Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty

Published Aug 19 2020 09:00 AM 12.7K Views
Microsoft

This article is the fourth of a series in the Microsoft Tech Community Public Sector Blog that explores myths of deploying Microsoft Cloud Services into the *US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High).

 

We will focus on the myth that Controlled Unclassified Information (CUI) does not require data sovereignty.  This article is written through the lens of requirements to protect CUI in the context of the U.S. Department of Defense for national security, such as in alignment with the Defense Industrial Base (DIB) and the Cybersecurity Maturity Model Certification (CMMC).

 

Executive Summary

 

Microsoft has prescribed the *US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High) to protect Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) consistently.  Our rationale is that CUI includes International Traffic in Arms Regulation (ITAR) regulated data, and the U.S. Department of Defense (DoD) requires Defense Federal Acquisition Regulation Supplement clause 252.204-7012 (DFARS 7012) to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud, built in a fully isolated environment that is both physically and logically separated.  All services in the US Sovereign Cloud are contained within an accreditation boundary supporting US Export Controls requiring screened US persons and data sovereignty in the Continental United States (CONUS).

 

*For more information on the US Sovereign Cloud, please refer to the Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

 

Preface

 

If only I had a quarter for every time I’ve had to explain why we have a “Maybe” for CUI and CDI in clouds other than the US Sovereign Cloud.

 

Our mantra is clear.  I quote this from the compliance Jedi Master @Shawn_Veney:

 

If you find your organization manages so many types of CUI, and is perhaps thinking of taking on new work and adding to that challenge; then sometimes it is easier to adopt a high watermark strategy to accomplish your data protection goals. This trade off recognizes that your solution may exceed requirements for a specific type of data; but provides confidence you likely have addressed your aggregate requirements. This is ideal when your internal classification and marking efforts may not be where you would like them yet.

 

Throughout this article, I will explain why we have a definitive “Yes” for CUI and CDI in the US Sovereign Cloud.  In what will be one of my most hotly contested articles to date, this is intended to spark a debate on how CUI data protection practices apply holistically.  I intend to keep this initial argument high level, as there are a million nuances that may be deliberated indefinitely.  That said, the “thesis” of this article should be debated passionately as an industry.

 

At the end of the day, Microsoft offers multiple clouds from Commercial to GCC to GCC High to DoD and even to Azure Government Secret.  In other words, we can satisfy many risk profiles and offer you a cloud that best aligns with your organization’s risk posture.  We will not police you, nor will we demand you choose one cloud over another.  We will be very clear on where we provide contractual obligations.  Hence why we are only confident in saying “Yes” to CUI in the US Sovereign Cloud.

 

Summary

 

The CUI Program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies.  CUI includes markings that span many categories and groupings.  The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data.  Individual agencies have their own requirements for CUI, resulting in additional rules that govern the data protection practices of CUI.  For example, the DoD defines standards in the Cloud Computing (CC) Security Requirements Guide (SRG), in DFARS 7012, and in the Cybersecurity Maturity Model Certification (CMMC) to protect CUI.

 

CUI is defined by a program that includes all categories under a single umbrella.  Not all CUI markings are protected precisely the same way.  However, it can be untenable to discern the various restrictions for CUI given consolidated language used by standards and regulations.  In addition, the complicated array of markings are often not applied effectively.  As a result, the reduced risk data protection strategy is to opt for the highest watermark possible for protection of CUI, rather than risk it by adopting a lower control set.  CUI has export-controlled data as a common high watermark, to include ITAR regulated data.  ITAR has a data sovereignty requirement.

 

In other words, CUI effectively requires data sovereignty.

 

What is Controlled Unclassified Information?

 

If you have not read the CUI History from the National Archives and Records Administration (NARA), I highly recommend it.  It’s a short read, and helpful for context.

 

https://www.archives.gov/cui/cui-history

 

To summarize, before the advent of CUI, there were a myriad of autonomous Federal agencies and departments that had each developed its own practices for protecting sensitive information.  This non-conformity made it extremely difficult to share information with transparency throughout the Federal government and its stakeholders, such as the Defense Industrial Base (DIB).

 

The CUI program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies.  Ultimately, NARA oversees the CUI Program and is primarily scoped to the Federal executive branch agencies.  Major contributors to the program include the DoD, the Department of Energy (DoE), the Department of Homeland Security (DHS), the Department of State (DoS), etc.  NARA defines CUI as:

 

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

 

Presidential executive orders evolved to a rule published in 2016 called “32 CFR Part 2002 Controlled Unclassified Information”.  You can read about it here in the Federal Register:

 

https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information

 

32 CFR Part 2002 prescribes the CUI Program markings that span many categories and groupings.  The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data.  You can find the list here:

 

https://www.archives.gov/cui/registry/category-marking-list

 

 

CUI Registry.png

Illustration 1: Microsoft Summary CUI Registry

 

Is All CUI the Same?

 

It goes without saying that each of the Federal executive branch agencies have had their own requirements for CUI, resulting in additional rules that govern the data protection practices of CUI.  For example, the DoD defines data protection standards in the DoD CC SRG, DFARS 7012, and in the CMMC to protect CUI.  Thus, there does remain a level of autonomy from NARA.

 

For example, the DoD recently released DOD Instruction 5200.48 establishing policies, responsibilities, and procedures for CUI.  It includes a “DOD CUI repository” not accessible by the public.  It is intended to address inconsistent definition and marking requirements specific to the DoD expanding what is outlined in 32 CFR Part 2002.  The DoD CUI Registry outlines an official list of Indexes and Categories to identify CUI, clarifying what has been a common source of confusion.

 

In addition, there are multiple regulations that govern specific categories of CUI.  For example, export-controlled categories may be regulated by ITAR administered by the Department of State Directorate of Defense Trade Controls (DDTC), or by EAR administered by the Department of Commerce’s Bureau of Industry and Security (BIS).

 

In other words, while “CUI” is defined by a standardized program of markings and data protection practices, not all CUI is the same.  Some CUI categories may generally fall into the bucket of Personally Identifying Information (PII), such as Privacy.  Mishandling of other categories may earn you an orange jump suit, such as spilling ITAR regulated data to an unauthorized foreign state actor.

 

To answer the question, “Is All CUI the Same?”  Conclusively No.

 

Is All CUI Protected the Same Way?

 

Since all CUI is not the same, certainly not all categories of CUI are protected precisely the same way. 

 

Without going into analysis paralysis on topics such as CUI Basic versus CUI Specified groups, there is a statement that jumped out at me in 32 CFR Part 2002:

 

"We understand the concerns raised in these comments and agree that the penalties and consequences for failing to adequately protect CUI of some types may differ significantly from failure to protect CUI of other types. That being said, we cannot adjust the definition of CUI to exclude export controlled or other protected information; the Executive Order's definition of CUI is clear and includes all unclassified information that laws, regulations, and Government-wide policies require to have safeguarding or dissemination controls."

 

While we may agree that not all CUI is the same, there is a consensus that all CUI is defined by a program that includes all categories under a single umbrella.  So the question is, how do you differentiate between CUI that is sensitive such as Privacy categories, versus those with damaging national security concerns, such as export-controlled data?  It’s all CUI, right?  Another way to ask the question is, how do you discern the various restrictions for CUI given the complicated array of markings that are not often applied effectively?

 

Many of you reading this, especially the compliance authorities out there, are thinking “yes, it’s all CUI” but “no, not all CUI is protected the same way”.  Technically, you are right.  However, I’ve talked to hundreds of organizations out there ranging from the DoD, to the DIB, the FFRDCs (Federally Funded Research and Development Centers), the UARCs (University Affiliated Research Centers), and beyond.  I honestly do not hear anyone differentiating categories of CUI for purposes of maintaining compliance with individual markings.  When they say “CUI”, they are aggregating all categories together in a comprehensive fashion, not unlike what is described in 32 CFR Part 2002 above.  In addition, most recognize CUI markings are not applied consistently and marking efforts may not be where they would like them yet.  In other words, they have not located all CUI stored in their enterprise information systems.

 

Here is another example from the Cybersecurity Maturity Model Certification (CMMC).  CMMC defines five Levels:

 

  • Level 1: Safeguard Federal Contract Information (FCI)
  • Level 2: Serve as transition step in cybersecurity maturity progression to protect CUI
  • Level 3: Protect Controlled Unclassified Information (CUI)
  • Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threads (APTs)

 

Does anything jump out at you?  It’s NOT this:

 

  • Level 3: Protect Controlled Unclassified Information (CUI) of the non-export-controlled categories
  • Levels 4-5: Protect CUI including export-controlled categories and reduce risk of Advanced Persistent Threats (APTs)

 

Why?  CMMC Levels 3-5 are intended to protect all CUI.  Period.  CMMC does not attempt to differentiate CUI that is export-controlled versus CUI that is not.  If you delve into the CMMC Model Appendices, you will find many references to CUI, none of which qualify what categories of CUI are in scope per Practice or Process.  All categories are in scope for all Practices and Processes in CMMC Levels 3-5.  In fact, if you search for “export”, you will find many references, especially in alignment with the NIST SP 800-171.

 

Assuming you conclude that CMMC is intended to protect CUI regardless of category, you may also conclude export-controlled data, and specifically ITAR data is a common high watermark for compliance. 

