CMMC and NIST Information Handling and Sharing Practices for CUI and FCI in Microsoft 365 & GCC High
Perimeter security practices are no longer viable with the rise of cloud migration, BYOD, and remote work. We need a new approach designed for today’s challenges. A data-centric zero trust approach that secures data more effectively from the inside out in Microsoft 365 and GCC High provides the answer.
For the government and defense industry, the solution also has to meet the demands of both the DOD and the critical infrastructure players and map to critical controls laid out in NIST 800-171, NIST 800-53, and CMMC 2.0.
Data-Centric Zero Trust & ABAC Policies Provide the Key
Extending a Zero Trust approach used for system and application access to file access and sharing in Microsoft 365 and GCC High applications ensures compliance with CMMC standards for the secure collaboration of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Attribute-based access control (ABAC) is a Zero Trust security model that evaluates attributes (characteristics of data and/or users), rather than roles, to determine access to data. Implementing ABAC policies gives you greater flexibility and control over sensitive data. ABAC policies evaluate each file’s attributes, including security classification and permissions, as well as user attributes, such as security clearance, time of day, location, and device, to determine who can access, edit, save/download/print and share files, and when.
This gives agencies and defense suppliers granular, real-time control over the access and usage of information, because security is adjusted based on the specific parameters at that point in time. If the user scenario does not match or appears suspicious, then access is denied, or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours, and they are using a BYOD device in another country, file access will be denied, effectively thwarting a hacker using stolen credentials.
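The decision logic described above, sketched as an added example (not code from this page's author or from Microsoft). The attribute names, the classification ordering, the business-hours window and the rule that a single mismatch gives a view-only result are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
# Assumed for this example: classification ordering, attribute names, thresholds.
LEVELS = {"PUBLIC": 0, "FCI": 1, "CUI": 2}
ALL_ACTIONS = frozenset({"view", "edit", "download", "print", "share"})

@dataclass(frozen=True)
class FileAttrs:
    classification: str            # key of LEVELS
    owner: str
    allowed_countries: frozenset   # where the file may be opened

@dataclass(frozen=True)
class UserCtx:
    user_id: str
    clearance: str                 # key of LEVELS
    country: str                   # e.g. derived from sign-in location
    managed_device: bool           # False for BYOD
    local_time: time

def decide(f, u, hours=(time(8, 0), time(18, 0))):
    """Return (decision, permitted_actions, reasons) for one access request."""
    # Hard gate: clearance must be at least the file's classification.
    if LEVELS[u.clearance] < LEVELS[f.classification]:
        return "deny", frozenset(), ["clearance below classification"]
    # f.owner is deliberately not consulted: ownership does not skip context checks.
    mismatches = []
    if not hours[0] <= u.local_time < hours[1]:
        mismatches.append("outside business hours")
    if not u.managed_device:
        mismatches.append("unmanaged (BYOD) device")
    if u.country not in f.allowed_countries:
        mismatches.append("country not permitted for this file")
    if not mismatches:
        return "allow", ALL_ACTIONS, []
    if len(mismatches) == 1:       # assumed threshold: one mismatch -> view only
        return "restricted", frozenset({"view"}), mismatches
    return "deny", frozenset(), mismatches

# Constructed sample data (not from the page).
CUI_FILE = FileAttrs("CUI", "alice", frozenset({"US"}))
OFFICE = UserCtx("alice", "CUI", "US", True, time(10, 30))
BYOD_AT_DESK = UserCtx("alice", "CUI", "US", False, time(10, 30))
STOLEN_CREDS = UserCtx("alice", "CUI", "FR", False, time(23, 15))  # page's scenario
UNCLEARED = UserCtx("bob", "FCI", "US", True, time(10, 30))

if __name__ == "__main__":
    for ctx in (OFFICE, BYOD_AT_DESK, STOLEN_CREDS, UNCLEARED):
        print(ctx.user_id, decide(CUI_FILE, ctx))
```

Returning the list of reasons with each decision gives an audit trail that can be logged for every denied or restricted request.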