SOLVED

Protection of CUI in SharePoint

Is there a secure and compliant way to store and process data in SharePoint (FIPS validated cryptography, access controls, etc)? Does this require a GCC or GCC high license for this function?
2 Replies

Tenants should read and understand control implementation by the CSP and what remains the customer's responsibility in regard to securing CUI. This is enabled under GCC and GCCH and documented in each System Security Plan.

Best Response confirmed by Sarah.Gilbert (Community Manager)
Solution

@Anon414, from the questions you're posting, it looks to me like you're grappling with how to store data in O365 and whether it will be compliant with CDI and ITAR data categories - what we affectionately call CUI, or segments of CUI.

It's my own view, and I think for many others, that it's just about impossible to segregate one type of CUI from another. The possibility of a spill is always there. And unless you can clearly articulate that you won't ever work on NOFORN or ITAR types of contracts, then my guidance to you would be to lean towards GCCH. It's purpose-built for ITAR controls and the fabric is secured - check out the SSP as Sergio mentioned.

You will have to do "other" things in order to secure your own tenant - like monitoring in Sentinel or PIM/PAM (Privileged Access Management) and JIT (Just in time, or conditional access). You'll also want to tag your special data types so you can track them in the environment to the best extent possible. All of those are the security practices you'll have to engage in with CMMC.