 

This article is not about how to become CMMC compliant.  This article is specifically focused on CUI.  However, there is something to be said about the stated requirements for a CMMC Certified Third-Party Assessor Organization (C3PAO) that uses an external cloud service provider to store, process, or transmit CUI.  This is quoted from the CMMC Accreditation Body (CMMC AB) website:

 

the C3PAO shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) High baseline and in particular, Impact Level (IL4)

 

If the cloud service provider is not DoD CC SRG IL4 authorized, it becomes the responsibility of the C3PAO to provide an independent assessment to address the gaps to become compliant.  Most CSPs will not allow ad-hoc third parties to perform assessments on their data centers.  Even if they did allow an assessment, it is untenable to make the commercial CSP compliant with FedRAMP and IL4 without significant engineering efforts by the CSP. Trust me, we would not have invested an extraordinary amount to build the US Sovereign Cloud if we could have simply pulled it off in Commercial with a few compensating controls.

 

The point is, this CMMC AB requirement for FedRAMP High and IL4 to protect CUI does not qualify what categories of CUI are in scope.

 

Sidebar: The language of requiring an IL4 cloud is nuanced when applied to the DIB and with C3PAOs, as IL4 only applies to Federal information systems.  IL4 is not an authorization the DoD will provide to a non-Federal entity, nor is it for a CSP cloud environment not in use directly by the DoD.  DFARS 7012 is what applies to non-Federal information systems. I am assuming the intent is to drive the selection of a cloud that has been authorized by the DoD, as opposed to a cloud that is only authorized with FedRAMP.  For example, Microsoft Azure Government has a Provisional Authorization for DoD CC SRG IL4, with many services now at IL5.

 

Speaking of IL4, read this excerpt from DoD CC SRG 3.2.4 Level 4:

 

CUI contains a number of categories, including, but not limited to the following: • Export Controlled--Unclassified information concerning items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.

 

It goes on to define the specific requirements for ITAR.  In this case, IL4 is specifically placing an emphasis on CUI to explicitly scope in export-controlled data and how to protect it.

 

Thesis:  Not all CUI markings are protected precisely the same way.  However, it can be untenable to discern the various restrictions for CUI given consolidated language used by standards and regulations.  In addition, the complicated array of markings are often not applied effectively.  As a result, the reduced risk data protection strategy is to opt for the highest watermark possible for protection of CUI, rather than risk it by adopting a lower control set.

             

Does All CUI Have a NOFORN Requirement?

 

Another way to describe data sovereignty, is what may be referred to as “NOFORN".  NOFORN stands for “NO FOReign Nationals”.  In other words, NOFORN applies to sensitive data that is not releasable to foreign nationals, governments, nor non-US persons.

 

I led this article clearly stating not all CUI requires similar handling, such as a NOFORN requirement.  However, is it that simple?  The above conclusion is that CUI has export-controlled data as a common high watermark of data protection practices, to include ITAR regulated data.  ITAR has a NOFORN requirement.  Since ITAR is a high bar for compliance, it comes along with a stringent set of requirements for data sovereignty. Using that logic, CUI in aggregate does have an effective NOFORN requirement.

 

Allow me to pull on that string a bit.  I’ve heard a very clear decree that any company certified at a CMMC Level 3 or above, is trusted for data handling of “CUI”.  I have not seen any additional qualifications such as “are you CMMC Level 3 *and* ITAR compliant?”  It’s implicit the company protects all categories of CUI, including ITAR export-controlled data.

 

Let’s assume you have two different companies.  The first is a company that frequently works with export-controlled data and has a System Security Plan (SSP) in place to protect data with NOFORN requirements.  They have deployed their information systems in the Microsoft US Sovereign Cloud with Azure Government and Microsoft 365 GCC High.  They have the contractual amendment from Microsoft to support ITAR with NOFORN and have established a clear accreditation boundary for protection of export-controlled data natively within their information systems.

 

The second company does not handle export-controlled data frequently.  They establish an SSP to accommodate protection of export-controlled data using special End-To-End Encryption.  They have deployed their information systems in commercial clouds that are not natively compliant for ITAR regulations.  However, they pass their CMMC assessment for Level 3 because they have established a human-based process for marking and specially encrypting data before it’s saved to the commercial cloud, relying on people to pre-determine export-controlled data.  It’s not a problem for them though, as they rarely deal with it.

 

Do the two companies have equivalent risk profiles, as they both have certifications for CMMC Level 3?  The short answer is definitively no.  The second company has a tremendously higher risk of non-compliance and spillage relying on the human factor to protect export-controlled data. 

 

In addition, most export-controlled data does not begin its life as such.  Most begin simply as intellectual property, such as documents generated during a research and development project.  It’s not until that data progresses through a lifecycle and exchange with the DoD before it gets properly marked as export-controlled (if ever – hello DoD Instruction 5200.48!).  If you are saving that data in a commercial cloud unprotected (not opaque to the Cloud Service Provider), you subsequently end up with a deemed export without the fault of the original document author.  As such, it is imperative to protect all intellectual property by specially encrypting virtually everything that may potentially become CUI in the future.  It goes without saying that is a much easier thing to do if the information systems they use natively support ITAR and NOFORN without the additional End-To-End Encryption applied by the human element.

 

Here is final example.  I’ve talked to many of the DIB with numerous sub-contractors.  They do not personally know all their tier 3+ sub-contractors in their supply chain.  They rely on a system of checks and balances throughout the tiers to ensure each sub-contractor levels deep is compliant and is obligated to protect their crown jewels.  If CMMC is intended to establish a level of trust that any vendor certified at a Level 3 is compliant for data handling of CUI, they should not have to additionally qualify protection of export-controlled data.  However, they absolutely do care if the vendor has an accreditation boundary that supports ITAR and NOFORN natively.  These DIB may not accept the second company that is in any ole commercial cloud without native compliance.  After all, they themselves would not have gone to all the trouble and expense of using the ITAR compliant cloud if it’s not that important.

 

Conclusion: CUI Effectively Requires Data Sovereignty

 

Microsoft has prescribed the US Sovereign Cloud with Azure Government and Microsoft 365 GCC High to protect CUI and CDI consistently.  Our rationale is that CUI does include ITAR regulated data, and the DoD requires DFARS 7012 to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud.  It’s that simple.  It’s true that you may demonstrate compliance for CUI in our Commercial or GCC cloud offerings, but you will not get a contractual obligation from Microsoft to protect an aggregate of CUI anywhere else other than in the US Sovereign Cloud.  It will be your sole responsibility to prove and maintain compliance for it in other clouds.

 

 

Appendix

 

Please follow me here and on LinkedIn

 

Here are my additional blog articles:


 

Blog Title

Aka Link

Accelerating CMMC compliance for Microsoft cloud (in depth review)

https://aka.ms/CMMCResponse

Updated! Microsoft CMMC Acceleration Program Update – January 2021

http://aka.ms/CMMCAccelerationProgramUpdate

History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government

https://aka.ms/AA632wo

Gold Standard! Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings 

https://aka.ms/MSGovCompliance

The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In

https://aka.ms/AA6frar

Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants

https://aka.ms/AA6seih

Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants

https://aka.ms/AA6vf3n

Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring

https://aka.ms/AA6xn69

Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty (This One)

https://aka.ms/CUISovereignty

New! Microsoft expands qualification of contractors for government cloud offerings

https://aka.ms/GovCloudEligibility 

 

2 Comments
Frequent Visitor

@RichardWakeman - Great article as always! You do a great job of walking through some of the regulatory pieces that can be very complex at times.

 

A few points that I wanted to raise regarding ITAR data. As we have discussed on previous posts, in many instances ITAR data is authorized for use by non-US persons/companies under agreements or licenses. So while NOFORN may be the case for some data, there is a significant amount of ITAR data that is authorized for access by non-US persons. In addition, the updates to the ITAR earlier this year remove the explicit requirement for data to reside in the US if it meets certain criteria. The criteria being: 

(i) Unclassified; (ii) Secured using end-to-end encryption; (iii) Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128); (iv) Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of this subchapter or the Russian Federation; and (v) Not sent from a country proscribed in § 126.1 of this subchapter or the Russian Federation.

However, with that update, they also updated the definition of "release" to include providing "access information" to a foreign person. Previously if you could prove that there was no access, it was not considered a "release" (Microsoft's copious logging was great for this). Microsoft has always been forthcoming that there is no standing access to customer data by MS employees and access is only granted on a limited, time-bound basis when needed. If that is accurate, and a customer has Lockbox turned on in both O365 and Azure, then a "release" would not occur, even in a Commercial environment until a customer approves a lockbox request (pending the controlled data being in a service covered by Lockbox). Would you agree? 

 

One additional challenge that I have seen is around the "level" of export-controlled data that should be caught by the CUI tag. Technically, EAR99 data is "export-controlled" to embargoed countries or 9E991 data is "export-controlled" if going to a military end-user in China. That same data could be going to the Airbus A320 line in Tianjin and not be considered "export-controlled."

 

Due to this, I would agree with setting controls to the high watermark that you mention. However, this complicates the issue as to how to work efficiently across a multi-national organization in one of the sovereign environments. This is where some type of federation between Commercial and Gov would be very beneficial. If environments could be managed through a single window, and a single identity could be synced, that would open up some new architecture possibilities.   

 

Microsoft

Hi @Jonathan_Priganc Thank you for the feedback!  The key to protecting export controlled data is enabling End-to-End Encryption (E2EE) that prohibits unauthorized access where only intentional parties have access to decrypt and view the data in plain text.  You are correct there are valid scenarios where non-US persons may be authorized.  This is especially true for multi-national companies that may even have foreign site-based export control licenses.  It is common to give the non-US persons access to a tenant where CUI resides and ensure conditional access control policies enforce data protection appropriately.  There are even examples where customers are connecting from OCONUS locations and networks and still well within compliance.  After all, it is a shared responsibility model, such as ensuring the end-points are protected.

