HSPLS-Background.jpg
archTIS-logo-2021_Teal.png

archTIS Partner Case Study

Summary Data

Implementing NC Protect to seamlessly manage CUI in SharePoint at a defense supply chain manufacturer

Industry

Aerospace.png

Manufacturing / Defense Supply Chain

Geography

USA.png

USA

United-Kingdom.png

UK

Australia.png

Australia

Consulting

CMMC-COE-logo.png

CMMC Compliance

CUI-White.png

CUI Management

technologies

dd6m9ua-33b0ac57-85fa-40f2-b8ad-6fd77d7b

SharePoint

archTIS-White.png

archTIS

Challenges/Goals

  • How to automate the management of Controlled Unclassified Information (CUI) to comply with numerous regulations for its safeguarding and dissemination controls.

Solution/Approach

  • NC Protect for SharePoint On-Premises

Benefits

  • Ensures compliance with CUI information handling requirements

  • Scans and identifies files with CUI and classifies them according to the CUI level

  • Restricts who in the organization can access documents containing CUI by classification and geolocation

  • Controls the type of access allowed: full or read-only

  • Applies a secure digital watermark with the current date, current user and CUI Level.

Background

Organizations in the Defense Industry Base (DIB) form an important part of the supply chain for government and defense. As a result, they store and collaborate on highly sensitive data known as Controlled Unclassified Information (CUI), that is subject to a variety of regulations depending on the nature of the information including NIST, CMMC and ITAR.

Accidental sharing of or theft of this information can have catastrophic business consequences. Defense contractors have been fined tens of millions of dollars for failing to control access to EAR and ITAR regulated data. Furthermore, they can impact more than just the bottom line - criminal penalties of 10 to 20 years in prison, depending on the regulation, are also possible.

With high value information at stake, employing a comprehensive data security solution to safeguard CUI and meet stringent information handling and sharing requirements is an essential part of any DIBs security protocols to ensure compliance. This DIB, a global manufacturer of aircraft accessories, needed a more automated way to identify and restrict access to conetent containing CUI in their SharePoint ob-premises environement.

Finding a Simpler way to manage CUI Compliance

With several military contracts and non-US based offices, this DIB has many regulations that they need to follow to ensure CUI in their possession is handled properly.

CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies including CMMC, NIST, DFAR and ITAR, among others. As there are fewer controls over CUI as compared to classified information, loss of CUI is one of the most significant risks to national security - making its protection critical. 

Managing CUI compliance manually would be extremely difficult to accomplish, so the DIB sought a solution to help automate the identification and classification of CUI in their SharePoint systems and help restrict access to it. Working with Synergy Corporate Technologies, a Microsoft Gold Partner, they chose NC Protect and worked directly with Synergy to evaluate and implement the product.

NC Protect Automates CUI Identification, Classification and Protection

NC Protect fit their requirements ands budget with its ability to scan files in SharePoint (Microsoft Office documents, PDFs, Images, etc.) for CUI and automatically classify them according to their CUI level. 

The document CUI level is determined by the affiliated Category Name, Category Marking or Banner Marking as defined by the requirements in 32 CFR Part 2002 "Controlled Unclassified Information".

Documents are classified as Level 1, 2, 3 or "noCUI" based on keywords that map to these requirements, with Level 1 as the most restrictive. Data protection policies are then dynamically applied by NC Protect based on the document's classification, the Active Directory (AD) group a user is in and what country the user is in (US or UK).

A user must be in either the US or UK group to see anything with CUI (by default a user cannot access CUI). Additionally, users in the UK group are not allowed to see any document classified as Level 1,2 or 3 if the document has been tagged "export controlled"> If it has an "export license" tag, then UK users may see and access it. 

The Level 1-3 groups can view documents at their level and below without restrictions in SharePoint (e.g. a Level 2 users wont see Level 1 documents). The restricted groups work the same but can only open the documents in NC Protect's secure viewer which prevents printing, copying, saving/downloading of the file (e.g. a Level 1 restricted user can only open Level 1 documents in the secure reader). The documents are also digitally watermarked by NC Protect with the current date, current user and CUI Level for additional security and auditing purposes.

NC Protect Provides a long term solution for cui management

With plans to move more content into SharePoint, NC Protect ensures it will be seamlessly managed for CUI. The DIB manufacturer can now collaborate with full confidence that CUI is automatically identified, properly classified and restricted based on the CUI compliance guidelines.

Images

archTIS Case Study - Images