With the CMMC Final Rule published, defense contractors should now be in full pursuit of their CMMC Certifications. Many are asking themselves important questions to ensure they have all their ducks in a row (pro tip: use the CMMC Pathfinder tool).
Questions like:
That’s what CMMC all boils down to, right?
Right!?
What’s missing from these questions? Protecting CUI.
CMMC is all about protecting CUI. If that’s the priority, then you also have to ask:
In this blog, you'll discover a Microsoft tool to help make your journey to CMMC easier and ensure you are really protecting CUI: Microsoft Purview Information Protection (MPIP).
If you built a fence around your yard to keep your dog in, you have created the security potential to keep your dog safe inside. Your HOA can check that you built it, but that doesn’t mean the dog can’t escape. To ensure that the dog stays safely inside the fence, and to alert you if he gets out, there’s still more work to do.
When you create a secure environment that’s CMMC-ready and capable of protecting CUI, you do so under a good faith premise.
In a CMMC assessment, a CMMC 3rd-Party Assessment Organization (C3PAO) only assesses the system that will be used to store, process, or transmit CUI, to see whether it can protect CUI in accordance with the applicable requirements. A C3PAO’s job is to evaluate whether you have implemented NIST SP 800-171 in accordance with DFARS 7012 Paragraph (b). The C3PAO will not assess whether all the CUI your organization holds is stored appropriately. C3PAOs perform assessments under the assumption that the organization being assessed has presented them with the information system that will actually be used to execute contracts and protect CUI.
Whether that will actually happen is another question.
Think of CUI as a flowing river and your information system as dry ground; everywhere the river flows becomes wet, right? That is, unless something is put in place to stop the water from flowing to places where you don’t want it to.
On your information system, everything that CUI touches becomes “in scope”. When CUI touches places not provisioned with adequate protections, that’s called spillage. If an organization stores CUI in a cloud environment without the proper protections for CUI, that is also considered spillage. CUI spillage is addressed in the CMMC requirements under 3.1.3 / AC.L2-3.1.3 – Control CUI Flow, and therefore comes with negative consequences. If you know about the spillage and do nothing to report it, the penalties can get ugly. Thus, it’s vitally important for organizations to implement and enforce data flow controls for CUI.
While it is totally plausible for an organization to define and enforce data flow controls for CUI data, many organizations will lack the necessary resources to establish, maintain, and continuously validate implemented data flow controls.
Because it can both enforce and monitor your data flow controls, Microsoft Purview Information Protection (MPIP) is a “surprise tool” that can save you a whole lot of headaches and heartburn.
So, what is Microsoft Purview Information Protection (MPIP)?
“Microsoft Purview Information Protection is a unification of Microsoft's classification, labeling, and protection services. It helps organizations discover, classify, and protect sensitive information, regardless of whether it’s at rest or in transit. It is a part of Microsoft 365 E5 Compliance Suite. It provides unified administration across Microsoft 365, Azure Information Protection, Windows Information Protection, and other Microsoft services.”
You can’t protect what you don’t know exists. Microsoft Purview’s Content Search tool allows organizations to create KQL queries or custom lists of words that are often found in files considered CUI data.
Using your curated list, your organization can then search its information system for files that contain those words, verify whether each file is CUI, confirm its location on the system, and validate that appropriate protections are applied to the resource.
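As an added example (not code from the blog or from Microsoft), the keyword-list search described above scripted in Security & Compliance PowerShell: it builds a KQL query from a constructed list of CUI-indicating phrases, runs a Content Search across all mailboxes and sites, and reports which locations hold hits so any location not provisioned for CUI can be triaged as a possible spill. The UPN is a placeholder, and the per-location result format is assumed to match the "Location: …, Item count: …" lines Get-ComplianceSearch returns in SuccessResults.

```powershell
# Requires the ExchangeOnlineManagement module and an account holding an
# eDiscovery role. Placeholder UPN below.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'compliance.admin@contoso.example'

# Constructed keyword list: phrases and marking banners that commonly indicate
# CUI. Tune this to your own contracts, program names and CUI categories.
$cuiKeywords = @(
    'Controlled Unclassified Information',
    'CUI//SP-CTI',
    'Export Controlled',
    'ITAR',
    'DFARS 252.204-7012'
)

# KQL: quote each phrase and join with OR so any single phrase is a hit.
$kql = ($cuiKeywords | ForEach-Object { '"' + $_ + '"' }) -join ' OR '

$searchName = "CUI-Discovery-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# Scope to every mailbox and every SharePoint/OneDrive site: the point is to
# surface CUI outside the enclave, not only where you expect it to be.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery $kql | Out-Null

Start-ComplianceSearch -Identity $searchName

# Poll until the estimate finishes (or fails).
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin @('Completed', 'Failed'))

"Search '$searchName': status $($search.Status), $($search.Items) items, " +
"$([math]::Round($search.Size / 1MB, 1)) MB"

# Per-location breakdown (assumed format of SuccessResults). Any location
# with hits that is not an approved CUI repository is a candidate spill to
# review under AC.L2-3.1.3.
$search.SuccessResults -split '[\r\n]+' | ForEach-Object {
    if ($_ -match 'Location: (\S+), Item count: (\d+), Total size: (\d+)' -and
        [int]$Matches[2] -gt 0) {
        [pscustomobject]@{ Location = $Matches[1]; Items = [int]$Matches[2] }
    }
} | Sort-Object Items -Descending | Format-Table -AutoSize
```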
This is a HUGE time-saver and is particularly helpful for validating that data flow controls are properly enforced and effective.
With MPIP sensitivity labels, users can classify and protect sensitive data while minimizing the impact on collaboration and user productivity. These data-level protections safeguard content even when it drifts outside organizational boundaries. Sensitivity label protections often include:
DLP rules enable you to identify, monitor, and automate the protection of sensitive information (as established through sensitivity labels) across Microsoft 365 services.
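As an added example (not code from the blog or from Microsoft), a DLP policy that turns a sensitivity label into an enforced CUI data flow control: content carrying a label named "CUI" is blocked from being shared outside the organization, with the owner notified and an incident report generated. It assumes Connect-IPPSSession has already run, that a sensitivity label called "CUI" exists, and that the label-condition hashtable matches the documented New-DlpComplianceRule shape for your module version.

```powershell
$policyName = 'CUI-Flow-Control'

# Start in test mode with notifications so you can validate matches against
# real traffic before enforcement breaks legitimate collaboration.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment 'AC.L2-3.1.3: keep CUI-labeled content inside the enclave' | Out-Null

# Condition: content that carries the "CUI" sensitivity label
# (assumed label name; hashtable shape per New-DlpComplianceRule docs).
$labelCondition = @{
    operator = 'And'
    groups   = @(
        @{
            operator = 'Or'
            name     = 'CUI labels'
            labels   = @(@{ name = 'CUI'; type = 'Sensitivity' })
        }
    )
}

# Rule: labeled content shared with anyone outside the organization is
# blocked, the owner is told why, and an incident report goes to site admins.
New-DlpComplianceRule -Name "$policyName-BlockExternal" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All | Out-Null

# Once the test period shows only true positives, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The incident reports produced during the test period double as evidence that the data flow control is both implemented and effective, which is what a C3PAO will want to see for AC.L2-3.1.3.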
These are just a few examples of ways organizations can leverage MPIP to automate their data flow control process and increase CUI visibility. MPIP not only helps assure CMMC assessors that you are capable of protecting CUI, but also helps you actually protect it, avoiding potential incidents of unauthorized access to CUI or CUI data spillage.
Now, instead of depending on human-driven processes to confirm that data flow enforcement is successful, your organization can dedicate efforts to the many other processes needed to protect CUI.
Want to hear more about how MPIP might help your organization with CMMC compliance and protect CUI? Reach out to us below and someone will follow up with you shortly.