 

In the US Sovereign Cloud, Microsoft can offer an ITAR SLA as we may enforce that only authorized users (on our side) may ever access your data from CONUS-based locations and networks, such as offering Screened US Persons for support incidents where engineers are given access to your data (under your authority). 

 

It is possible to leverage compensating controls such as Customer Lockbox in Commercial to prevent non-US persons from having access to your data.  However, Customer Lockbox is not available in all services across Office 365, Azure, Dynamics 365, etc. and it does not infer a "screened" US Person (such as screening for the DDTC).  Ultimately, it's not a full-proof scheme across all Commercial Services.  In addition, not all services support E2EE with a customer-managed key.  Many do, but not all.  Thus, it becomes your responsibility to ensure the services you use support your compliance policies.  And for those that don't, you must leverage a client-based E2EE scheme that makes your data opaque to the CSP.  The risk of course, is that export controlled data may slip through the cracks. 

 

With the US Sovereign Cloud, the native support reduces the risk of the unintentional export happening at the CSP, as the added Customer Lockbox and E2EE is not strictly required.  Although, many customers still leverage Customer Lockbox there as well, for coverage of auditing and reporting requirements in NIST 800-171 and CMMC L3+.  And customers also leverage E2EE as well, especially for sharing scenarios where the data may leave the system boundary.

 

This all said, many customers have decided to implement their own compensating controls and find an acceptable amount of risk using Commercial or GCC.  And this is all in context of U.S. export controls.  Introduce Canadian CCG, UK Official-Sensitive, AU Protected, etc. etc. and your only choice may become compensating controls in Commercial Multi-Geo in order to use the cloud.  But that discussion is highly nuanced and contract-based agreements for cloud use.

