How to Migrate to GCC High Without Expanding Scope by Accident

Why Migrations Create Temporary Scope Chaos

A GCC High migration sounds like a straightforward infrastructure move: stand up a new tenant, copy the data, decommission the old one. In practice, it is a multi-month project during which both environments are live, both contain CUI, and neither is in its final documented state.

That interim period is where scope expands unintentionally. Systems that were never supposed to be part of the assessment boundary get pulled in because they touched CUI during the transition. Legacy connectors keep syncing data to the old tenant after cutover. Coexistence tools create bridges between Commercial and GCC High that become permanent fixtures nobody remembers to remove.

This is not hypothetical. Organizations regularly schedule C3PAO assessments three to six months after migration, assuming the new environment will be stable by then. What they discover is that the old tenant still has active mailboxes, SharePoint sites with residual CUI, OneDrive accounts with synced copies, and Intune policies that were never ported. Each of these is a system that stores, processes, or transmits CUI — and each one is now inside the assessment boundary whether the SSP accounts for it or not.

The solution is not to delay the assessment indefinitely. It is to plan the migration as a compliance event from day one — with scope control, evidence preservation, and decommission verification built into every phase.

Pre-Migration Scoping and Dependency Inventory

Before a single mailbox moves, you need a complete map of everything that touches CUI in the current environment — and everything that will touch CUI in the target environment. The goal is to define the migration boundary as precisely as the assessment boundary.

This means inventorying far more than mailboxes and SharePoint sites. It means identifying every system, integration, and data flow that interacts with CUI.

The Migration Sequence: Identity, Mail, Files, Collaboration, Devices, Logging

Order matters. A GCC High migration is not a parallel lift-and-shift — it is a sequential dependency chain where each layer depends on the one before it. Getting the sequence wrong creates orphaned configurations, broken integrations, and CUI in limbo.

Common Missteps: Coexistence, Duplicate Repositories, Legacy Connectors

The most damaging migration mistakes are not technical failures. They are decisions — or non-decisions — that leave artifacts from the old environment alive and in scope long after the migration is supposed to be complete.

Every one of these missteps has the same consequence: a system, data store, or data flow that your SSP does not describe but that an assessor will discover. The fix is not to hope the assessor doesn't look. The fix is to build a decommission checklist that is as detailed as the migration plan — and execute it completely before the assessment.

How to Preserve Evidence and Configurations During Cutover

A migration destroys the evidence that proves your old environment was compliant. Conditional access policies, DLP rules, transport rules, audit logs, Intune baselines — all of these exist in the Commercial tenant. When that tenant is decommissioned, the evidence goes with it.

If your CMMC assessment covers the period before, during, or after migration, you need to preserve a record of your control posture at every stage.

• Export all conditional access policies from the Commercial tenant as JSON before decommission. Store the exports in your evidence vault with timestamps.
• Screenshot or export DLP policy configurations — including trigger conditions, actions, and exception lists — from the Commercial tenant before they are deleted.
• Export Exchange transport rules from both tenants. Document which rules were active during the coexistence window and which were activated post-cutover.
• Download the Unified Audit Log from the Commercial tenant for the full migration period. Retain it for at least the same duration as your standard audit log retention policy. Store it in the GCC High environment or a FedRAMP-authorized archive.
• Export Intune device compliance and configuration profiles from Commercial before re-enrollment. Document which devices were enrolled, their compliance state at cutover, and when they were re-enrolled in GCC High.
• Capture sensitivity label configurations from Microsoft Purview in the Commercial tenant. Labels are tenant-specific and must be recreated in GCC High — verify that the recreated labels have identical settings.
• Hash critical evidence files using SHA-256 at the time of export. Store the hashes alongside the evidence. This proves the evidence was captured at a specific point in time and has not been altered.

Interim-State Risks and How to Document Them

There is no migration that happens instantaneously. For some period — days to weeks — your organization will be operating in a state that does not match either the pre-migration SSP or the post-migration SSP. This interim state is a compliance risk that must be acknowledged and managed, not ignored.

The recommended approach is to create a Migration Security Addendum to your SSP — a temporary document that describes the interim-state architecture, the controls in effect during the transition, the timeline for reaching the target state, and the specific risks accepted during the window. This addendum should include:

• Start and end dates for the migration window, by workload (identity, mail, files, devices, logging)
• Which controls are temporarily degraded — for example, if endpoint DLP is not yet configured in GCC High, document that gap and the compensating control (e.g., conditional access restricting access to managed devices only)
• Which systems are temporarily in scope that will not be in the final assessment boundary — for example, the Commercial tenant during coexistence
• How CUI is protected during the transition — which tenant is authoritative for CUI at each phase, and what prevents CUI from existing in both simultaneously
• Rollback criteria — under what conditions the migration is paused or reversed, and what the compliance posture looks like if that happens

If a C3PAO assessment occurs during or shortly after migration, this addendum is the document that explains why your environment doesn't perfectly match the SSP — and why that deviation was planned, controlled, and temporary. Without it, every discrepancy is an unexplained finding.

Post-Migration Validation Checklist

Migration is not complete when the data arrives in GCC High. Migration is complete when the old environment is fully decommissioned, the new environment matches the SSP, and every control can be demonstrated to an assessor. This checklist covers what must be verified before declaring the migration done.

The Bottom Line

A GCC High migration is the right decision for most defense contractors handling CUI. But the migration itself is a compliance event that, if executed carelessly, creates more scope than it eliminates. The contractors who migrate cleanly are the ones who treat decommission as seriously as deployment — who build a migration manifest, preserve evidence at every phase, document the interim state, and verify that the old environment is completely cold before an assessor arrives.