CMMC & NIST Compliance in Microsoft 365

Defense Industry suppliers must now demonstrate compliance with CMMC and NIST 800-171 guidelines for CUI & FCI handling

CMMC and NIST Information Handling and Sharing Practices for CUI and FCI in Microsoft 365

With the migration to the cloud, BYOD, and COVID-19 creating a worldwide remote workforce, there truly is no perimeter anymore. Now more than ever, we need a seamless way to adapt our cyber defenses to also look towards the inside and proactively secure data.

For government and the defense industry, the solution also has to scale to meet the demands of both the DOD and the critical infrastructure players, and map to the critical controls laid out in NIST 800-171, NIST 800-53, and CMMC.

How Data-Centric Zero Trust ABAC Policies Provide the Key to Success

Extending a Zero Trust approach used for system and application access to file access and sharing ensures compliance with CMMC standards for collaboration on Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Attribute-based access control (ABAC) is a Zero Trust security model that evaluates attributes (or characteristics of data and/or users), rather than roles, to determine access. It uses a data-centric security approach that evaluates each file’s attributes, including security classification and permissions, as well as user attributes such as security clearance, time of day, location, and device, to determine who is able to access, as well as edit and download, files.

This gives agencies granular, real-time control over access to information: at the moment of each request, the policy determines whether the user should be given access to the requested information based on all of these parameters. If the user scenario does not match, or appears suspicious, then access is denied, or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours and they are using a BYOD device in another country, file access will be denied, effectively thwarting a hacker using stolen credentials.
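The decision logic described above, sketched as an added example (this is not NC Protect's code or policy syntax). The sensitivity levels, business hours, allowed-country list and the one-mismatch threshold for a restricted view are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical policy values, for illustration only.
LEVELS = {"public": 0, "fci": 1, "cui": 2}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59, Monday to Friday
ALLOWED_COUNTRIES = {"US"}

@dataclass(frozen=True)
class FileAttrs:
    classification: str
    owner: str

@dataclass(frozen=True)
class UserAttrs:
    user_id: str
    clearance: str
    country: str
    managed_device: bool               # False models a BYOD device
    when: datetime

def context_mismatches(user):
    """List the request-context attributes that fall outside policy."""
    found = []
    if user.when.weekday() >= 5 or user.when.hour not in BUSINESS_HOURS:
        found.append("outside_business_hours")
    if not user.managed_device:
        found.append("unmanaged_device")
    if user.country not in ALLOWED_COUNTRIES:
        found.append("unexpected_country")
    return found

def decide(doc, user):
    """Evaluate one request; returns (decision, reasons) for the audit trail."""
    if doc.classification not in LEVELS or user.clearance not in LEVELS:
        return "deny", ["unknown_attribute"]      # fail closed on unlabeled data
    if LEVELS[user.clearance] < LEVELS[doc.classification]:
        return "deny", ["insufficient_clearance"]
    reasons = context_mismatches(user)
    if LEVELS[doc.classification] == 0 or not reasons:
        return "permit", reasons
    # Ownership is deliberately never consulted: an owner whose context
    # looks wrong is treated like any other suspicious request.
    return ("restricted_view" if len(reasons) == 1 else "deny"), reasons

# Constructed sample requests against one CUI file owned by "alice".
CUI_FILE = FileAttrs("cui", "alice")
OFFICE = UserAttrs("alice", "cui", "US", True, datetime(2024, 3, 5, 10, 30))
EVENING = UserAttrs("alice", "cui", "US", True, datetime(2024, 3, 5, 21, 0))
ABROAD = UserAttrs("alice", "cui", "FR", False, datetime(2024, 3, 5, 23, 15))
```

The `ABROAD` request is the stolen-credentials scenario from the paragraph above: valid identity and ownership, but three context mismatches, so the result is a deny with the reasons recorded.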

Secure CUI and FCI Across Microsoft 365 Apps, SharePoint On-Premises and File Shares with NC Protect

In a world of information sharing and collaboration, where almost all Federal and DOD environments, including our coalition partners, leverage the full Microsoft stack, NC Protect is fully integrated with Microsoft 365 apps including SharePoint, Teams, Yammer, OneDrive and Exchange, as well as SharePoint On-Premises, Nutanix Files, Dropbox and Windows file shares, to centrally secure your collaboration and to meet and enforce CMMC requirements.

Case Study

Learn how this Defense Manufacturer uses NC Protect to identify and restrict access to content containing CUI.


The NC Protect solution provides dynamic data-centric security to automatically find, classify and secure unstructured data on-premises, in the cloud and in hybrid environments. NC Protect dynamically adjusts data access and protection based on real-time comparison of data and user attributes to make sure that users view, use, and share files according to your agency’s regulations and policies.

Using a solution like NC Protect that applies attribute-based access control (ABAC) policies has many benefits. It affords granular data security that not only ensures compliance with the CMMC capabilities for meeting information security requirements, but also ensures operational security by providing a seamless ABAC solution for delivering and sharing information with our coalition partners.

The key to this is NC Protect’s ability to scan the Microsoft environment and either add metadata tags to documents or leverage MIP sensitivity labels. It then evaluates both data and user attributes against policies to determine appropriate access, usage and sharing rights. A complete audit trail of all document access is logged and can be reported on using Microsoft Sentinel or Splunk.

This level of granular access and usage control and auditing is the key to attaining CMMC and NIST compliance.

Benefits of NC Protect for CMMC & NIST Compliance in Microsoft 365:

  • Discover and report on where PII exists in systems, including file shares, SharePoint and Microsoft 365 apps, for auditing purposes.
  • Automatically classify, restrict access to and control distribution of CUI and FCI.
  • Evaluate both data and user attributes against policies to determine appropriate access, usage and sharing rights.
  • Redact sensitive/classified information, such as keywords or phrases, in Word, Excel, PowerPoint and PDF, or when the file is presented in the Secure Reader.
  • Embed CUI Designation Indicator markings including Owner Name, Controlled By, Category, Distribution/Limited Dissemination Control and POC, as well as headers/footers, into documents as a watermark.
  • Encrypt PII at rest and in transit across a range of applications, email, portable devices and storage media.
  • Audit the entire lifecycle of a document, including who accessed PII and what they did with it, for analysis and upstream actions in Microsoft Sentinel or Splunk.





Let’s Get the Conversation Started

Learn how to leverage NC Protect for secure, policy-based access and sharing in Microsoft 365 apps to comply with NIST and see how we can help get your data security best practices ready for CMMC 2.0 requirements.