[staticassertion]

I have no idea what you're talking about. This has nothing to do with having "better fedramp certs". If you are setting up fedramp or cmmc you will be heavily, heavily pressured and incentivized to do so with Microsoft tooling.

"Better" isn't relevant, which is my entire point. The reason people choose Microsoft isn't "it's better for this", it's because every consultancy out there, every government agency or affiliate, etc, is going to push Microsoft very very hard.

[Spooky23]

I’ve been in the space for 30 years. Nobody is pressuring anyone to buy Microsoft because of FedRAMP, and Microsoft is not even close to having any advantage with respect to FedRAMP vs their competitors.

FedRAMP is demonstration that the solution met some assessment of controls in alignment with NIST 800-53. As a checkbox, it’s almost as dumb as FIPS 140, and like FIPS, you need to asses risk for your implementation regardless of these things.

Microsoft wins deals because their product catalog is well engineered to incentivize bundled subscriptions that drive marginal adoption. The user facing products are better, Entra is generally right there, and that’s a pivot into many other scenarios that drive spend.

[staticassertion]

What's the most common architecture you see for CMMC enclaves, especially those built by outside consulting firms?

[Spooky23]

I don’t work in defense, and neither does FedRAMP.

[staticassertion]

Great, then I'll tell you. It's a bunch of FedRAMP certified Microsoft services.