How a Federal Contractor Leveraged Microsoft AIP to Secure CUI

Cleared Systems is a leading Managed Cyber Security Services Provider that helps federal contractors bolster their cyber security. We also help our clients achieve compliance with various federal regulations, like DFARS, CMMC 2.0, ITAR, and standards like the NIST SP 800-171, by leveraging tools like Microsoft AIP. We were recently contracted by a federal contractor who was facing several challenges in managing and protecting CUI in accordance with the NIST SP 800-171 requirements. These challenges included:

  • Classifying CUI according to the applicable categories and subcategories defined by the CUI Registry.
  • Applying appropriate labels and markings to CUI documents and emails.
  • Encrypting CUI at rest and in transit using approved cryptographic methods.
  • Controlling access to CUI based on the principle of least privilege and enforcing multifactor authentication.
  • Tracking and auditing the usage and sharing of CUI within and outside the organization.
  • Implementing policies and procedures for reporting and responding to CUI incidents and breaches.

The federal contractor’s existing systems were not designed to handle these challenges. They relied on manual processes, such as adding watermarks or headers to documents or using password-protected files or folders. These processes were not only time-consuming but also error-prone and inconsistent. Moreover, they did not provide adequate security or visibility into the lifecycle of CUI. The federal contractor needed a solution that would automate and simplify the management and protection of CUI, while ensuring compliance with the NIST SP 800-171 requirements. They also wanted a solution that would integrate seamlessly with their existing systems, such as Microsoft Office 365, SharePoint Online, OneDrive, and Outlook.

Objectives

The objectives of the project were to:

  • Implement a solution that would enable the federal contractor to classify, label, encrypt, track, audit, and dispose of CUI in a secure and compliant manner.
  • Reduce the operational costs and risks associated with manual processes for handling CUI.
  • Increase the productivity and efficiency of the federal contractor’s employees by streamlining their workflows and reducing their workload.
  • Enhance the trust and confidence of the federal contractor’s customers and partners by demonstrating their commitment to protecting their sensitive information

Challenges

The main challenges that our team faced when delivering the solution were:

  • Compliance with Regulations: The contractor needed a solution that would meet all the NIST SP 800-171 requirements for CUI, as well as other relevant federal regulations and standards. A thorough assessment and validation of the solution’s compliance capabilities was necessary.
  • Data Classification, Labeling and Protection: The contractor had a large volume of data that needed to be classified, labeled and protected as CUI. It required a scalable and flexible solution that could handle different types of data and formats.
  • System Compatibility: The federal contractor needed a solution that would be compatible with their existing systems and applications without requiring significant changes or disruptions.
  • User Adoption: The contractor needed a solution that would be easy to use and adopt by their employees without compromising their user experience or performance.
  • Stakeholder Coordination: The federal contractor had multiple stakeholders involved in the project, such as IT administrators, security officers, legal advisors, and end-users. A clear communication and coordination strategy was required to ensure that everyone was on the same page and understood their roles and responsibilities.

Solutions

Cleared Systems chose Microsoft Azure Information Protection (AIP) as the solution for securing CUI for the federal contractor. Microsoft AIP is a cloud-based service that enables organizations to classify, label, protect, monitor, and control their sensitive data. AIP leverages Microsoft’s encryption technology, Azure Rights Management Service (Azure RMS), to protect data at rest and in transit. AIP also integrates with Microsoft’s cloud services, such as Office 365, SharePoint Online, OneDrive for Business, Outlook, Teams, etc., as well as with on-premises systems and applications. Our team implemented AIP for the federal contractor by following these steps:

  • Configuring AIP policies and labels:Cleared Systems created custom AIP policies and labels that matched the CUI categories and subcategories defined by the CUI Registry. For example, we created labels such as “CUI Specified – Export Controlled,” “CUI Basic – PII,” “CUI Basic – Financial,” etc. Our team also configured the AIP policies to apply encryption, access control, watermarking, header/footer insertion, etc., based on the labels. We also enabled automatic classification based on content inspection rules.
  • Deploying AIP clients:Our team deployed AIP clients on all the devices used by the federal contractor’s employees. The AIP clients enabled the federal contractor to classify and label their documents and emails manually or automatically using a simple toolbar or menu. The AIP clients also enabled them to protect their documents and emails using encryption and rights management. We also integrated the AIP client with Office 365 applications such as Word, Excel, PowerPoint, Outlook, etc., and with other applications such as Adobe Acrobat Reader, File Explorer, etc.
  • Enabling AIP scanner:Cleared Systems enabled AIP scanner on the federal contractor’s SharePoint Online and OneDrive for Business sites. The Microsoft AIP scanner automatically scanned the existing and new files stored on these sites and applied the appropriate labels and protection based on the AIP policies. The AIP scanner also generated reports on the files scanned, labeled, and protected.
  • Enabling AIP analytics:We enabled AIP analytics on the Azure portal. The AIP analytics provided them with insights into the usage and sharing of CUI within and outside the organization. The AIP analytics also provided them with alerts and notifications on potential CUI incidents and breaches, such as unauthorized access, data leakage, data loss, etc.

Outcomes

The implementation of Microsoft AIP for the federal contractor resulted in the following outcomes:

  • Improved compliance:The federal contractor was able to meet all the NIST SP 800-171 requirements for CUI, as well as other relevant federal regulations and standards. They were able to classify, label, and protect their CUI data according to the NARA guidelines using AIP’s intuitive and user-friendly interface. The contractor was able to apply labels manually or automatically based on their data content or context. They were able to demonstrate their compliance to their customers and partners using audit logs and reports generated by Microsoft
  • Enhanced security:The contractor was able to protect their CUI from unauthorized access, disclosure, modification, or deletion. They were able to monitor and audit their CUI data lifecycle using AIP’s logging and reporting features. The federal contractor was able to encrypt their CUI at rest and in transit using approved cryptographic methods. They were also able to track who accessed, modified, or shared their CUI data and when and where it was done. This meant they’d be able to control access to their CUI based on the principle of least privilege and enforce multifactor authentication. The contractor could also track the usage and sharing of their CUI within and outside the organization. They were able to implement policies and procedures for reporting and responding to CUI incidents and breaches and generate compliance reports using Microsoft AIP’s templates or custom queries.
  • Increased efficiency:The federal contractor was able to reduce the operational costs and risks associated with manual processes for handling CUI. They were able to automate and simplify the management and protection of CUI using AIP policies, labels, clients, scanner, and analytics. The contractor was able to increase the productivity and efficiency of their employees by streamlining their workflows and reducing their workload.
  • Improved user experience:The federal contractor was able to enhance the user experience of their employees by integrating AIP with their existing systems and applications. They were able to use AIP without requiring significant changes or disruptions to their daily operations. The contractor could use AIP without compromising their performance or functionality.

Share in Social Media

case studies

See More Case Studies

microsoft 365 GCC High

What is GCC High? For ITAR & CMMC 2.0

Microsoft 365 Government Community Cloud (GCC) High is a specialized cloud solution tailored for U.S. federal, state, local, tribal, and territorial government organizations, as well as for contractors who hold or process data subject to specific security regulations. In this article, we will explore the features, benefits, and differences between Microsoft 365 GCC High and other Office 365 offerings.

Learn more
Contact us

Partner with Us for Compliance & Protection

We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.

Your benefits:
What happens next?
1

Schedule an initial meeting

2

Arrange a discovery and assessment call

3

Tailor a proposal and solution

How can we help you?