Forum Discussion
Anon414
Aug 25, 2020
Copper Contributor
Protection of CUI in SharePoint
Is there a secure and compliant way to store and process data in SharePoint (FIPS validated cryptography, access controls, etc)? Does this require a GCC or GCC high license for this function?
Anupam_K_Gupta
Microsoft
Aug 25, 2020
Anon414, from the questions you're posting, it looks to me like you're grappling with how to store data in O365 and if it will be compliant with CDI and ITAR data categories - what we affectionately call CUI, or segments of CUI.
It's my own view, and I think for many others, that it's just about impossible to segregate one type of CUI from another. The possibility of the spill is always there. And unless you can clearly articulate that you won't ever work on NOFORN or ITAR type of contracts, then my guidance to you would be to lean towards GCCH. It's purpose-built for ITAR controls and fabric is secured - check out the SSP as Sergio mentioned.
You will have to do "other" things in order to secure your own tenant - like monitoring in Sentinel or PIM/PAM (Privileged Access Management) and JIT (Just in time, or conditional access). You'll also want to tag your special data types so you can track it in the environment to the best extent possible. All of those are the security practices you'll have to engage in with CMMC.