I agree that the article is a bit vague on that. However, at the university I work for, the team that manages our government cloud also works on our public cloud. The compliance team for the GCC environment and the engineering team I am on all report up the same silo.

It is not uncommon for universities to have wholly owned but logically separated research subsidiaries. This solves two problems. One being the elevated level of security needed at the research subsidiaries would not be acceptable to general staff and faculty. The second being the ease of management. The separation makes it easier to delineate where sensitive data can go.

I know what I’m going to bring up in my CMMC compliance call tomorrow.

The university I am an information security engineer for has been working for years to become CMMC level 2 compliant.

Penn State using public cloud (assuming Azure) and the commercial Office 365 would place them about 18-24 months away from being able to pivot to GCC or GCC-High. That is assuming they have the staff and capabilities to do this.

That doesn’t include all of the policies and other paper processes that need to happen.

Hopefully there are consequences for this level of deception.

Doesn't Azure have a separate cloud exclusively for the US goverment? If so why would they use the commercial one?

They do, there is GCC, and GCC-High. There are a number of reasons why, but the most common would probably be the additional cost of resources and staffing.

Feature for feature, the core functionality is the same. There’s more overhead in GCC and some features in public are delayed in implementation.

We had a sales pitch by a MS partner and they made it sound like provisioning/ migrating services to gov cloud was seamless. It makes sense there is overhead involved from compliance. Two years to pivot seems pretty crazy though.

The gov cloud is atleast 10-30% more expensive

Not to mention all the additional access constraints that require folks that use it to be properly credentialed.