cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Protection of CUI in SharePoint

Anon414
Copper Contributor

‎Aug 25 2020 09:33 AM

‎Aug 25 2020 09:33 AM

Protection of CUI in SharePoint

Is there a secure and compliant way to store and process data in SharePoint (FIPS validated cryptography, access controls, etc)? Does this require a GCC or GCC high license for this function?
6,601 Views
0 Likes
2 Replies
Reply
2 Replies
Sergio Cossio

‎Aug 25 2020 09:50 AM

‎Aug 25 2020 09:50 AM

Re: Protection of CUI in SharePoint

Tenants should read and understand control implementation by the CSP and what remains the customers responsibility to do in regards to securing CUI. This is enabled under GCC and GCCH and documented in each System Security Plan.

0 Likes
Reply
best response confirmed by Sarah.Gilbert (Community Manager)
Anupam_K_Gupta

‎Aug 25 2020 10:02 AM

‎Aug 25 2020 10:02 AM

Solution

Re: Protection of CUI in SharePoint

@Anon414 , from the questions you're posting, it looks to me like you're grappling with how to store data in O365 and if it will be compliant with CDI and ITAR data categories - what we affectionately call CUI, or segments of CUI.

It's my own view, and I think for  many others, that it's just about impossible to segregate one type of CUI from another.  The possibility of the spill is always there.  And unless you can clearly articulate that you won't ever work on NOFORN or ITAR type of contracts, then my guidance to you would be lean towards GCCH.  It's purpose built for ITAR controls and fabric is secured - check out the SSP as Sergio mentioned.

You will have to do "other" things in order to secure your own tenant - like monitoring in Sentinel or PIM/PAM (Privedged Access Management) and JIT (Just in time, or conditional access).  You'll also want to tag your special data types so you can track it in the environment to the best extent possible.  All of those are the security practices you'll have to engage in with CMMC.


1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Sarah.Gilbert (Community Manager)
Anupam_K_Gupta

‎Aug 25 2020 10:02 AM

‎Aug 25 2020 10:02 AM

Solution

Re: Protection of CUI in SharePoint

@Anon414 , from the questions you're posting, it looks to me like you're grappling with how to store data in O365 and if it will be compliant with CDI and ITAR data categories - what we affectionately call CUI, or segments of CUI.

It's my own view, and I think for  many others, that it's just about impossible to segregate one type of CUI from another.  The possibility of the spill is always there.  And unless you can clearly articulate that you won't ever work on NOFORN or ITAR type of contracts, then my guidance to you would be lean towards GCCH.  It's purpose built for ITAR controls and fabric is secured - check out the SSP as Sergio mentioned.

You will have to do "other" things in order to secure your own tenant - like monitoring in Sentinel or PIM/PAM (Privedged Access Management) and JIT (Just in time, or conditional access).  You'll also want to tag your special data types so you can track it in the environment to the best extent possible.  All of those are the security practices you'll have to engage in with CMMC.


View solution in original post

1 Like
Reply