment. This entailed refining existing solutions and introducing the latest innovations Microsoft is known for.

It was all about feature parity.

“Our Microsoft Federal environment, while more secure, should not lack any functionality or features compared to the civilian version,” Jones says.

A standout feature attracting global corporate interest in FedNet is Microsoft Teams Rooms. This innovative setup combines built-in screens, modern video cameras, eye-tracking technology, and Zero Trust security to revolutionize meeting experiences in Microsoft Teams, specifically tailored for our Microsoft Federal product.

“Secure Teams Rooms is exactly what our internal Microsoft Federal users, and indeed any organization, would desire,” Jones says.

Following this, we began a pilot rollout of Microsoft Teams Rooms in select secure locations, with plans to extend this enriched experience to all employees in the Microsoft Federal environment. By using the same technologies they provide to customers, our employees gain valuable insights and experiences, enhancing their ability to support customers deploying Microsoft Teams Rooms in their organizations.

“Serving some of the world’s most security-conscious customers grants us unique experiences and insights that benefit our entire business,” Zander says. “With exciting features and products, many fueled by Microsoft’s AI innovations, we’re charting a bright future for all our customers, including those in Microsoft Federal. This is how we fulfill our mission to empower every person and organization on the planet to achieve more.”

Microsoft Federal and our experience building a company within a company exemplifies our commitment to empowering customers with secure, compliant, and innovative solutions. By harnessing technologies like Microsoft Teams, Azure, and Microsoft 365, we’re setting new standards for collaboration and security in government and beyond.

Key Takeaways

Here are some things to think about as you consider beefing up your security with a product like our FedNet solution:

  • Zero Trust is now relevant to everyone: Hybrid work, cloud migration, and increased threats make taking a Zero Trust approach to security a prudent consideration in every organization.
  • Lack of leadership alignment is the biggest obstacle to driving Zero Trust agendas: Leadership alignment is critical to driving Zero Trust agendas. It’s important to ensure that all stakeholders are aligned with the Zero Trust vision and understand how it fits into the broader security strategy. This includes executive leadership, IT teams, security teams, and other business units.
  • Zero Trust architecture requires holistic, integrated thinking: Zero Trust architecture requires a holistic, integrated approach that spans people, processes, and technology. It’s important to have a clear understanding of your organization’s assets, data flows, and user behaviors in order to design an effective Zero Trust architecture.

Try it out
Learn more about our Microsoft Federal program and offerings.
