I'm working IT for a smallish engineering firm, and I've been trying to get the ball rolling on getting us set up for compliance. The company is about 80 people right now but it seems like we keep growing. Currently, maybe 10 people do government work. Currently we're on commercial Business 365, and working on at least being Level 1, but with the goal to eventually try to prep for Level 2.

A thought I had, to possibly save a little money, is to create a GCC tenant for the sole purpose of doing Federal work, along with devices that are only used with those accounts and the corresponding work.. Since the number of people actually participating in it is so small, maybe it would work? I'm not sure if the controls are intended to be company wide, or just for those who work with CUI. Otherwise, we should probably do a full migration to GCC? High shouldn't be necessary I think, as we don't work with ITAR or EAC

Any advice is welcome, thanks in advance!