Protection of CUI via email

Question

Is there a secure and compliant way to transfer CUI using Outlook (SC.3.177 requires FIPS validated cryptography)? Does this require a GCC or GCC high license if you are only using this function?

anupam_k_gupta · Answer

Anon414&nbsp;- great question.Let me point you to a few sources:https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-fips-140-2?view=o365-worldwidehttps://docs.microsoft.com/en-us/microsoft-365/compliance/email-encryption?view=o365-worldwidehttps://docs.microsoft.com/en-us/microsoft-365/compliance/ome-advanced-message-encryption?view=o365-worldwideThese services are built using Azure Rights Management Services which do support FIPS 140-2 requirements.https://docs.microsoft.com/en-us/azure/information-protection/what-is-azure-rmsRegarding your question plans and GCC vs. GCCH, you'll want to think through the details, especially when you consider spills and managing data traversing environments.Here's a great&nbsp;RichardWakeman&nbsp;article for your consideration:

The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In

https://aka.ms/AA6frar

Paul Meacham&nbsp;or&nbsp;Sergio Cossio&nbsp;- would you have any guidance on plans and services?

richardwakeman · Answer

Anon414&nbsp;and Anupam_K_Gupta, the big question is if the email may have technical content or attachments that may constitute export controlled data, such as ITAR data.&nbsp; GCC High is where you will get contractual support for ITAR.&nbsp; I touch on this in&nbsp;Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants.

Forum Discussion

Protection of CUI via email

Share

Resources