08-25-2020 09:33 AM
08-25-2020 09:50 AM
Tenants should read and understand the control implementation by the CSP and what remains the customer's responsibility with regard to securing CUI. This is enabled under GCC and GCCH and documented in each System Security Plan.
08-25-2020 10:02 AM Solution
@Anon414, from the questions you're posting, it looks to me like you're grappling with how to store data in O365 and if it will be compliant with CDI and ITAR data categories - what we affectionately call CUI, or segments of CUI.
It's my own view, and I think for many others, that it's just about impossible to segregate one type of CUI from another. The possibility of a spill is always there. And unless you can clearly articulate that you won't ever work on NOFORN or ITAR type of contracts, then my guidance to you would be to lean towards GCCH. It's purpose-built for ITAR controls and the fabric is secured - check out the SSP as Sergio mentioned.
You will have to do "other" things in order to secure your own tenant - like monitoring in Sentinel or PIM/PAM (Privileged Access Management) and JIT (Just in time, or conditional access). You'll also want to tag your special data types so you can track them in the environment to the best extent possible. All of those are the security practices you'll have to engage in with CMMC.