A $150M+ commercial construction firm faced runaway VMware renewal costs and needed NIST 800-171 readiness to bid on federal and state government work. TRNSFRM migrated them off VMware to a Microsoft-based hybrid cloud and remediated their NIST gaps — opening a new revenue channel while cutting infrastructure spend.

Our client, a $150M+ commercial construction firm, was hit with two pressures at the same time:

1. VMware licensing costs spiked dramatically after the Broadcom acquisition, turning a predictable line item into a budget problem.
2. Leadership wanted to pursue federal and state government construction contracts — which required demonstrable alignment with NIST SP 800-171 and a credible security posture.

Their existing environment was not ready for either move:

• Production workloads ran on aging VMware hosts with renewal quotes that no longer made business sense
• No formal gap assessment, SSP, or POA&M against NIST 800-171
• Identity, email, and file sharing were partially in Microsoft 365 but not configured to a controlled standard
• Backups, DR, and access controls were inconsistent across job sites and the corporate office
• No clear story to tell a contracting officer about how the company protected sensitive project data

They needed a path that solved the cost problem and the compliance problem at the same time — without disrupting active job sites.

TRNSFRM ran the engagement using our IT Resilience Framework: Assess, Build, Transform.

Assess

• Full NIST SP 800-171 gap assessment across all 110 controls
• Inventoried every VMware workload, its dependencies, and its real performance profile
• Built the System Security Plan (SSP) and POA&M, prioritized by risk and contract requirements
• Modeled total cost of ownership: status-quo VMware renewal vs. Microsoft hybrid cloud

Build — Microsoft Hybrid Cloud

• Designed a hybrid architecture using Azure for elastic and DR workloads, with right-sized on-prem Hyper-V for latency-sensitive systems
• Migrated VMs off VMware in waves, with cutover windows scheduled around active project deliverables
• Standardized identity on Microsoft Entra ID with conditional access, MFA, and privileged access workflows
• Hardened Microsoft 365 (email, Teams, SharePoint, OneDrive) with DLP, data labeling, and retention aligned to NIST controls
• Re-architected backup and DR with tested restore runbooks across both Azure and on-prem

NIST 800-171 Remediation

• Closed POA&M items across access control, audit/accountability, configuration management, incident response, and system/communications protection
• Deployed centralized logging, EDR, and 24x7 monitoring tied to documented IR procedures
• Wrote and rolled out the policy stack and user training required by the framework
• Produced a defensible package — SSP, POA&M, evidence — to support contract bids and customer security questionnaires

"TRNSFRM turned a VMware budget headache and a compliance gap into one project. We came out with lower infrastructure cost, a real security program, and the ability to bid on government work we couldn't touch before."
— IT Leader, Commercial Construction Client

The client exited their VMware footprint, stood up a Microsoft hybrid cloud, and reached NIST 800-171 readiness without disrupting active construction projects.

• 100% of VMware workloads migrated off the platform on schedule
• Hybrid architecture deployed across Azure and on-prem Hyper-V, sized to actual workload demand
• NIST SP 800-171 gap assessment completed and POA&M remediated to a contract-ready posture
• Microsoft 365 hardened with conditional access, MFA, DLP, and centralized logging
• Backup and DR rebuilt with tested, documented recovery procedures
• Now eligible to bid on federal and state government construction work — opening a new revenue channel

The firm replaced an unpredictable licensing problem and a compliance blind spot with infrastructure that supports growth into regulated markets.