%3CLINGO-SUB%20id%3D%22lingo-sub-1612416%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20US%20Sovereign%20Cloud%20Myth%20Busters%20-%20CUI%20Effectively%20Requires%20Data%20Sovereignty%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1612416%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F276160%22%20target%3D%22_blank%22%3E%40RichardWakeman%3C%2FA%3E%26nbsp%3B-%20Great%20article%20as%20always!%20You%20do%20a%20great%20job%20of%20walking%20through%20some%20of%20the%20regulatory%20pieces%20that%20can%20be%20very%20complex%20at%20times.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20few%20points%20that%20I%20wanted%20to%20raise%20regarding%20ITAR%20data.%20As%20we%20have%20discussed%20on%20previous%20posts%2C%20in%20many%20instances%20ITAR%20data%20is%20authorized%20for%20use%20by%20non-US%20persons%2Fcompanies%20under%20agreements%20or%20licenses.%20So%20while%20NOFORN%20may%20be%20the%20case%20for%20some%20data%2C%20there%20is%20a%20significant%20amount%20of%20ITAR%20data%20that%20is%20authorized%20for%20access%20by%20non-US%20persons.%20In%20addition%2C%20the%3CA%20href%3D%22https%3A%2F%2Fwww.federalregister.gov%2Fdocuments%2F2019%2F12%2F26%2F2019-27438%2Finternational-traffic-in-arms-regulations-creation-of-definition-of-activities-that-are-not-exports%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%20updates%20to%20the%20ITAR%20earlier%20this%20year%3C%2FA%3E%20remove%20the%20explicit%20requirement%20for%20data%20to%20reside%20in%20the%20US%20if%20it%20meets%20certain%20criteria.%20The%20criteria%20being%3A%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E(i)%20Unclassified%3B%20(ii)%20Secured%20using%20end-to-end%20encryption%3B%26nbsp%3B(iii)%20Secured%20using%20cryptographic%20modules%20(hardware%20or%20software)%20compliant%20with%20the%20Federal%20Information%20Processing%20Standards%20Publication%20140-2%20(FIPS%20140-2)%20or%20its%20successors%2C%20supplemented%20by%20software%20implementation%2C%20cryptographic%20key%20management%2C%20and%20other%20procedures%20and%20controls%20that%20are%20in%20accordance%20with%20guidance%20provided%20in%20current%20U.S.%20National%20Institute%20for%20Standards%20and%20Technology%20(NIST)%20publications%2C%20or%20by%20other%20cryptographic%20means%20that%20provide%20security%20strength%20that%20is%20at%20least%20comparable%20to%20the%20minimum%20128%20bits%20of%20security%20strength%20achieved%20by%20the%20Advanced%20Encryption%20Standard%20(AES-128)%3B%26nbsp%3B%3CSPAN%3E(iv)%20Not%20intentionally%20sent%20to%20a%20person%20in%20or%20stored%20in%20a%20country%20proscribed%20in%20%C2%A7%E2%80%89126.1%20of%20this%20subchapter%20or%20the%20Russian%20Federation%3B%20and%26nbsp%3B(v)%20Not%20sent%20from%20a%20country%20proscribed%20in%20%C2%A7%E2%80%89126.1%20of%20this%20subchapter%20or%20the%20Russian%20Federation.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CSPAN%3EHowever%2C%20with%20that%20update%2C%20they%20also%20updated%20the%20definition%20of%20%22release%22%20to%20include%20providing%20%22access%20information%22%20to%20a%20foreign%20person.%20Previously%20if%20you%20could%20prove%20that%20there%20was%20no%20access%2C%20it%20was%20not%20considered%20a%20%22release%22%20(Microsoft's%20copious%20logging%20was%20great%20for%20this).%20Microsoft%20has%20always%20been%20forthcoming%20that%20there%20is%20no%20standing%20access%20to%20customer%20data%20by%20MS%20employees%20and%20access%20is%20only%20granted%20on%20a%20limited%2C%20time-bound%20basis%20when%20needed.%20If%20that%20is%20accurate%2C%20and%20a%20customer%20has%20Lockbox%20turned%20on%20in%20both%20O365%20and%20Azure%2C%20then%20a%20%22release%22%20would%20not%20occur%2C%20even%20in%20a%20Commercial%20environment%20until%20a%20customer%20approves%20a%20lockbox%20request%20(pending%20the%20controlled%20data%20being%20in%20a%20service%20covered%20by%20Lockbox).%20Would%20you%20agree%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EOne%20additional%20challenge%20that%20I%20have%20seen%20is%20around%20the%20%22level%22%20of%20export-controlled%20data%20that%20should%20be%20caught%20by%20the%20CUI%20tag.%20Technically%2C%20EAR99%20data%20is%20%22export-controlled%22%20to%20embargoed%20countries%20or%209E991%20data%20is%20%22export-controlled%22%20if%20going%20to%20a%20military%20end-user%20in%20China.%20That%20same%20data%20could%20be%20going%20to%20the%20Airbus%20A320%20line%20in%20Tianjin%20and%20not%20be%20considered%20%22export-controlled.%22%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EDue%20to%20this%2C%20I%20would%20agree%20with%20setting%20controls%20to%20the%20high%20watermark%20that%20you%20mention.%20However%2C%20this%20complicates%20the%20issue%20as%20to%20how%20to%20work%20efficiently%20across%20a%20multi-national%20organization%20in%20one%20of%20the%20sovereign%20environments.%20This%20is%20where%20some%20type%20of%20federation%20between%20Commercial%20and%20Gov%20would%20be%20very%20beneficial.%20If%20environments%20could%20be%20managed%20through%20a%20single%20window%2C%20and%20a%20single%20identity%20could%20be%20synced%2C%20that%20would%20open%20up%20some%20new%20architecture%20possibilities.%26nbsp%3B%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1612475%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20US%20Sovereign%20Cloud%20Myth%20Busters%20-%20CUI%20Effectively%20Requires%20Data%20Sovereignty%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1612475%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F432242%22%20target%3D%22_blank%22%3E%40Jonathan_Priganc%3C%2FA%3E%26nbsp%3BThank%20you%20for%20the%20feedback!%26nbsp%3B%20The%20key%20to%20protecting%20export%20controlled%20data%20is%20enabling%20End-to-End%20Encryption%20(E2EE)%20that%20prohibits%20unauthorized%20access%20where%20only%20intentional%20parties%20have%20access%20to%20decrypt%20and%20view%20the%20data%20in%20plain%20text.%26nbsp%3B%20You%20are%20correct%20there%20are%20valid%20scenarios%20where%20non-US%20persons%20may%20be%20authorized.%26nbsp%3B%20This%20is%20especially%20true%20for%20multi-national%20companies%20that%20may%20even%20have%20foreign%20site-based%20export%20control%20licenses.%26nbsp%3B%20It%20is%20common%20to%20give%20the%20non-US%20persons%20access%20to%20a%20tenant%20where%20CUI%20resides%20and%20ensure%20conditional%20access%20control%20policies%20enforce%20data%20protection%20appropriately.%26nbsp%3B%20There%20are%20even%20examples%20where%20customers%20are%20connecting%20from%20OCONUS%20locations%20and%20networks%20and%20still%20well%20within%20compliance.%26nbsp%3B%20After%20all%2C%20it%20is%20a%20shared%20responsibility%20model%2C%20such%20as%20ensuring%20the%20end-points%20are%20protected.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20US%20Sovereign%20Cloud%2C%20Microsoft%20can%20offer%20an%20ITAR%20SLA%20as%20we%20may%20enforce%20that%20only%20authorized%20users%20(on%20our%20side)%20may%20ever%20access%20your%20data%20from%20CONUS-based%20locations%20and%20networks%2C%20such%20as%20offering%20Screened%20US%20Persons%20for%20support%20incidents%20where%20engineers%20are%20given%20access%20to%20your%20data%20(under%20your%20authority).%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20is%20possible%20to%20leverage%20compensating%20controls%20such%20as%20Customer%20Lockbox%20in%20Commercial%20to%20prevent%20non-US%20persons%20from%20having%20access%20to%20your%20data.%26nbsp%3B%20However%2C%20Customer%20Lockbox%20is%20not%20available%20in%20all%20services%20across%20Office%20365%2C%20Azure%2C%20Dynamics%20365%2C%20etc.%20and%20it%20does%20not%20infer%20a%20%22screened%22%20US%20Person%20(such%20as%20screening%20for%20the%20DDTC).%26nbsp%3B%20Ultimately%2C%20it's%20not%20a%20full-proof%20scheme%20across%20all%20Commercial%20Services.%26nbsp%3B%20In%20addition%2C%20not%20all%20services%20support%20E2EE%20with%20a%20customer-managed%20key.%26nbsp%3B%20Many%20do%2C%20but%20not%20all.%26nbsp%3B%20Thus%2C%20it%20becomes%20your%20responsibility%20to%20ensure%20the%20services%20you%20use%20support%20your%20compliance%20policies.%26nbsp%3B%20And%20for%20those%20that%20don't%2C%20you%20must%20leverage%20a%20client-based%20E2EE%20scheme%20that%20makes%20your%20data%20opaque%20to%20the%20CSP.%26nbsp%3B%20The%20risk%20of%20course%2C%20is%20that%20export%20controlled%20data%20may%20slip%20through%20the%20cracks.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20the%20US%20Sovereign%20Cloud%2C%20the%20native%20support%20reduces%20the%20risk%20of%20the%20unintentional%20export%20happening%20at%20the%20CSP%2C%20as%20the%20added%20Customer%20Lockbox%20and%20E2EE%20is%20not%20strictly%20required.%26nbsp%3B%20Although%2C%20many%20customers%20still%20leverage%20Customer%20Lockbox%20there%20as%20well%2C%20for%20coverage%20of%20auditing%20and%20reporting%20requirements%20in%20NIST%20800-171%20and%20CMMC%20L3%2B.%26nbsp%3B%20And%20customers%20also%20leverage%20E2EE%20as%20well%2C%20especially%20for%20sharing%20scenarios%20where%20the%20data%20may%20leave%20the%20system%20boundary.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20all%20said%2C%20many%20customers%20have%20decided%20to%20implement%20their%20own%20compensating%20controls%20and%20find%20an%20acceptable%20amount%20of%20risk%20using%20Commercial%20or%20GCC.%26nbsp%3B%20And%20this%20is%20all%20in%20context%20of%20U.S.%20export%20controls.%26nbsp%3B%20Introduce%20Canadian%20CCG%2C%20UK%20Official-Sensitive%2C%20AU%20Protected%2C%20etc.%20etc.%20and%20your%20only%20choice%20may%20become%20compensating%20controls%20in%20Commercial%20Multi-Geo%20in%20order%20to%20use%20the%20cloud.%26nbsp%3B%20But%20that%20discussion%20is%20highly%20nuanced%20and%20contract-based%20agreements%20for%20cloud%20use.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1597726%22%20slang%3D%22en-US%22%3EMicrosoft%20US%20Sovereign%20Cloud%20Myth%20Busters%20-%20CUI%20Effectively%20Requires%20Data%20Sovereignty%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1597726%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20article%20is%20the%20fourth%20of%20a%20series%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FPublic-Sector-Blog%2Fbg-p%2FPublicSectorBlog%22%20target%3D%22_blank%22%3EMicrosoft%20Tech%20Community%20Public%20Sector%20Blog%3C%2FA%3E%20that%20explores%20myths%20of%20deploying%20Microsoft%20Cloud%20Services%20into%20the%20*US%20Sovereign%20Cloud%20with%20Azure%20Government%20and%20Microsoft%20365%20Government%20(GCC%20High).