Put CUI Spillage in the Rearview with Microsoft Purview Information Protection (MPIP)

    Learn how Microsoft Purview Information Protection (MPIP) can help defense contractors achieve CMMC compliance and protect Controlled Unclassified Information (CUI) effectively.


    With the CMMC Final Rule published, defense contractors should now be in full pursuit of their CMMC Certifications. Many are asking themselves important questions to ensure they have all their ducks in a row (pro tip: use the CMMC Pathfinder tool).  

    Questions like:  

    1. Do we comply with the requirements in paragraphs B and C of DFARS 252.204-7012?  
    2. Have we successfully implemented the 110 Security Controls (320 Assessment Objectives) found in NIST SP 800-171?
    3. Are we confident that we'll pass our CMMC assessment so we can continue to win contracts? 

    That’s what CMMC all boils down to, right?...

    Right!?


    What’s missing from these questions? Protecting CUI

    CMMC is all about protecting CUI. If that’s the priority, then you also have to ask:

    1. Do you know how to find CUI within your environment?
    2. Do you know how to set up automations to prevent its leakage?
    3. Have you weighed the consequences if a CUI leakage were to occur?

    In this blog, you'll discover a Microsoft tool to help make your journey to CMMC easier and ensure you are really protecting CUI: Microsoft Purview Information Protection (MPIP) 


    The Problem: CMMC Won’t Prevent CUI Spillage, But You Should 

    If you built a fence around your yard to keep your dog in, you have created the potential to keep your dog safely inside. Your HOA can check that you built it, but that doesn’t mean the dog can’t escape. To ensure that the dog stays safely inside the fence, and to alert you if he gets out, there’s still more work to do. 

    CMMC is designed to ensure that your environment can protect CUI, but it doesn't ensure that it actually will.  

    When you create a secure environment that’s CMMC-ready and capable of protecting CUI, you do so under a good faith premise.  

    In a CMMC assessment, a CMMC 3rd-Party Assessment Organization (C3PAO) is only assessing the system which will be used to store, process, or transmit CUI to see if it can protect CUI in accordance with the appropriate requirements. A C3PAO’s job is to evaluate if you have implemented NIST SP 800-171 in accordance with DFARS 7012 Paragraph B. The C3PAO will not assess whether all the CUI your organization holds is stored appropriately. C3PAOs perform assessments under the assumption that the organization being assessed has presented them with the information system that will actually be used in the execution of contracts and the protection of CUI.  

    Whether that will actually happen is another question.  


    The Consequences: Penalties for CUI Spillage 

    Think of CUI as a flowing river and your information system as dry ground; everywhere the river flows becomes wet, right? That is, unless something is put in place to stop the water from flowing to places where you don’t want it to.  

    On your information system, everything that CUI touches becomes “in-scope”. When CUI touches places not provisioned with adequate protections, that’s called spillage. If an organization is storing CUI in a cloud environment without the proper protections for CUI, that is also considered spillage. CUI spillage is addressed in the CMMC requirements under 3.1.3 / AC.L2-3.1.3 – Control CUI Flow, and therefore comes with negative consequences.  If you know about the spillage and do nothing to report it, the penalties can get ugly. Thus, it’s vitally important for organizations to implement and enforce data flow controls for CUI.  

    CUI penalties chart. A big thanks to our partner DEFCERT for the sweet graphic.

    While it is totally plausible for an organization to define and enforce data flow controls for CUI data, many organizations will lack the necessary resources to establish, maintain, and continuously validate implemented data flow controls.  

    For establishing and monitoring those data flow controls, Microsoft Purview Information Protection (MPIP) is a “surprise tool” that can save you a whole lot of headaches and heartburn. 

    Microsoft Purview Information Protection (MPIP): Microsoft’s Tool to Prevent CUI Spillage 

    So, what is Microsoft Purview Information Protection (MPIP)?

    “Microsoft Purview Information Protection is a unification of Microsoft's classification, labeling, and protection services.  It helps organizations discover, classify, and protect sensitive information, regardless of whether it’s at rest or in transit. It is a part of Microsoft 365 E5 Compliance Suite.  It provides unified administration across Microsoft 365, Azure Information Protection, Windows Information Protection, and other Microsoft services.” 


    How can you use Microsoft Purview Information Protection?

    1. By Performing Microsoft Content Searches

    You can’t protect what you don’t know exists. Microsoft Purview’s Content Search tool allows organizations to build KQL (Keyword Query Language) queries, or custom lists of words that are often found in files containing CUI, and run them across the information system.   

    Using your curated list, your organization can then search through its information system for files which contain those words, verify whether each file actually contains CUI, confirm its location on the system, and validate that appropriate protections are applied to the resource.  

    This is a HUGE time-saver and is particularly helpful for validating that data flow controls are properly enforced and effective.

    2. By Applying Data Sensitivity Labels to Your Organization’s Data

    With MPIP Sensitivity Labels, users can classify and protect sensitive data, while minimizing impacts to collaboration or user productivity. These data-level protections safeguard content even when it drifts outside of organizational boundaries. Sensitivity Label protections often include: 

    • Encryption & controlling need-to-know (NTK) access: 
      • Document Permissions – View, Edit, Print, Full-Control, etc. 
      • Email – Do Not Forward 
      • Access Controls by Entra Group or User Defined Permissions 
    • Automated Content Markings – Headers, Footers, Etc. 


    3. By Implementing and Enforcing Data Loss Prevention (DLP) Rules

    DLP rules enable you to identify, monitor, and automate protections of sensitive information (established through sensitivity labels) across Microsoft 365 services.

    With DLP, organizations can mitigate the risk of unintended oversharing or data spillage by utilizing capabilities that monitor how data deemed to be sensitive is handled, no matter where it goes. Sensitivity labels tell us that the data is important, and DLP policies dictate how users and services may interact with that data based on organizationally configured rules.  
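    The three capabilities above (content search, sensitivity labels, DLP) work as one pipeline: find possible CUI, label the CUI you confirm, then let DLP enforce where labeled content may flow. The script below is an added example written for this post, not code from Summit 7 or from Microsoft’s documentation. It uses the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module (Connect-IPPSSession, New-ComplianceSearch, New-Label, New-LabelPolicy, New-DlpCompliancePolicy, New-DlpComplianceRule); the keyword list, the label name “CUI”, the group address cui-authorized@contoso.com, the policy and rule names, and the 30-second polling interval are constructed placeholders for illustration, and the exact hashtable shape of the label condition should be checked against the current New-DlpComplianceRule reference before use in a tenant.

```powershell
# Added example: find -> label -> enforce CUI flow control with Purview.
# Not from the original post; names/addresses below are constructed placeholders.
# One-time setup: Install-Module ExchangeOnlineManagement, then sign in with an
# account holding the Compliance Administrator role.
Connect-IPPSSession

# --- 1. Find it: keyword-driven Content Search (KQL) --------------------------
# Constructed keyword list of CUI markings/terms that commonly appear in CUI
# files. A hit is an INDICATOR only; a human still confirms each result really
# is CUI and that its location is inside the protected boundary.
$cuiTerms = @('"Controlled Unclassified Information"', 'CUI', 'NOFORN',
              '"Export Controlled"', 'ITAR', '"Distribution Statement"')
$kql = $cuiTerms -join ' OR '

$searchParams = @{
    Name               = 'CUI-Discovery'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'          # SharePoint and OneDrive sites
    ContentMatchQuery  = $kql
    Description        = 'Locate possible CUI anywhere in the tenant'
}
New-ComplianceSearch @searchParams
Start-ComplianceSearch -Identity 'CUI-Discovery'

# Poll until the search completes, then summarize the hit count.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity 'CUI-Discovery'
} while ($search.Status -ne 'Completed')
'{0} items ({1} bytes) matched the CUI keyword query' -f $search.Items, $search.Size

# --- 2. Label it: sensitivity label with encryption, NTK access, markings ------
# Rights string format is "Identity:Right,Right;Identity:Right". Only the
# constructed CUI-authorized group receives access (need-to-know); everyone
# else is denied by the encryption itself, even if the file leaves the tenant.
$labelParams = @{
    Name                             = 'CUI'
    DisplayName                      = 'CUI'
    Tooltip                          = 'Controlled Unclassified Information - need-to-know only'
    EncryptionEnabled                = $true
    EncryptionProtectionType         = 'Template'
    EncryptionRightsDefinitions      = 'cui-authorized@contoso.com:VIEW,EDIT,PRINT,VIEWRIGHTSDATA'
    EncryptionOfflineAccessDays      = 7    # re-check access rights weekly
    ApplyContentMarkingHeaderEnabled = $true
    ApplyContentMarkingHeaderText    = 'CUI'
    ApplyContentMarkingFooterEnabled = $true
    ApplyContentMarkingFooterText    = 'CUI'
}
New-Label @labelParams
# Publish the label so users and auto-labeling policies can apply it.
New-LabelPolicy -Name 'CUI-Label-Policy' -Labels 'CUI' -ExchangeLocation All

# --- 3. Enforce it: DLP policy keyed on the CUI label -------------------------
# Start in test mode: incident reports show what WOULD be blocked, so the
# rule can be tuned before it interrupts legitimate CUI workflows.
$policyParams = @{
    Name               = 'CUI-Flow-Control'
    Comment            = 'AC.L2-3.1.3 Control CUI Flow'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policyParams

$ruleParams = @{
    Name                                = 'Block-CUI-Leaving-Org'
    Policy                              = 'CUI-Flow-Control'
    # Condition: item carries the CUI sensitivity label (hashtable shape per
    # the New-DlpComplianceRule reference; verify against current docs).
    ContentContainsSensitiveInformation = @(@{
        operator = 'And'
        groups   = @(@{
            operator = 'Or'
            name     = 'CUI labeled content'
            labels   = @(@{ name = 'CUI'; type = 'Sensitivity' })
        })
    })
    AccessScope               = 'NotInOrganization'   # only external sharing
    BlockAccess               = $true
    BlockAccessScope          = 'All'
    NotifyUser                = 'Owner'
    NotifyPolicyTipCustomText = 'This item is labeled CUI and cannot be shared outside the organization.'
    GenerateIncidentReport    = 'SiteAdmin'
    IncidentReportContent     = 'All'
    ReportSeverityLevel       = 'High'
}
New-DlpComplianceRule @ruleParams

# After reviewing the test-mode incident reports, switch to enforcement:
# Set-DlpCompliancePolicy -Identity 'CUI-Flow-Control' -Mode Enable
```

    Two design choices worth noting. The DLP rule is keyed on the label rather than on the keyword list, so enforcement follows the decision a human made in step 1 instead of firing on every document that happens to mention “CUI”; and the policy ships in TestWithNotifications mode so the incident reports serve as the evidence that the flow control is effective before anyone is blocked, which is exactly the validation the assessment objective under 3.1.3 is asking you to be able to show.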


    These are just a few examples of ways organizations can leverage MPIP to automate their data flow control process and increase CUI visibility. MPIP not only helps assure CMMC assessors that you are capable of protecting CUI, but also helps you actually protect it - avoiding potential incidents of unauthorized access or CUI spillage.  

    Now, instead of depending on human-driven processes to confirm that data flow enforcement is successful, your organization can dedicate efforts to the many other processes needed to protect CUI. 


    Want to hear more about how MPIP might help your organization with CMMC compliance and protect CUI? Reach out to us below and someone will follow up with you shortly.  

    Contact Summit 7


    Jason Sproesser

    Jason Sproesser is Director of Product Management at Summit 7. Jason's mission is to empower organizations to achieve their cybersecurity and compliance goals by simplifying complex concepts, translating them into digestible insights, and developing industry-leading offerings that help clients protect their critical data and systems from cyber threats while satisfying compliance requirements. Jason is a CMMC Certified Professional (CCP) and Provisional Instructor (PI).
