CMMC & NIST Compliance

Defense Industry suppliers must now demonstrate compliance with CMMC and NIST 800-171 guidelines for CUI & FCI handling

CMMC and NIST Demand Proper Information Handling and Sharing Practices for CUI and FCI

With the migration to the Cloud, BYOD, and COVID-19 creating a worldwide remote workforce, there truly is no perimeter anymore. Now more than ever, we need a seamless way to adapt our cyber defenses to also look towards the inside and proactively secure data.

For government and the defense industry, the solution also has to scale to meet the demands of both the DOD and the critical infrastructure players, and map to the critical controls laid out in NIST 800-171, 800-53, and CMMC, primarily CMMC Levels 3-5.

How Zero Trust Provides the Key to Success

Extending the Zero Trust approach used for system and application access to file access and sharing ensures compliance with CMMC standards for collaboration on Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Attribute-based access control (ABAC) is a Zero Trust security model that evaluates attributes (characteristics of data and/or users), rather than roles, to determine access. It takes a data-centric security approach, evaluating each file’s attributes, including security classification and permissions, together with user attributes such as security clearance, time of day, location, and device, to determine who is able to access, edit, and download files.

This gives agencies granular, real-time control over access to information: at the moment of each request, all of these parameters are evaluated to determine whether the user should be given access to the requested information. If the user scenario does not match, or appears suspicious, then access is denied or a restricted view of the data is provided. For example, if an authenticated user is trying to access a sensitive file they own, but it is outside of business hours and they are using a BYOD device in another country, file access will be denied, effectively thwarting a hacker using stolen credentials.
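The decision flow described above, sketched as an added example; it is not NC Protect's code or policy format. The attribute names, label ordering, business-hours window, and the rule that one context mismatch yields a restricted view while two or more yield a denial are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Assumed ordering of labels; a real deployment would use its own label set.
LEVELS = {"public": 0, "fci": 1, "cui": 2}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed policy window

@dataclass(frozen=True)
class FileAttrs:
    classification: str
    owner: str
    allowed_countries: frozenset

@dataclass(frozen=True)
class Request:
    user: str
    clearance: str
    local_time: time
    country: str
    managed_device: bool  # False for BYOD

def decide(f: FileAttrs, r: Request) -> str:
    """Return 'allow', 'restricted_view' or 'deny' for a single request."""
    # Fail closed: unknown labels count as most sensitive, unknown clearances as none.
    need = LEVELS.get(f.classification, max(LEVELS.values()))
    have = LEVELS.get(r.clearance, -1)
    if have < need:
        return "deny"
    if need == 0:
        return "allow"
    # Context is checked on every request; owning the file (f.owner) is not a bypass.
    mismatches = sum([
        not (BUSINESS_HOURS[0] <= r.local_time < BUSINESS_HOURS[1]),
        r.country not in f.allowed_countries,
        not r.managed_device,
    ])
    if mismatches == 0:
        return "allow"
    return "restricted_view" if mismatches == 1 else "deny"

# Constructed sample data: one CUI file and four requests against it.
CUI_FILE = FileAttrs("cui", "alice", frozenset({"US"}))

def sample_decisions() -> list:
    office = Request("alice", "cui", time(10, 30), "US", True)
    byod = Request("alice", "cui", time(10, 30), "US", False)
    stolen = Request("alice", "cui", time(23, 15), "FR", False)  # the page's scenario
    low = Request("bob", "fci", time(10, 30), "US", True)
    return [decide(CUI_FILE, q) for q in (office, byod, stolen, low)]
```

The third request matches the stolen-credentials scenario in the text: valid identity and ownership, but the time, country and device attributes all fail, so the result is a denial.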

Secure CUI and FCI Across Microsoft 365 Apps and File Shares with NC Protect

In a world of information sharing and collaboration, where almost all Federal and DOD environments, including our coalition partners, leverage the full Microsoft stack, NC Protect is fully integrated with Microsoft 365 apps including SharePoint, Teams, Yammer, OneDrive, and Exchange, as well as Nutanix Files, Dropbox and Windows file shares, to centrally secure your collaboration and to meet and enforce CMMC requirements.

How NC Protect Can Help with CMMC & NIST Compliance

The NC Protect solution provides dynamic data-centric security to automatically find, classify and secure unstructured data on-premises, in the cloud and in hybrid environments. NC Protect dynamically adjusts data access and protection based on real-time comparison of data and user attributes to make sure that users view, use, and share files according to your agency’s regulations and policies.

Using a solution like NC Protect that applies attribute-based access control (ABAC) policies has many benefits. It affords granular data security that not only ensures compliance with the CMMC capabilities needed to meet Level 3-5 requirements, but also ensures operational security by providing a seamless ABAC solution for delivering and sharing information with our coalition partners.

The key to this is NC Protect’s ability to scan the Microsoft environment and add metadata tags to documents or leverage MIP sensitivity labels. It then evaluates both data and user attributes against policies to determine appropriate access, usage and sharing rights. A complete audit trail of all document access is logged and can be reported on using Azure Sentinel or Splunk. This level of granular control is the key to attaining CMMC Levels 3-5.

Benefits of NC Protect for CMMC Compliance:

  • Discover and report on where PII exists in systems, including file shares, SharePoint and Microsoft 365 apps, for auditing purposes.
  • Automatically classify, restrict access to and control distribution of CUI and FCI.
  • Evaluate both data and user attributes against policies to determine appropriate access, usage and sharing rights.
  • Redact sensitive/classified information, such as keywords or phrases, in Word, Excel, PowerPoint and PDF, or when the file is presented in the Secure Reader.
  • Encrypt PII at rest and in transit across a range of applications, email, portable devices and storage media.
  • Audit the entire lifecycle of a document, including who accessed PII and what they did with it, for analysis in Azure Sentinel or Splunk.

Let’s Get the Conversation Started

Learn how to leverage NC Protect for secure, policy-based access and sharing in Microsoft apps to comply with NIST and CMMC requirements.