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20will%20focus%20on%20the%20myth%20that%20Controlled%20Unclassified%20Information%20(CUI)%20does%20not%20require%20data%20sovereignty.%26nbsp%3B%20This%20article%20is%20written%20through%20the%20lens%20of%20requirements%20to%20protect%20CUI%20in%20the%20context%20of%20the%20U.S.%20Department%20of%20Defense%20for%20national%20security%2C%20such%20as%20in%20alignment%20with%20the%20Defense%20Industrial%20Base%20(DIB)%20and%20the%20Cybersecurity%20Maturity%20Model%20Certification%20(CMMC).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1293422695%22%20id%3D%22toc-hId--1293422695%22%3EExecutive%20Summary%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20has%20prescribed%20the%20*US%20Sovereign%20Cloud%20with%20Azure%20Government%20and%26nbsp%3BMicrosoft%20365%20Government%20(GCC%20High)%20to%20protect%20Controlled%20Unclassified%20Information%20(CUI)%20and%20Covered%20Defense%20Information%20(CDI)%20consistently.%26nbsp%3B%20Our%20rationale%20is%20that%20CUI%20includes%20International%20Traffic%20in%20Arms%20Regulation%20(ITAR)%20regulated%20data%2C%20and%20the%20U.S.%20Department%20of%20Defense%20(DoD)%20requires%20Defense%20Federal%20Acquisition%20Regulation%20Supplement%20clause%20252.204-7012%20(DFARS%207012)%20to%20protect%20it.%26nbsp%3B%20We%20only%20accommodate%20that%20contractually%20across%20Azure%2C%20Office%20365%2C%20and%20Dynamics%20365%20in%20the%20US%20Sovereign%20Cloud%2C%20built%20in%20a%20fully%20isolated%20environment%20that%20is%20both%20physically%20and%20logically%20separated.%26nbsp%3B%20All%20services%20in%20the%20US%20Sovereign%20Cloud%20are%20contained%20within%20an%20accreditation%20boundary%20supporting%20US%20Export%20Controls%20requiring%20screened%20US%20persons%20and%20data%20sovereignty%20in%20the%20Continental%20United%20States%20(CONUS).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%20lia-align-center%22%3E%3CEM%3E*For%20more%20information%20on%20the%20US%20Sovereign%20Cloud%2C%20please%20refer%20to%20the%20%3C%2FEM%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FPublic-Sector-Blog%2FUnderstanding-Compliance-Between-Microsoft-365-Commercial-GCC%2Fba-p%2F718445%22%20target%3D%22_blank%22%3E%3CEM%3EUnderstanding%20Compliance%20Between%20Microsoft%20365%20Commercial%2C%20GCC%2C%20GCC-High%20and%20DoD%20Offerings%3C%2FEM%3E%3C%2FA%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1194090138%22%20id%3D%22toc-hId-1194090138%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--613364325%22%20id%3D%22toc-hId--613364325%22%3EPreface%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20only%20I%20had%20a%20quarter%20for%20every%20time%20I%E2%80%99ve%20had%20to%20explain%20why%20we%20have%20a%20%E2%80%9CMaybe%E2%80%9D%20for%20CUI%20and%20CDI%20in%20clouds%20other%20than%20the%20US%20Sovereign%20Cloud.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOur%20mantra%20is%20clear.%26nbsp%3B%20I%20quote%20this%20from%20the%20compliance%20Jedi%20Master%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F339247%22%20target%3D%22_blank%22%3E%40Shawn_Veney%3C%2FA%3E%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-center%20lia-indent-padding-left-30px%22%3E%E2%80%9C%3CEM%3EIf%20you%20find%20your%20organization%20manages%20so%20many%20types%20of%20CUI%2C%20and%20is%20perhaps%20thinking%20of%20taking%20on%20new%20work%20and%20adding%20to%20that%20challenge%3B%20then%20sometimes%20it%20is%20easier%20to%20adopt%20a%20high%20watermark%20strategy%20to%20accomplish%20your%20data%20protection%20goals.%20This%20trade%20off%20recognizes%20that%20your%20solution%20may%20exceed%20requirements%20for%20a%20specific%20type%20of%20data%3B%20but%20provides%20confidence%20you%20likely%20have%20addressed%20your%20aggregate%20requirements.%20This%20is%20ideal%20when%20your%20internal%20classification%20and%20marking%20efforts%20may%20not%20be%20where%20you%20would%20like%20them%20yet.%3C%2FEM%3E%E2%80%9D%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-center%20lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThroughout%20this%20article%2C%20I%20will%20explain%20why%20we%20have%20a%20definitive%20%E2%80%9CYes%E2%80%9D%20for%20CUI%20and%20CDI%20in%20the%20US%20Sovereign%20Cloud.%26nbsp%3B%20In%20what%20will%20be%20one%20of%20my%20most%20hotly%20contested%20articles%20to%20date%2C%20this%20is%20intended%20to%20spark%20a%20debate%20on%20how%20CUI%20data%20protection%20practices%20apply%20holistically.%26nbsp%3B%20I%20intend%20to%20keep%20this%20initial%20argument%20high%20level%2C%20as%20there%20are%20a%20million%20nuances%20that%20may%20be%20deliberated%20indefinitely.%26nbsp%3B%20That%20said%2C%20the%20%E2%80%9Cthesis%E2%80%9D%20of%20this%20article%20should%20be%20debated%20passionately%20as%20an%20industry.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20the%20end%20of%20the%20day%2C%20Microsoft%20offers%20multiple%20clouds%20from%20Commercial%20to%20GCC%20to%20GCC%20High%20to%20DoD%20and%20even%20to%20Azure%20Government%20Secret.%26nbsp%3B%20In%20other%20words%2C%20we%20can%20satisfy%20many%20risk%20profiles%20and%20offer%20you%20a%20cloud%20that%20best%20aligns%20with%20your%20organization%E2%80%99s%20risk%20posture.%26nbsp%3B%20We%20will%20not%20police%20you%2C%20nor%20will%20we%20demand%20you%20choose%20one%20cloud%20over%20another.%26nbsp%3B%20We%20will%20be%20very%20clear%20on%20where%20we%20provide%20contractual%20obligations.%26nbsp%3B%20Hence%20why%20we%20are%20only%20confident%20in%20saying%20%E2%80%9CYes%E2%80%9D%20to%20CUI%20in%20the%20US%20Sovereign%20Cloud.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1874148508%22%20id%3D%22toc-hId-1874148508%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-66694045%22%20id%3D%22toc-hId-66694045%22%3ESummary%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20CUI%20Program%20is%20an%20ever-evolving%20initiative%20to%20standardize%20the%20markings%20and%20data%20protection%20practices%20across%20Federal%20agencies%20to%20facilitate%20sharing%20of%20sensitive%20information%2C%20transcending%20individual%20agencies.%26nbsp%3B%20CUI%20includes%20markings%20that%20span%20many%20categories%20and%20groupings.%26nbsp%3B%20The%20groupings%20consist%20of%20everything%20from%20Financial%20and%20Privacy%20data%2C%20all%20the%20way%20up%20to%20Export%20Controlled%20and%20Intelligence%20data.%26nbsp%3B%20Individual%20agencies%20have%20their%20own%20requirements%20for%20CUI%2C%20resulting%20in%20additional%20rules%20that%20govern%20the%20data%20protection%20practices%20of%20CUI.%26nbsp%3B%20For%20example%2C%20the%20DoD%20defines%20standards%20in%20the%20Cloud%20Computing%20(CC)%20Security%20Requirements%20Guide%20(SRG)%2C%20in%20DFARS%207012%2C%20and%20in%20the%20Cybersecurity%20Maturity%20Model%20Certification%20(CMMC)%20to%20protect%20CUI.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECUI%20is%20defined%20by%20a%20program%20that%20includes%20all%20categories%20under%20a%20single%20umbrella.%26nbsp%3B%20Not%20all%20CUI%20markings%20are%20protected%20precisely%20the%20same%20way.%26nbsp%3B%20However%2C%20it%20can%20be%20untenable%20to%20discern%20the%20various%20restrictions%20for%20CUI%20given%20consolidated%20language%20used%20by%20standards%20and%20regulations.%26nbsp%3B%20In%20addition%2C%20the%20complicated%20array%20of%20markings%20are%20often%20not%20applied%20effectively.%26nbsp%3B%20As%20a%20result%2C%20the%20reduced%20risk%20data%20protection%20strategy%20is%20to%20opt%20for%20the%20highest%20watermark%20possible%20for%20protection%20of%20CUI%2C%20rather%20than%20risk%20it%20by%20adopting%20a%20lower%20control%20set.%26nbsp%3B%20CUI%20has%20export-controlled%20data%20as%20a%20common%20high%20watermark%2C%20to%20include%20ITAR%20regulated%20data.%26nbsp%3B%20ITAR%20has%20a%20data%20sovereignty%20requirement.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20other%20words%2C%20CUI%20%3CEM%3E%3CU%3Eeffectively%3C%2FU%3E%3C%2FEM%3E%20requires%20data%20sovereignty.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1740760418%22%20id%3D%22toc-hId--1740760418%22%3EWhat%20is%20Controlled%20Unclassified%20Information%3F%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20have%20not%20read%20the%20CUI%20History%20from%20the%20National%20Archives%20and%20Records%20Administration%20(NARA)%2C%20I%20highly%20recommend%20it.%26nbsp%3B%20It%E2%80%99s%20a%20short%20read%2C%20and%20helpful%20for%20context.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.archives.gov%2Fcui%2Fcui-history%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.archives.gov%2Fcui%2Fcui-history%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20summarize%2C%20before%20the%20advent%20of%20CUI%2C%20there%20were%20a%20myriad%20of%20autonomous%20Federal%20agencies%20and%20departments%20that%20had%20each%20developed%20its%20own%20practices%20for%20protecting%20sensitive%20information.%26nbsp%3B%20This%20non-conformity%20made%20it%20extremely%20difficult%20to%20share%20information%20with%20transparency%20throughout%20the%20Federal%20government%20and%20its%20stakeholders%2C%20such%20as%20the%20Defense%20Industrial%20Base%20(DIB).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20CUI%20program%20is%20an%20ever-evolving%20initiative%20to%20standardize%20the%20markings%20and%20data%20protection%20practices%20across%20Federal%20agencies%20to%20facilitate%20sharing%20of%20sensitive%20information%2C%20transcending%20individual%20agencies.%26nbsp%3B%20Ultimately%2C%20NARA%20oversees%20the%20CUI%20Program%20and%20is%20primarily%20scoped%20to%20the%20Federal%20executive%20branch%20agencies.%26nbsp%3B%20Major%20contributors%20to%20the%20program%20include%20the%20DoD%2C%20the%20Department%20of%20Energy%20(DoE)%2C%20the%20Department%20of%20Homeland%20Security%20(DHS)%2C%20the%20Department%20of%20State%20(DoS)%2C%20etc.