CMMC & NIST Compliance in Microsoft 365 & GCC High

Defense Industry suppliers must now demonstrate compliance with CMMC 2.0, NIST 800-171 and NIST 800-53 guidelines for handling CUI and FCI

CMMC and NIST Information Handling and Sharing Practices for CUI and FCI in Microsoft 365 & GCC High

Perimeter security practices are no longer viable with the rise of cloud migration, BYOD, and remote work. We need a new approach designed for today’s challenges. A data-centric zero trust approach to more effectively secure data from the inside out Microsoft 365 and GCC High provides the answer.

For the government and defense industry, the solution also has to meet the demands of both the DOD and the critical infrastructure players and map to critical controls laid out in NIST 800-171, NIST 800-53, and CMMC 2.0.

Data-CENTRIC Zero Trust & ABAC Policies Provide the Key

Extending a Zero Trust approach used for system and application access to file access and sharing in Microsoft 365 and GCC High applications ensures compliance with CMMC standards for the secure collaboration of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

By implementing attribute-based access control (ABAC) policies, a Zero Trust security model that evaluates attributes (or characteristics of data and/or users) rather than roles, to determine access to data, you gain greater flexibility and control over sensitive data. ABAC policies evaluate each file’s attributes, including security classification and permissions, as well as user attributes, such as security clearance, time of day, location, and device, to determine who and when a user is able to access, edit, save/download/print and share files.

This gives agencies and defence suppliers granular, real-time control over the access and usage of information by adjusting security in real-time based on specific parameters at that point in time. If the user scenario does not match or appears suspicious, then access is denied, or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours, and they are using a BYOD device in another country, file access will be denied – effectively thwarting a hacker using stolen credentials.

NC Protect SecureS CUi & FCI Across Microsoft 365, GCC High, SharePoint On-Premises & File Shares

NC Protect enhances the security capabilities across your complete stack in a world that leverages Microsoft applications for most Federal, DOD and supply chain environments. Secure government and defense-related collaboration to meet and enforce CMMC, NIST, ITAR and other requirements using a central policy engine. It is fully integrated with Microsoft 365 and GCC High apps, including SharePoint, OneDrive, Office and Exchange, SharePoint on-premises, Windows file shares, Nutanix Files and NetApp ONTAP.

Case Study

Learn how this Defense Manufacturer uses NC Protect to identify and restrict access to content containing CUI.


NC Protect is a complementary solution that adds dynamic data-centric capabilities to automatically find, classify and secure unstructured data on-premises, in the cloud and hybrid environments. It dynamically adjusts data access and protection based on real-time comparison of data and user attributes to make sure that users view, use, and share files according to your regulations and policies.

Using a solution like NC Protect that utilizes attribute-based access and control (ABAC) policies has many benefits. It provides granular data security to ensure compliance with CMMC capabilities to meet information security requirements and operational security by delivering a seamless ABAC solution to deliver and share information to our coalition partners.

The key to this is NC Protect’s ability to scan the Microsoft environment, add metadata tagging to the documents or leverage MIP sensitivity labels; it then evaluates both data and user attributes against policies to determine appropriate access, usage and sharing rights. A complete audit trail of all document access is logged and can be reported on using Microsoft Sentinel or Splunk.

This level of granular access, usage control and auditing is the key to attaining CMMC and NIST compliance.

Benefits of NC Protect for CMMC & NIST Compliance in Microsoft 365:

  • Discover and report on where sensitive data (PII, PHI, CUI, FCI, etc.) exists in systems, including file shares, SharePoint and Microsoft 365 apps for auditing purposes.
  • Automatically classify, restrict access to and control distribution of CUI and FCI.
  • Evaluate both data and user attributes against policies to determine appropriate access, usage and sharing rights.
  • Redact sensitive/classified information, such as keywords or phrases, in Word, Excel, PowerPoint and PDF, or when the file is presented in the Secure Reader.
  • Embeds CUI visual markings, including Headers, Footer and CUI Designation Indicator labels, including Owner Name, Controlled By, Category, Distribution/Limited Dissemination Control and POC, as well as headers/footers into documents as a persistent watermark. 
  • Encrypt PII at rest and in transit across various applications, email, portable devices and storage media.
  • Audit the entire lifecycle of a document, including who accessed PII and what they did with it, for analysis and upstream actions in Microsoft Sentinel or Splunk.




NC Protect for Government & Defense Brochure


Video: Applying CUI Markings with NC Protect


White Paper: CMMC 2.0


NC Protect ITAR Case Study

​Let’s Get the Conversation Started

Learn how to leverage NC Protect for secure, policy-based access and sharing of sensitive data in Microsoft 365, GCC and GCC High to comply with NIST and prepare for CMMC 2.0 requirements.