This 27-minute video discusses time- and money-saving CUI marking and labeling solutions and techniques (including automation) for meeting the NIST 800-171 and CMMC CUI marking and labeling requirements, featuring subject matter expert Carl Johnson.
Video: https://www.youtube.com/watch?v=Bivt3kVuIHI
The correct banner marking for unclassified documents with CUI is …
We discuss how to mark media with the necessary CUI markings and distribution limitations with our friend and Microsoft security professional, Carl Johnson. Carl has over 22 years of experience working with SharePoint, Teams, Azure, Information Protection, and Data Loss Protection, and his focus is on organizations with high compliance and regulatory requirements. We will discuss some of the CUI marking and labeling solutions that fit within the requirements of CMMC and NIST 800-171.
What are some of the pains and challenges of handling CUI?
Most of the emails and calls I receive are from federal contractors. They’re looking at CMMC or related DFARS and NIST 800-171 requirements. They seek to understand how to manage and organize the information they’ve accumulated over the years within an unstructured environment. They need to protect CUI and are concerned about handling this information from a regulatory perspective. They’re looking for solutions for CUI Labels to mark media with necessary CUI marking and distribution limitations. They want to understand the available automated and manual techniques.
Let’s take a step back for a moment – what exactly is CUI?
CUI was first developed and created by the DOD and stands for Controlled Unclassified Information. Let’s say you’re a federal contractor and you have all these documents sitting in libraries or in folders. But there’s no system for CUI labeling or CUI marking. It isn’t clear then, whether the information is considered to be controlled unclassified information. It only appears as specific to your industry. For instance, I deal with many aerospace companies. They are required to report to the government what they export to other countries and how they’re marking those documents. So it’s related to specific DoD CUI markings and CUI labels requirements.
Why do we need to mark and label CUI? What are some of the requirements?
The DoD/CMMC now requires CUI markings and labeling for federal contractors who handle CUI information and classified information. They’re required to treat CUI with “white gloves.” From the DoD’s perspective, marking is essential for audit purposes. You must quickly be able to tell the auditor
- what information is confidential,
- what information relates to FOUO (“For Official Use Only”),
- or what information you’re sharing with external parties outside your organization.
More importantly, it would be best to have a risk score associated with how many of these documents you hold. A great example is working with FEMA as a federal contractor, where you possess information about a cash payout or a resident’s personal information. All that information needs to be categorized somehow, so it doesn’t get into the wrong hands.
CUI marking and CUI labels, what are the biggest challenges?
We have tons of technology that does CUI marking very well. But, before you can do any marking, you need to train your staff to identify what needs marking versus what does not. For CUI marking, people don’t typically think about the need to mark documents. Accordingly, the biggest challenge is getting your people involved. And training them to understand the importance of marking and how that impacts your company.
The second biggest challenge is deciding what to do with those thousands of documents accumulated over the past 10-15 years. Where exactly is the line where it says you no longer have to worry about marking archive documents? Those are the biggest challenges. From a financial perspective, it takes many resources to go back and mark all those documents. But somebody has to do it.
Can CUI marking and CUI labels solutions be done automatically?
Absolutely! I’ve been with Microsoft for the last 20-something years in the cybersecurity world. The biggest challenge is: “How do we automate as many tasks as possible?” The last thing you want is a user to manually input form information because it may not be accurate. The same is true about marking. We can train Azure Information Protection (AIP) to scan the documents, look for identifiable information, and determine whether or not that should be marked.
The second way is to create templates for your organization. Create essential new documents from templates that are pre-labeled (confidential, unclassified, financial). Users can’t create documents without markings. By creating templates that run throughout your whole organization, no one can create a regular, blank document. They would have to select from one of the templates; that way, you can mark it at the very lowest level of categorization, rather than having none at all. I think that’s the best way to automate. It’s about training the staff to teach them the importance of why we’re doing this, even before you roll out Azure Information Protection or a labeling/marking program for your organization.
What’s the high level process of automated CUI marking and labeling solutions?
The first step is to inventory what we have inside the organization. If we’re talking about a federal contractor, there might be many proposals. Proposals have CUI. And depending on the stage of the proposal, there might be much financial information involved.
The second step is looking at what Microsoft has built-in. Microsoft has done an amazing job of creating labeling and marking templates, so you don’t have to recreate the wheel. Depending on your budget and available resources, I may say to you: “Let’s use the built-in templates that Microsoft has already created.” If you’re a medium-large organization, you’ll have a more complex environment. You’ll need to create custom markings and custom labeling. For example, suppose you have a finance department. In that case, you also might have financial matters in Europe, Asia, Australia, and others. They all have different requirements regarding labeling, marking, and regulations. So, we might need to create sub-labels to help you with those other countries or locales.
Is there an easy method of doing CUI inventory?
It reminds me of back in the day when I worked at a supermarket. Management would say once or twice a year that we had to inventory the entire store. It’s similar to when you’re working with an inventory of files you’ve had for 10-15 years. I always advise that you get the business units themselves – the stakeholders – involved in inventorying their information. We could use tools and do scans to understand what’s there. But in my opinion, the best recipe is first to allow the users to identify the information.
I’m a firm believer that if you can delete or remove old data from your system, by all means, do so. Don’t be a hoarder of information if you don’t need to be. That way, you don’t need to worry about being part of an e-discovery or audit. We can use tools to scan, but you want the users to be involved in this process. And tell you which types of forms they use so you can start seeing a pattern. The more I delete, the easier I can program my tools to look for that particular pattern as we scan and begin the labeling process. However, I do need the user’s input first.
What are some Microsoft 365 tools that are good for CUI marking and labeling solutions?
Many customers are using Office 365. And yes, they may have these tools already, but it’s really about the licensing. If you have a Microsoft E3 or E5 license, Azure Information Protection is already available. Enable it. The one I would recommend if we’re talking about CUI labeling and marking is Azure Information Protection. We would enable it to use your organization’s custom labels and markings.
If you deal with the DoD, the Pentagon, or the Justice Department, you may have specific markings to choose from. Perform this within Azure Information Protection. The technology is the simple part; it’s the planning of the requirements that takes the most time. Once we understand what you’re trying to do, we would advise you on the best method and then go ahead and do the implementation for you. Finally, we would teach you how to do it yourself as you grow and expand.
What do Microsoft AIP, Unified Labeling Platform, and Azure Rights Management do?
For Azure Information Protection, think of it in terms of the display and the encryption. So we’re talking about putting the labels on the documents: Excel files, PowerPoint files, Word document files, and others. Any emails going back and forth require some type of labeling. That’s the first part.
For the second part, let’s think of a scenario where you’re sharing information outside your organization with an untrusted vendor. A vendor that you just started doing business with. Since you don’t know where that information is going, you use the encryption built into your AIP. This ensures that only you and that person will be able to read that email. If that email somehow gets into the wrong hands, it won’t be able to be opened because of the encryption. A lot of people believe that once it leaves your tenant, there’s no longer any encryption, which is not true. The encryption stays on that document. If the other person doesn’t have the right key, they won’t be able to open it. So you’re protected years down the line.
The third part I like to address is DLP, which is data loss protection. Data loss protection involves scanning your environment to look for things relating to your PII (personal identity information): Social Security number, date of birth, address, and others. We live in the world of social media, so PII can be expanded to look for your geolocation, Twitter username, and Instagram username. We continuously scan to protect both the user and the organization, to ensure no one is sharing our information. Those are the two concepts you really want to understand when we’re talking about DLP and Azure Information Protection.
Unified Labeling Platform – how does it help with CUI marking and labeling solutions? Is it available in Microsoft 365 GCC High?
Most of my customers are dealing with GCC High for CMMC. It’s inside the government tenant for Microsoft Office 365. Unified labeling is being rolled out across all the tenants, compared to before when only commercial tenants had unified labeling. With unified labeling, your whole organization is protected. You create labels and markings at the high level of your organization. They trickle down through all of the Microsoft applications you use.
In the early days of SharePoint, organizations had a totally separate labeling system from the labeling on Microsoft files. One would cancel the other out. So now I can look at your organization and have a plan that can protect everything inside of this tenant:
- Your budget is a lot lower because you’re not doing twice the amount of work, and
- You can sleep a little easier knowing that if you’re sharing through SharePoint externally, it’s protected the same way as if you’re sharing through Exchange by sending an email.
Azure Rights Management – can it help CUI management?
Microsoft has really beefed up the rights protection over the years. By using Artificial Intelligence (AI), it identifies what the organization is trying to protect and uses that as a template. With rights protection, everything inside of the tenant is protected, and it’s also protected when the information leaves the tenant. So you don’t have to worry about one-sided protection. Everything is protected: the documents, devices, etc., and all of that information you have on your phones or on your tablet devices. You no longer have to worry about the person who was terminated two weeks ago and whether they still may have information on their phone. With Azure Information Protection, everything that is your property as an organization is protected.
How long will it take to implement these Microsoft 365 tools for CUI marking and labeling solutions?
It depends on how extensive you want the implementation to be and also the complexity of it. If you’re a small-medium business, it would probably be within two weeks. I prefer to understand how an organization does business, especially if you’re doing business with the government. Understanding how you interact with different agencies will allow me to create a template or blueprint for you.
For a larger company, let’s say 500 users and above, you should probably plan for a three-month implementation. Not necessarily because of the size, but more so because of the complexity. You likely have all types of data and information that need to be examined, inventoried, and understood. We want to make the right decision. If we want to automate labeling and automate markings, understanding the typical documents you use helps to create a template. This enables Azure Information Protection to do all the work.
What are some common AIP labels that contractors should use?
For the most part, the one I see the most is FOUO, for when you exchange information and need those parties to see it but don’t want anyone else to share it. This information is considered “confidential.” It doesn’t necessarily mean confidential from a DoD or federal perspective, but it might be confidential to your organization: for example, your financial information, HR information, or information from marketing proposals. A common AIP label specific to DoD/CMMC would be a label named “CUI,” followed by the name of the agency itself. If you’re dealing with multiple agencies, their definition may be a little different from one agency to another.
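As an added example (not code from the video, from KLC, or from Microsoft), here is the label structure Carl describes across the answers above: a parent “CUI” label with a visible header marking, a per-agency sublabel whose encryption travels with the document when it leaves the tenant, a policy that publishes both, and an auto-labeling rule that applies “CUI” when a scan finds Social Security numbers. It uses the Security & Compliance PowerShell cmdlets as I know them; the admin account, domain names and label names are assumptions, and parameter sets change between module versions, so check each cmdlet against current Microsoft documentation before running it.

```powershell
# Added example, not the page's own configuration. Account, domains and label
# names below are placeholders; cmdlet parameters should be verified against
# the current Security & Compliance PowerShell documentation.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder admin

# 1. Parent label "CUI": a header marking every Office document and email carries.
New-Label -Name "CUI" -DisplayName "CUI" `
    -Tooltip "Controlled Unclassified Information" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "CUI" `
    -ApplyContentMarkingHeaderAlignment Center `
    -ApplyContentMarkingHeaderFontSize 12 `
    -ApplyContentMarkingHeaderFontColor "#FF0000"

# 2. Agency sublabel ("CUI" followed by the agency name). Encryption is bound to
#    the file, so a copy that leaves the tenant still needs a key: only the two
#    listed domains can open it, and offline access expires after 7 days.
New-Label -Name "CUI-DoD" -DisplayName "CUI - DoD" -ParentId "CUI" `
    -Tooltip "CUI received from or produced for the DoD (placeholder agency)" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "CUI" `
    -ApplyContentMarkingFooterEnabled $true `
    -ApplyContentMarkingFooterText "Controlled by: DoD (placeholder)" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT;partner.example:VIEW" `
    -EncryptionOfflineAccessDays 7

# 3. Publish both labels to every mailbox so users pick from them rather than
#    working with unlabeled documents.
New-LabelPolicy -Name "CUI labeling policy" `
    -Labels "CUI","CUI-DoD" `
    -ExchangeLocation All

# 4. Automatic labeling: scan Exchange, SharePoint and OneDrive and apply "CUI"
#    where the built-in SSN sensitive information type matches. Start in
#    simulation mode and review the matches before switching -Mode to Enable.
New-AutoSensitivityLabelPolicy -Name "Auto-label SSN as CUI" `
    -ApplySensitivityLabel "CUI" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Policy "Auto-label SSN as CUI" -Name "SSN present" `
    -Workload Exchange,SharePoint,OneDriveForBusiness `
    -ContentContainsSensitiveInformation @{Name="U.S. Social Security Number (SSN)"; minCount="1"}
```

Run steps 1 to 3 in a test tenant first; step 4 stays in simulation until the reported matches line up with the user-driven inventory the answers above describe.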
KLC is a C3PAO company that provides NIST 800-171 and CMMC consulting solutions to defense industrial base companies.