%26nbsp%3B%20NARA%20%3CA%20href%3D%22https%3A%2F%2Fwww.archives.gov%2Fcui%2Fabout%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Edefines%20CUI%3C%2FA%3E%20as%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-center%20lia-indent-padding-left-30px%22%3E%E2%80%9C%3CEM%3EControlled%20Unclassified%20Information%20(CUI)%20is%20information%20that%20requires%20safeguarding%20or%20dissemination%20controls%20pursuant%20to%20and%20consistent%20with%20applicable%20law%2C%20regulations%2C%20and%20government-wide%20policies%20but%20is%20not%20classified%20under%20Executive%20Order%2013526%20or%20the%20Atomic%20Energy%20Act%2C%20as%20amended.%3C%2FEM%3E%E2%80%9D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPresidential%20executive%20orders%20evolved%20to%20a%20rule%20published%20in%202016%20called%20%E2%80%9C32%20CFR%20Part%202002%20Controlled%20Unclassified%20Information%E2%80%9D.%26nbsp%3B%20You%20can%20read%20about%20it%20here%20in%20the%20Federal%20Register%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.federalregister.gov%2Fdocuments%2F2016%2F09%2F14%2F2016-21665%2Fcontrolled-unclassified-information%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.federalregister.gov%2Fdocuments%2F2016%2F09%2F14%2F2016-21665%2Fcontrolled-unclassified-information%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E32%20CFR%20Part%202002%20prescribes%20the%20CUI%20Program%20markings%20that%20span%20many%20categories%20and%20groupings.%26nbsp%3B%20The%20groupings%20consist%20of%20everything%20from%20Financial%20and%20Privacy%20data%2C%20all%20the%20way%20up%20to%20Export%20Controlled%20and%20Intelligence%20data.%26nbsp%3B%20You%20can%20find%20the%20list%20here%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CA%20href%3D%22https%3A%2F%2Fwww.archives.gov%2Fcui%2Fregistry%2Fcategory-marking-list%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.archives.gov%2Fcui%2Fregistry%2Fcategory-marking-list%3C%2FA%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22CUI%20Registry.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F213234i623EE92554920C28%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22CUI%20Registry.png%22%20alt%3D%22CUI%20Registry.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EIllustration%201%3A%20Microsoft%20Summary%20CUI%20Registry%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-746752415%22%20id%3D%22toc-hId-746752415%22%3EIs%20All%20CUI%20the%20Same%3F%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20goes%20without%20saying%20that%20each%20of%20the%20Federal%20executive%20branch%20agencies%20have%20had%20their%20own%20requirements%20for%20CUI%2C%20resulting%20in%20additional%20rules%20that%20govern%20the%20data%20protection%20practices%20of%20CUI.%26nbsp%3B%20For%20example%2C%20the%20DoD%20defines%20data%20protection%20standards%20in%20the%20DoD%20CC%20SRG%2C%20DFARS%207012%2C%20and%20in%20the%20CMMC%20to%20protect%20CUI.%20%26nbsp%3BThus%2C%20there%20does%20remain%20a%20level%20of%20autonomy%20from%20NARA.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20example%2C%20the%20DoD%20recently%20released%20%3CA%20href%3D%22https%3A%2F%2Fwww.esd.whs.mil%2FPortals%2F54%2FDocuments%2FDD%2Fissuances%2Fdodi%2F520048p.PDF%3Fver%3D2020-03-06-100640-800%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EDOD%20Instruction%205200.48%3C%2FA%3E%20establishing%20policies%2C%20responsibilities%2C%20and%20procedures%20for%20CUI.%26nbsp%3B%20It%20includes%20a%20%E2%80%9CDOD%20CUI%20repository%E2%80%9D%20not%20accessible%20by%20the%20public.%26nbsp%3B%20It%20is%20intended%20to%20address%20inconsistent%20definition%20and%20marking%20requirements%20specific%20to%20the%20DoD%20expanding%20what%20is%20outlined%20in%2032%20CFR%20Part%202002.%26nbsp%3B%20The%20DoD%20CUI%20Registry%20outlines%20an%20official%20list%20of%20Indexes%20and%20Categories%20to%20identify%20CUI%2C%20clarifying%20what%20has%20been%20a%20common%20source%20of%20confusion.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%2C%20there%20are%20multiple%20regulations%20that%20govern%20specific%20categories%20of%20CUI.%26nbsp%3B%20For%20example%2C%20export-controlled%20categories%20may%20be%20regulated%20by%20ITAR%20administered%20by%20the%20Department%20of%20State%20Directorate%20of%20Defense%20Trade%20Controls%20(DDTC)%2C%20or%20by%20EAR%20administered%20by%20the%20Department%20of%20Commerce%E2%80%99s%20Bureau%20of%20Industry%20and%20Security%20(BIS).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20other%20words%2C%20while%20%E2%80%9CCUI%E2%80%9D%20is%20defined%20by%20a%20standardized%20program%20of%20markings%20and%20data%20protection%20practices%2C%20not%20all%20CUI%20is%20the%20same.%26nbsp%3B%20Some%20CUI%20categories%20may%20generally%20fall%20into%20the%20bucket%20of%20Personally%20Identifying%20Information%20(PII)%2C%20such%20as%20Privacy.%26nbsp%3B%20Mishandling%20of%20other%20categories%20may%20earn%20you%20an%20orange%20jump%20suit%2C%20such%20as%20spilling%20ITAR%20regulated%20data%20to%20an%20unauthorized%20foreign%20state%20actor.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20answer%20the%20question%2C%20%E2%80%9CIs%20All%20CUI%20the%20Same%3F%E2%80%9D%26nbsp%3B%20Conclusively%20No.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1060702048%22%20id%3D%22toc-hId--1060702048%22%3EIs%20All%20CUI%20Protected%20the%20Same%20Way%3F%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESince%20all%20CUI%20is%20not%20the%20same%2C%20certainly%20not%20all%20categories%20of%20CUI%20are%20protected%20precisely%20the%20same%20way.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithout%20going%20into%20analysis%20paralysis%20on%20topics%20such%20as%20CUI%20Basic%20versus%20CUI%20Specified%20groups%2C%20there%20is%20a%20statement%20that%20jumped%20out%20at%20me%20in%2032%20CFR%20Part%202002%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%20lia-align-center%22%3E%3CEM%3E%22We%20understand%20the%20concerns%20raised%20in%20these%20comments%20and%20agree%20that%20the%20penalties%20and%20consequences%20for%20failing%20to%20adequately%20protect%20CUI%20of%20some%20types%20may%20differ%20significantly%20from%20failure%20to%20protect%20CUI%20of%20other%20types.%20That%20being%20said%2C%20we%20cannot%20adjust%20the%20definition%20of%20CUI%20to%20exclude%20export%20controlled%20or%20other%20protected%20information%3B%20the%20Executive%20Order's%20definition%20of%20CUI%20is%20clear%20and%20%3CSTRONG%3E%3CU%3Eincludes%20all%3C%2FU%3E%3C%2FSTRONG%3E%20unclassified%20information%20that%20laws%2C%20regulations%2C%20and%20Government-wide%20policies%20require%20to%20have%20safeguarding%20or%20dissemination%20controls.%22%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhile%20we%20may%20agree%20that%20not%20all%20CUI%20is%20the%20same%2C%20there%20is%20a%20consensus%20that%20all%20CUI%20is%20defined%20by%20a%20program%20that%20includes%20all%20categories%20under%20a%20single%20umbrella.%26nbsp%3B%20So%20the%20question%20is%2C%20how%20do%20you%20differentiate%20between%20CUI%20that%20is%20sensitive%20such%20as%20Privacy%20categories%2C%20versus%20those%20with%20damaging%20national%20security%20concerns%2C%20such%20as%20export-controlled%20data%3F%26nbsp%3B%20It%E2%80%99s%20all%20CUI%2C%20right%3F%26nbsp%3B%20Another%20way%20to%20ask%20the%20question%20is%2C%20how%20do%20you%20discern%20the%20various%20restrictions%20for%20CUI%20given%20the%20complicated%20array%20of%20markings%20that%20are%20not%20often%20applied%20effectively%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20of%20you%20reading%20this%2C%20especially%20the%20compliance%20authorities%20out%20there%2C%20are%20thinking%20%E2%80%9C%3CEM%3Eyes%2C%20it%E2%80%99s%20all%20CUI%3C%2FEM%3E%E2%80%9D%20but%20%E2%80%9C%3CEM%3Eno%2C%20not%20all%20CUI%20is%20protected%20the%20same%20way%3C%2FEM%3E%E2%80%9D.%26nbsp%3B%20Technically%2C%20you%20are%20right.%26nbsp%3B%20However%2C%20I%E2%80%99ve%20talked%20to%20hundreds%20of%20organizations%20out%20there%20ranging%20from%20the%20DoD%2C%20to%20the%20DIB%2C%20the%20FFRDCs%20(Federally%20Funded%20Research%20and%20Development%20Centers)%2C%20the%20UARCs%20(University%20Affiliated%20Research%20Centers)%2C%20and%20beyond.%26nbsp%3B%20I%20honestly%20do%20not%20hear%20anyone%20differentiating%20categories%20of%20CUI%20for%20purposes%20of%20maintaining%20compliance%20with%20individual%20markings.%26nbsp%3B%20When%20they%20say%20%E2%80%9CCUI%E2%80%9D%2C%20they%20are%20aggregating%20all%20categories%20together%20in%20a%20comprehensive%20fashion%2C%20not%20unlike%20what%20is%20described%20in%2032%20CFR%20Part%202002%20above.%26nbsp%3B%20In%20addition%2C%20most%20recognize%20CUI%20markings%20are%20not%20applied%20consistently%20and%20marking%20efforts%20may%20not%20be%20where%20they%20would%20like%20them%20yet.%26nbsp%3B%20In%20other%20words%2C%20they%20have%20not%20located%20all%20CUI%20stored%20in%20their%20enterprise%20information%20systems.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20another%20example%20from%20the%20Cybersecurity%20Maturity%20Model%20Certification%20(CMMC).%26nbsp%3B%20CMMC%20defines%20five%20Levels%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ELevel%201%3A%20Safeguard%20Federal%20Contract%20Information%20(FCI)%3C%2FLI%3E%0A%3CLI%3ELevel%202%3A%20Serve%20as%20transition%20step%20in%20cybersecurity%20maturity%20progression%20to%20protect%20CUI%3C%2FLI%3E%0A%3CLI%3ELevel%203%3A%20Protect%20Controlled%20Unclassified%20Information%20(CUI)%3C%2FLI%3E%0A%3CLI%3ELevels%204-5%3A%20Protect%20CUI%20and%20reduce%20risk%20of%20Advanced%20Persistent%20Threads%20(APTs)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDoes%20anything%20jump%20out%20at%20you%3F%26nbsp%3B%20It%E2%80%99s%20%3CEM%3E%3CU%3ENOT%3C%2FU%3E%3C%2FEM%3E%20this%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ELevel%203%3A%20Protect%20Controlled%20Unclassified%20Information%20(CUI)%20%3CEM%3E%3CU%3Eof%20the%20non-export-controlled%20categories%3C%2FU%3E%3C%2FEM%3E%3C%2FLI%3E%0A%3CLI%3ELevels%204-5%3A%20Protect%20CUI%20%3CEM%3E%3CU%3Eincluding%20export-controlled%20categories%3C%2FU%3E%3C%2FEM%3E%20and%20reduce%20risk%20of%20Advanced%20Persistent%20Threats%20(APTs)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhy%3F%26nbsp%3B%20CMMC%20Levels%203-5%20are%20intended%20to%20protect%20all%20CUI.%26nbsp%3B%20Period.