Forum Discussion
Protection of CUI via email
Is there a secure and compliant way to transfer CUI using Outlook (SC.3.177 requires FIPS validated cryptography)? Does this require a GCC or GCC high license if you are only using this function?
2 Replies
Anon414 - great question.
Let me point you to a few sources:
https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-fips-140-2?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/email-encryption?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-advanced-message-encryption?view=o365-worldwide
These services are built using Azure Rights Management Services which do support FIPS 140-2 requirements.
https://docs.microsoft.com/en-us/azure/information-protection/what-is-azure-rms
Regarding your question plans and GCC vs. GCCH, you'll want to think through the details, especially when you consider spills and managing data traversing environments.
Here's a great RichardWakeman article for your consideration:The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In
https://aka.ms/AA6frar
Paul Meacham or Sergio Cossio - would you have any guidance on plans and services?- RichardWakeman
Microsoft
Anon414 and Anupam_K_Gupta, the big question is if the email may have technical content or attachments that may constitute export controlled data, such as ITAR data. GCC High is where you will get contractual support for ITAR. I touch on this in Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants.
