Case Study: Managing CUI Tagging and Protection in SharePoint

NC Protect Seamlessly Manages CUI in SharePoint at this Defense Supply Chain Manufacturer

Organizations in the Defense Industry Base (DIB) form an important part of the supply chain for government and defense. As a result, they store and collaborate on highly sensitive data known as Controlled Unclassified Information (CUI) that is subject to a variety of regulations depending on the nature of the information, including NIST, CMMC and ITAR.

Accidental sharing of or theft of this information can have catastrophic business consequences. Defense contractors have been fined tens of millions of dollars for failing to control access to EAR and ITAR-regulated data. Furthermore, they can impact more than just the bottom line – criminal penalties of 10 to 20 years in prison, depending on the regulation, are also possible.

With high-value information at stake, employing a comprehensive data security solution to safeguard CUI and meet stringent information handling and sharing requirements is an essential part of any DIB security protocols to ensure compliance. This DIB, a global manufacturer of aircraft accessories, needed a more automated way to identify and restrict access to content containing CUI in their SharePoint on-premises environment.

Finding a Simpler Way to Manage CUI Compliance

With several military contracts and non-US-based offices, this DIB has many regulations that they need to follow to ensure CUI in their possession is handled properly.

CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies, including CMMC, NIST, DFAR and ITAR, among others. As there are fewer controls over CUI as compared to classified information, loss of CUI is one of the most significant risks to national security – making its protection critical.

Managing CUI compliance manually would be extremely difficult to accomplish, so the DIB sought a solution to help automate the identification and classification of CUI in their SharePoint systems and help restrict access to it. Working with Synergy Corporate Technologies, a Microsoft Gold Partner, they chose NC Protect and worked directly with Synergy to evaluate and implement the product.

NC Protect Automates CUI Identification, Classification and Protection

NC Protect fit their requirements and budget with its ability to scan files in SharePoint (Microsoft Office documents, PDFs, Images, etc.) for CUI and automatically classify them according to their CUI level.

The document CUI Level is determined by the affiliated Category Name, Category Marking or Banner Marking as defined by the requirements in 32 CFR Part 2002 “Controlled Unclassified Information”. Documents are classified as Level 1, 2, 3 or “no CUI” based on keywords that map to these requirements, with Level 1 as the most restrictive. Data protection policies are then dynamically applied by NC Protect based on the document’s classification, the Microsoft Entra ID group a user is in and what country the user is in (US or UK).

A user must be in either the US or UK group to see anything with CUI (by default, a user cannot access any CUI). Additionally, users in the UK group are not allowed to see any document classified as Level 1, 2, or 3 if the document has been tagged “export controlled”. If it has an “export license” tag, then UK users may see and access it. See the image below.

The Level 1-3 groups can view documents at their level and below without restrictions in SharePoint (e.g. a Level 2 user won’t see Level 1 documents). The restricted groups work the same but can only open the documents in NC Protect’s secure viewer, which prevents printing, copying, saving/downloading of the file (e.g. a Level 1 Restricted user can only open Level 1 documents in the secure reader). The documents are also digitally watermarked by NC Protect with the current date, current user and CUI Level for additional security and auditing purposes.

NC Protect Provides a LONG-TERM Solution for CUI Management

With plans to move more content into SharePoint, NC Protect ensures it will be seamlessly managed for CUI. The DIB manufacturer can now collaborate with full confidence that CUI is automatically identified, properly classified and restricted based on the CUI compliance guidelines.