%26nbsp%3B%20CMMC%20does%20not%20attempt%20to%20differentiate%20CUI%20that%20is%20export-controlled%20versus%20CUI%20that%20is%20not.%26nbsp%3B%20If%20you%20delve%20into%20the%20CMMC%20Model%20Appendices%2C%20you%20will%20find%20many%20references%20to%20CUI%2C%20none%20of%20which%20qualify%20what%20categories%20of%20CUI%20are%20in%20scope%20per%20Practice%20or%20Process.%26nbsp%3B%20All%20categories%20are%20in%20scope%20for%20all%20Practices%20and%20Processes%20in%20CMMC%20Levels%203-5.%26nbsp%3B%20In%20fact%2C%20if%20you%20search%20for%20%E2%80%9Cexport%E2%80%9D%2C%20you%20will%20find%20many%20references%2C%20especially%20in%20alignment%20with%20the%20NIST%20SP%20800-171.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAssuming%20you%20conclude%20that%20CMMC%20is%20intended%20to%20protect%20CUI%20regardless%20of%20category%2C%20you%20may%20also%20conclude%20export-controlled%20data%2C%20and%20specifically%20ITAR%20data%20is%20a%20common%20high%20watermark%20for%20compliance.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20article%20is%20%3CEM%3E%3CU%3Enot%3C%2FU%3E%3C%2FEM%3E%20about%20how%20to%20become%20CMMC%20compliant.%26nbsp%3B%20This%20article%20is%20specifically%20focused%20on%20CUI.%26nbsp%3B%20However%2C%20there%20is%20something%20to%20be%20said%20about%20the%20stated%20requirements%20for%20a%20CMMC%20Certified%20Third-Party%20Assessor%20Organization%20(C3PAO)%20that%20uses%20an%20external%20cloud%20service%20provider%20to%20store%2C%20process%2C%20or%20transmit%20CUI.%26nbsp%3B%20This%20is%20quoted%20from%20the%20CMMC%20Accreditation%20Body%20(CMMC%20AB)%20%3CA%20href%3D%22https%3A%2F%2Fwww.cmmcab.org%2Fc3pao-lp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ewebsite%3C%2FA%3E%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%20lia-align-center%22%3E%E2%80%9C%3CEM%3Ethe%20C3PAO%20shall%20require%20and%20ensure%20that%20the%20cloud%20service%20provider%20meets%20security%20requirements%20equivalent%20to%20those%20established%20by%20the%20Government%20for%20the%20Federal%20Risk%20and%20Authorization%20Management%20Program%20(FedRAMP)%20High%20baseline%20and%20in%20particular%2C%20Impact%20Level%20(IL4)%3C%2FEM%3E%E2%80%9D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20the%20cloud%20service%20provider%20is%20not%20DoD%20CC%20SRG%20IL4%20authorized%2C%20it%20becomes%20the%20responsibility%20of%20the%20C3PAO%20to%20provide%20an%20independent%20assessment%20to%20address%20the%20gaps%20to%20become%20compliant.%26nbsp%3B%20Most%20CSPs%20will%20not%20allow%20ad-hoc%20third%20parties%20to%20perform%20assessments%20on%20their%20data%20centers.%26nbsp%3B%20Even%20if%20they%20did%20allow%20an%20assessment%2C%20it%20is%20untenable%20to%20make%20the%20commercial%20CSP%20compliant%20with%20FedRAMP%20and%20IL4%20without%20significant%20engineering%20efforts%20by%20the%20CSP.%20Trust%20me%2C%20we%20would%20not%20have%20invested%20an%20extraordinary%20amount%20to%20build%20the%20US%20Sovereign%20Cloud%20if%20we%20could%20have%20simply%20pulled%20it%20off%20in%20Commercial%20with%20a%20few%20compensating%20controls.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20point%20is%2C%20this%20CMMC%20AB%20requirement%20for%20FedRAMP%20High%20and%20IL4%20to%20protect%20CUI%20does%20not%20qualify%20what%20categories%20of%20CUI%20are%20in%20scope.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%20lia-align-justify%22%3E%3CSTRONG%3ESidebar%3C%2FSTRONG%3E%3A%20The%20language%20of%20requiring%20an%20IL4%20cloud%20is%20nuanced%20when%20applied%20to%20the%20DIB%20and%20with%20C3PAOs%2C%20as%20IL4%20only%20applies%20to%20Federal%20information%20systems.%26nbsp%3B%20IL4%20is%20not%20an%20authorization%20the%20DoD%20will%20provide%20to%20a%20non-Federal%20entity%2C%20nor%20is%20it%20for%20a%20CSP%20cloud%20environment%20not%20in%20use%20directly%20by%20the%20DoD.%26nbsp%3B%20DFARS%207012%20is%20what%20applies%20to%20non-Federal%20information%20systems.%20I%20am%20assuming%20the%20intent%20is%20to%20drive%20the%20selection%20of%20a%20cloud%20that%20has%20been%20authorized%20by%20the%20DoD%2C%20as%20opposed%20to%20a%20cloud%20that%20is%20only%20authorized%20with%20FedRAMP.%26nbsp%3B%20For%20example%2C%20Microsoft%20Azure%20Government%20has%20a%20Provisional%20Authorization%20for%20DoD%20CC%20SRG%20IL4%2C%20with%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-government%2Fcompliance%2Fazure-services-in-fedramp-auditscope%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Emany%20services%20now%20at%20IL5%3C%2FA%3E.%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESpeaking%20of%20IL4%2C%20read%20this%20excerpt%20from%20DoD%20CC%20SRG%203.2.4%20Level%204%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%20lia-align-center%22%3E%E2%80%9C%3CEM%3ECUI%20contains%20a%20number%20of%20categories%2C%20including%2C%20but%20not%20limited%20to%20the%20following%3A%20%E2%80%A2%20Export%20Controlled--Unclassified%20information%20concerning%20items%2C%20commodities%2C%20technology%2C%20software%2C%20or%20other%20information%20whose%20export%20could%20reasonably%20be%20expected%20to%20adversely%20affect%20the%20United%20States%20national%20security%20and%20nonproliferation%20objectives.%3C%2FEM%3E%E2%80%9D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20goes%20on%20to%20define%20the%20specific%20requirements%20for%20ITAR.%26nbsp%3B%20In%20this%20case%2C%20IL4%20is%20specifically%20placing%20an%20emphasis%20on%20CUI%20to%20explicitly%20scope%20in%20export-controlled%20data%20and%20how%20to%20protect%20it.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20class%3D%22lia-align-justify%20lia-indent-padding-left-30px%22%3E%3CSTRONG%3EThesis%3C%2FSTRONG%3E%3A%26nbsp%3B%20Not%20all%20CUI%20markings%20are%20protected%20precisely%20the%20same%20way.%26nbsp%3B%20However%2C%20it%20can%20be%20untenable%20to%20discern%20the%20various%20restrictions%20for%20CUI%20given%20consolidated%20language%20used%20by%20standards%20and%20regulations.%26nbsp%3B%20In%20addition%2C%20the%20complicated%20array%20of%20markings%20are%20often%20not%20applied%20effectively.%26nbsp%3B%20As%20a%20result%2C%20the%20reduced%20risk%20data%20protection%20strategy%20is%20to%20opt%20for%20the%20highest%20watermark%20possible%20for%20protection%20of%20CUI%2C%20rather%20than%20risk%20it%20by%20adopting%20a%20lower%20control%20set.%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1426810785%22%20id%3D%22toc-hId-1426810785%22%3EDoes%20All%20CUI%20Have%20a%20NOFORN%20Requirement%3F%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnother%20way%20to%20describe%20data%20sovereignty%2C%20is%20what%20may%20be%20referred%20to%20as%20%E2%80%9CNOFORN%22.%26nbsp%3B%20NOFORN%20stands%20for%20%E2%80%9C%3CU%3ENO%3C%2FU%3E%20%3CU%3EFOR%3C%2FU%3Eeign%20%3CU%3EN%3C%2FU%3Eationals%E2%80%9D.%26nbsp%3B%20In%20other%20words%2C%20NOFORN%20applies%20to%20sensitive%20data%20that%20is%20not%20releasable%20to%20foreign%20nationals%2C%20governments%2C%20nor%20non-US%20persons.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20led%20this%20article%20clearly%20stating%20not%20all%20CUI%20requires%20similar%20handling%2C%20such%20as%20a%20NOFORN%20requirement.%26nbsp%3B%20However%2C%20is%20it%20that%20simple%3F%26nbsp%3B%20The%20above%20conclusion%20is%20that%20CUI%20has%20export-controlled%20data%20as%20a%20common%20high%20watermark%20of%20data%20protection%20practices%2C%20to%20include%20ITAR%20regulated%20data.%26nbsp%3B%20ITAR%20has%20a%20NOFORN%20requirement.%26nbsp%3B%20Since%20ITAR%20is%20a%20high%20bar%20for%20compliance%2C%20it%20comes%20along%20with%20a%20stringent%20set%20of%20requirements%20for%20data%20sovereignty.%20Using%20that%20logic%2C%20CUI%20in%20aggregate%20does%20have%20an%20%3CEM%3E%3CU%3Eeffective%3C%2FU%3E%3C%2FEM%3E%20NOFORN%20requirement.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAllow%20me%20to%20pull%20on%20that%20string%20a%20bit.%26nbsp%3B%20I%E2%80%99ve%20heard%20a%20very%20clear%20decree%20that%20any%20company%20certified%20at%20a%20CMMC%20Level%203%20or%20above%2C%20is%20trusted%20for%20data%20handling%20of%20%E2%80%9CCUI%E2%80%9D.%26nbsp%3B%20I%20have%20not%20seen%20any%20additional%20qualifications%20such%20as%20%E2%80%9C%3CEM%3Eare%20you%20CMMC%20Level%203%20*%3CU%3Eand%3C%2FU%3E*%20ITAR%20compliant%3F%3C%2FEM%3E%E2%80%9D%26nbsp%3B%20It%E2%80%99s%20implicit%20the%20company%20protects%20all%20categories%20of%20CUI%2C%20including%20ITAR%20export-controlled%20data.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%E2%80%99s%20assume%20you%20have%20two%20different%20companies.%26nbsp%3B%20The%20first%20is%20a%20company%20that%20frequently%20works%20with%20export-controlled%20data%20and%20has%20a%20System%20Security%20Plan%20(SSP)%20in%20place%20to%20protect%20data%20with%20NOFORN%20requirements.%26nbsp%3B%20They%20have%20deployed%20their%20information%20systems%20in%20the%20Microsoft%20US%20Sovereign%20Cloud%20with%20Azure%20Government%20and%20Microsoft%20365%20GCC%20High.%26nbsp%3B%20They%20have%20the%20contractual%20amendment%20from%20Microsoft%20to%20support%20ITAR%20with%20NOFORN%20and%20have%20established%20a%20clear%20accreditation%20boundary%20for%20protection%20of%20export-controlled%20data%20natively%20within%20their%20information%20systems.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20second%20company%20does%20not%20handle%20export-controlled%20data%20frequently.%26nbsp%3B%20They%20establish%20an%20SSP%20to%20accommodate%20protection%20of%20export-controlled%20data%20using%20special%20End-To-End%20Encryption.%26nbsp%3B%20They%20have%20deployed%20their%20information%20systems%20in%20commercial%20clouds%20that%20are%20not%20natively%20compliant%20for%20ITAR%20regulations.%26nbsp%3B%20However%2C%20they%20pass%20their%20CMMC%20assessment%20for%20Level%203%20because%20they%20have%20established%20a%20human-based%20process%20for%20marking%20and%20specially%20encrypting%20data%20before%20it%E2%80%99s%20saved%20to%20the%20commercial%20cloud%2C%20relying%20on%20people%20to%20pre-determine%20export-controlled%20data.%26nbsp%3B%20It%E2%80%99s%20not%20a%20problem%20for%20them%20though%2C%20as%20they%20rarely%20deal%20with%20it.