archTIS Partner Case Study
Implementing NC Protect to seamlessly manage CUI in SharePoint at a defense supply chain manufacturer
Manufacturing / Defense Supply Chain
How to automate the management of Controlled Unclassified Information (CUI) to comply with numerous regulations for its safeguarding and dissemination controls.
NC Protect for SharePoint On-Premises
Ensures compliance with CUI information handling requirements
Scans and identifies files with CUI and classifies them according to the CUI level
Restricts who in the organization can access documents containing CUI by classification and geolocation
Controls the type of access allowed: full or read-only
Applies a secure digital watermark with the current date, current user and CUI Level.
Organizations in the Defense Industry Base (DIB) form an important part of the supply chain for government and defense. As a result, they store and collaborate on highly sensitive data known as Controlled Unclassified Information (CUI), that is subject to a variety of regulations depending on the nature of the information including NIST, CMMC and ITAR.
Accidental sharing of or theft of this information can have catastrophic business consequences. Defense contractors have been fined tens of millions of dollars for failing to control access to EAR and ITAR regulated data. Furthermore, they can impact more than just the bottom line - criminal penalties of 10 to 20 years in prison, depending on the regulation, are also possible.
With high value information at stake, employing a comprehensive data security solution to safeguard CUI and meet stringent information handling and sharing requirements is an essential part of any DIBs security protocols to ensure compliance. This DIB, a global manufacturer of aircraft accessories, needed a more automated way to identify and restrict access to conetent containing CUI in their SharePoint ob-premises environement.
Finding a Simpler way to manage CUI Compliance
With several military contracts and non-US based offices, this DIB has many regulations that they need to follow to ensure CUI in their possession is handled properly.
CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies including CMMC, NIST, DFAR and ITAR, among others. As there are fewer controls over CUI as compared to classified information, loss of CUI is one of the most significant risks to national security - making its protection critical.
Managing CUI compliance manually would be extremely difficult to accomplish, so the DIB sought a solution to help automate the identification and classification of CUI in their SharePoint systems and help restrict access to it. Working with Synergy Corporate Technologies, a Microsoft Gold Partner, they chose NC Protect and worked directly with Synergy to evaluate and implement the product.
NC Protect Automates CUI Identification, Classification and Protection
NC Protect fit their requirements ands budget with its ability to scan files in SharePoint (Microsoft Office documents, PDFs, Images, etc.) for CUI and automatically classify them according to their CUI level.
The document CUI level is determined by the affiliated Category Name, Category Marking or Banner Marking as defined by the requirements in 32 CFR Part 2002 "Controlled Unclassified Information".
Documents are classified as Level 1, 2, 3 or "noCUI" based on keywords that map to these requirements, with Level 1 as the most restrictive. Data protection policies are then dynamically applied by NC Protect based on the document's classification, the Active Directory (AD) group a user is in and what country the user is in (US or UK).
A user must be in either the US or UK group to see anything with CUI (by default a user cannot access CUI). Additionally, users in the UK group are not allowed to see any document classified as Level 1,2 or 3 if the document has been tagged "export controlled"> If it has an "export license" tag, then UK users may see and access it.
The Level 1-3 groups can view documents at their level and below without restrictions in SharePoint (e.g. a Level 2 users wont see Level 1 documents). The restricted groups work the same but can only open the documents in NC Protect's secure viewer which prevents printing, copying, saving/downloading of the file (e.g. a Level 1 restricted user can only open Level 1 documents in the secure reader). The documents are also digitally watermarked by NC Protect with the current date, current user and CUI Level for additional security and auditing purposes.
NC Protect Provides a long term solution for cui management
With plans to move more content into SharePoint, NC Protect ensures it will be seamlessly managed for CUI. The DIB manufacturer can now collaborate with full confidence that CUI is automatically identified, properly classified and restricted based on the CUI compliance guidelines.