Controlled Unclassified Information Compliance with Microsoft 365

Department of Defense contractors must meet Controlled Unclassified Information (CUI) requirements on the corporate data they are working with. As more regulations keep coming from the government, companies leveraging Microsoft 365 (M365) have been trying to figure out the best approach to meet the requirements within their environment. Learn how you can meet controlled unclassified information compliance with Microsoft 365.

We have been able to fulfill this requirement via solutions we built within Microsoft 365 which works on both Commercial and Government Community Cloud (GCC) tenants. In this blog, I will specifically address the topic of ensuring that CUI emails can only be sent to CUI eligible recipients using out-of-the-box capabilities.

The first key item is to have structured and up-to-date citizenship data for all your workers within your source Human Resources Information System (HRIS). Since this data is separate from the technical implementation and this process will be time-consuming, you should absolutely kick this off early on while you work on a technical implementation in the meantime.

As most organizations are still on their journey to the cloud, let’s assume here that you are in hybrid mode with on-premises Active Directory (AD) identities synced to Azure AD.

As a next step, you will document your workflow and implementation processes from your HRIS system to a target where data can be easily leveraged within Microsoft Cloud. Specifically, this will allow you to sync your CUI citizenship eligibility data to an on-premises AD.

For this purpose, you can leverage an unused on-premises AD attributes, synced via Azure AD Connect. If your company must meet other countries’ requirements and you want to minimize the number of custom attributes for this, you can use a single attribute to accommodate all use cases.

Lastly, you can leverage Mail Flow rules in Exchange Online to block non-CUI eligible recipients from receiving CUI content.

Keep in mind that you might require an audited bypass method that your users might need to use in some instances. We also believe it is important for the user to be able to check on CUI eligibility for their internal recipient prior to sending a CUI email. Withum has been able to customize both Outlook on the web and Outlook Desktop clients to provide that capability to end users.

As you can see, the solution has multiple moving pieces: one involving HR and a population effort of the CUI eligibility data and the other one being the technical implementation. Let’s not forget that piloting this in your environment will be key to a successful implementation along with end-user guides, training sessions and communication plans.

This implementation can be a lengthy process timewise so please plan accordingly when setting up expectations. Ensure your tenant is compliant when going through an audit by kicking this process off early on. Finally, you can rest assured that M365 is the proper toolset to meet your compliance requirement.