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDo%20the%20two%20companies%20have%20equivalent%20risk%20profiles%2C%20as%20they%20both%20have%20certifications%20for%20CMMC%20Level%203%3F%26nbsp%3B%20The%20short%20answer%20is%20definitively%20no.%26nbsp%3B%20The%20second%20company%20has%20a%20tremendously%20higher%20risk%20of%20non-compliance%20and%20spillage%20relying%20on%20the%20human%20factor%20to%20protect%20export-controlled%20data.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%2C%20most%20export-controlled%20data%20does%20not%20begin%20its%20life%20as%20such.%26nbsp%3B%20Most%20begin%20simply%20as%20intellectual%20property%2C%20such%20as%20documents%20generated%20during%20a%20research%20and%20development%20project.%26nbsp%3B%20It%E2%80%99s%20not%20until%20that%20data%20progresses%20through%20a%20lifecycle%20and%20exchange%20with%20the%20DoD%20before%20it%20gets%20properly%20marked%20as%20export-controlled%20(%3CEM%3Eif%20ever%20%E2%80%93%20hello%20DoD%20Instruction%205200.48!%3C%2FEM%3E).%26nbsp%3B%20If%20you%20are%20saving%20that%20data%20in%20a%20commercial%20cloud%20unprotected%20(not%20opaque%20to%20the%20Cloud%20Service%20Provider)%2C%20you%20subsequently%20end%20up%20with%20a%20deemed%20export%20without%20the%20fault%20of%20the%20original%20document%20author.%26nbsp%3B%20As%20such%2C%20it%20is%20imperative%20to%20protect%20all%20intellectual%20property%20by%20specially%20encrypting%20virtually%20everything%20that%20may%20potentially%20become%20CUI%20in%20the%20future.%26nbsp%3B%20It%20goes%20without%20saying%20that%20is%20a%20much%20easier%20thing%20to%20do%20if%20the%20information%20systems%20they%20use%20natively%20support%20ITAR%20and%20NOFORN%20without%20the%20additional%20End-To-End%20Encryption%20applied%20by%20the%20human%20element.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20is%20final%20example.%26nbsp%3B%20I%E2%80%99ve%20talked%20to%20many%20of%20the%20DIB%20with%20numerous%20sub-contractors.%26nbsp%3B%20They%20do%20not%20personally%20know%20all%20their%20tier%203%2B%20sub-contractors%20in%20their%20supply%20chain.%26nbsp%3B%20They%20rely%20on%20a%20system%20of%20checks%20and%20balances%20throughout%20the%20tiers%20to%20ensure%20each%20sub-contractor%20levels%20deep%20is%20compliant%20and%20is%20obligated%20to%20protect%20their%20crown%20jewels.%26nbsp%3B%20If%20CMMC%20is%20intended%20to%20establish%20a%20level%20of%20trust%20that%20any%20vendor%20certified%20at%20a%20Level%203%20is%20compliant%20for%20data%20handling%20of%20CUI%2C%20they%20should%20not%20have%20to%20additionally%20qualify%20protection%20of%20export-controlled%20data.%26nbsp%3B%20However%2C%20they%20absolutely%20do%20care%20if%20the%20vendor%20has%20an%20accreditation%20boundary%20that%20supports%20ITAR%20and%20NOFORN%20natively.%26nbsp%3B%20These%20DIB%20may%20not%20accept%20the%20second%20company%20that%20is%20in%20any%20ole%20commercial%20cloud%20without%20native%20compliance.%26nbsp%3B%20After%20all%2C%20they%20themselves%20would%20not%20have%20gone%20to%20all%20the%20trouble%20and%20expense%20of%20using%20the%20ITAR%20compliant%20cloud%20if%20it%E2%80%99s%20not%20that%20important.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--380643678%22%20id%3D%22toc-hId--380643678%22%3EConclusion%3A%20CUI%20Effectively%20Requires%20Data%20Sovereignty%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20has%20prescribed%20the%20US%20Sovereign%20Cloud%20with%20Azure%20Government%20and%20Microsoft%20365%20GCC%20High%20to%20protect%20CUI%20and%20CDI%20consistently.%26nbsp%3B%20Our%20rationale%20is%20that%20CUI%20does%20include%20ITAR%20regulated%20data%2C%20and%20the%20DoD%20requires%20DFARS%207012%20to%20protect%20it.%26nbsp%3B%20We%20only%20accommodate%20that%20contractually%20across%20Azure%2C%20Office%20365%2C%20and%20Dynamics%20365%20in%20the%20US%20Sovereign%20Cloud.%26nbsp%3B%20It%E2%80%99s%20that%20simple.%26nbsp%3B%20It%E2%80%99s%20true%20that%20you%20may%20demonstrate%20compliance%20for%20CUI%20in%20our%20Commercial%20or%20GCC%20cloud%20offerings%2C%20but%20you%20will%20not%20get%20a%20contractual%20obligation%20from%20Microsoft%20to%20protect%20an%20aggregate%20of%20CUI%20anywhere%20else%20other%20than%20in%20the%20US%20Sovereign%20Cloud.%26nbsp%3B%20It%20will%20be%20your%20sole%20responsibility%20to%20prove%20and%20maintain%20compliance%20for%20it%20in%20other%20clouds.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--514328402%22%20id%3D%22toc-hId--514328402%22%3EAppendix%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20follow%20me%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fv2%2Fviewprofilepage%2Fuser-id%2F276160%22%20target%3D%22_blank%22%3Ehere%3C%2FA%3E%20and%20on%20%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fin%2Fwakeman%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ELinkedIn%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere%20are%20my%20additional%20blog%20articles%3A%3C%2FP%3E%0A%3CDIV%20style%3D%22direction%3A%20ltr%3B%22%3E%3CBR%20%2F%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20class%3D%22%20lia-align-left%22%20style%3D%22width%3A%20100%25%3B%22%20width%3D%2299.86187845303868%25%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CH3%20id%3D%22toc-hId-2102267150%22%20id%3D%22toc-hId-2102267150%22%3E%3CFONT%20color%3D%22%23000080%22%3E%3CSTRONG%3EBlog%20Title%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CH3%20id%3D%22toc-hId-294812687%22%20id%3D%22toc-hId-294812687%22%3E%3CFONT%20color%3D%22%23000080%22%3E%3CSTRONG%3EAka%20Link%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3EAccelerating%20CMMC%20compliance%20for%20Microsoft%20cloud%20(in%20depth%20review)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FCMMCResponse%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FCMMCResponse%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CEM%3E%3CSTRONG%3EUpdated!%26nbsp%3B%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FFONT%3EMicrosoft%20CMMC%20Acceleration%20Program%20Update%20%E2%80%93%20January%202021%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Faka.ms%2FCMMCAccelerationProgramUpdate%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttp%3A%2F%2Faka.ms%2FCMMCAccelerationProgramUpdate%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3EHistory%20of%20Microsoft%20Cloud%20Service%20Offerings%20leading%20to%20the%20US%20Sovereign%20Cloud%20for%20Government%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FAA632wo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FAA632wo%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3E%3CSTRONG%3E%3CFONT%20color%3D%22%23FFCC00%22%3E%3CI%3EGold%20Standard!%3C%2FI%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FSTRONG%3EUnderstanding%20Compliance%20Between%20Microsoft%20365%20Commercial%2C%20GCC%2C%20GCC-High%20and%20DoD%20Offerings%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMSGovCompliance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FMSGovCompliance%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3EThe%20Microsoft%20365%20Government%20(GCC%20High)%20Conundrum%20-%20DIB%20Data%20Enclave%20vs%20Going%20All%20In%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FAA6frar%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FAA6frar%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3EMicrosoft%20US%20Sovereign%20Cloud%20Myth%20Busters%20-%20A%20Global%20Address%20List%20(GAL)%20Can%20Span%20Multiple%20Tenants%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FAA6seih%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FAA6seih%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3EMicrosoft%20US%20Sovereign%20Cloud%20Myth%20Busters%20-%20A%20Single%20Domain%20Should%20Not%20Span%20Multiple%20Tenants%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FAA6vf3n%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FAA6vf3n%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3EMicrosoft%20US%20Sovereign%20Cloud%20Myth%20Busters%20-%20Active%20Directory%20Does%20Not%20Require%20Restructuring%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FAA6xn69%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FAA6xn69%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3EMicrosoft%20US%20Sovereign%20Cloud%20Myth%20Busters%20-%20CUI%20Effectively%20Requires%20Data%20Sovereignty%20(%3CEM%3EThis%20One%3C%2FEM%3E)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FCUISovereignty%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FCUISovereignty%3C%2FA%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%2250.27624309392266%25%22%3E%3CP%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CEM%3E%3CSTRONG%3ENew!%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FFONT%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EMicrosoft%20expands%20qualification%20of%20contractors%20for%20government%20cloud%20offerings%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2249.58563535911602%25%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FGovCloudEligibility%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FGovCloudEligibility%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1597726%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Graphic%203.png%22%20style%3D%22width%3A%20998px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F213237i79FB3DB7E76E038A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Graphic%203.png%22%20alt%3D%22Graphic%203.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20will%20focus%20on%20the%20myth%20that%20Controlled%20Unclassified%20Information%20(CUI)%20does%20not%20require%20data%20sovereignty.%26nbsp%3B%20This%20article%20is%20written%20through%20the%20lens%20of%20requirements%20to%20protect%20CUI%20in%20the%20context%20of%20the%20U.S.%20Department%20of%20Defense%20for%20national%20security%2C%20such%20as%20in%20alignment%20with%20the%20Defense%20Industrial%20Base%20(DIB)%20and%20the%20Cybersecurity%20Maturity%20Model%20Certification%20(CMMC).%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1597726%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECMMC%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edefense%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFederal%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Jan 08 2021 02:06 PM
Updated by: