Microsoft GCC High: A Cloud Service for US Public Sector Customers

The Defense Industrial Base is required to implement NIST 800-171 and thus CMMC controls. CMMC’s Media Protection control family has a robust set of requirements for compliance. To that end, Microsoft GCC High is a cloud service offering that complies with the certifications and accreditations required for US public sector customers, such as CJIS Policy, CMMC, ITAR, FedRAMP High, and DFARS 7012. It provides data loss prevention features such as Azure Information Protection (AIP) and Office 365 Advanced Data Governance (ADG). Today we examine how Microsoft GCC High helps with CMMC Media Protection controls.

GCC High focuses on data loss prevention (DLP), a strategy that helps organizations prevent unauthorized access, use, disclosure, modification, or deletion of sensitive data. DLP can help organizations comply with legal or regulatory obligations, protect their intellectual property and reputation, and reduce the risk of data breaches or leaks.

Azure Information Protection: A Solution for Classifying and Protecting Data

Azure Information Protection (AIP) is a cloud-based solution that enables organizations to classify and protect their documents and emails by applying labels. Labels can be applied automatically based on content or manually by users. Labels can also enforce encryption, access control, and visual markings. AIP is available for GCC High customers.

AIP helps organizations achieve the following benefits:

  • Consistent and granular classification of data across different sources and platforms

  • Enhanced security and compliance by encrypting data at rest and in transit

  • Reduced human error by automating labeling based on predefined rules or keywords

  • Increased awareness and accountability by applying visual markings such as watermarks or headers to indicate sensitivity level

  • Simplified management and reporting by using a centralized dashboard to monitor and audit data activities

Office 365 Advanced Data Governance: A Solution for Managing Data Lifecycle

Office 365 Advanced Data Governance (ADG) is a cloud-based solution that helps organizations manage their data lifecycle and comply with legal or regulatory obligations. ADG provides features such as retention policies, disposition reviews, import service, event-based retention, records management, and intelligent classification. ADG is also available for GCC High customers.

ADG helps organizations achieve:

  • Improved compliance by preserving data for a specified period of time or based on an event trigger

  • Reduced risk by verifying whether data is eligible for deletion or requires further action

  • Optimized storage by importing legacy data from on-premises sources or third-party cloud services into Office 365 for consistent governance

  • Enhanced efficiency by identifying redundant, obsolete, or trivial data and suggesting actions to delete or archive them

How AIP And ADG Can Help With CMMC Control Family MP: Media Protection

CMMC Control Family MP: Media Protection covers the requirements for protecting information stored on physical media (such as hard drives, USB drives, or CDs) from unauthorized access, use, disclosure, modification, or destruction. CMMC Control Family MP: Media Protection consists of four practices:

  • MP.1.118 - Sanitize media prior to disposal or release for reuse.

  • MP.2.119 - Protect (i.e., physically control) system media containing CUI during transport outside controlled areas.

  • MP.2.120 - Limit access to CUI on system media to authorized users.

  • MP.3.122 - Mark media with necessary CUI markings.

AIP and ADG can help companies comply with these practices by ensuring that sensitive data is properly labeled, encrypted, controlled, retained, and disposed of according to the requirements of the CMMC framework. For example:

  • AIP can automatically label documents containing Controlled Unclassified Information (CUI) based on predefined rules or keywords. It can encrypt CUI documents with Azure Rights Management Service (RMS) and restrict access to authorized users or devices. It can also apply visual markings such as watermarks or headers to CUI documents to indicate their sensitivity level.

  • ADG can create retention policies to preserve CUI documents for a specified period of time or based on an event trigger.

  • ADG can create disposition reviews to verify whether CUI documents are eligible for deletion or further action.

  • Practice MP.1.118: Sanitize media prior to disposal or release for reuse.

    • AIP can encrypt data with RMS and revoke access when media is no longer needed.

    • ADG can delete data according to retention policies and disposition reviews.

  • Practice MP.2.119: Protect (i.e., physically control) system media containing CUI during transport outside controlled areas.

    • AIP can encrypt data with RMS and restrict access to authorized users or devices.

    • ADG can preserve data according to retention policies and event-based triggers.

  • Practice MP.2.120: Limit access to CUI on system media to authorized users.

    • AIP can encrypt data with RMS and restrict access to authorized users or devices.

    • ADG can apply records management policies to CUI data and prevent unauthorized modification or deletion.

  • Practice MP.3.122: Mark media with necessary CUI markings.

    • AIP can apply visual markings such as watermarks or headers to indicate sensitivity level.

    • ADG can use intelligent classification to identify CUI data and suggest appropriate labels.

To conclude, Microsoft GCC High offers a robust set of tools and data loss prevention features, such as AIP and ADG, to help US public sector customers comply with CMMC Control Family MP: Media Protection. By using AIP and ADG, organizations can classify, protect, manage, and dispose of their sensitive data on physical and digital media in a secure and compliant manner. Microsoft GCC High is a trusted partner for data governance in the cloud, and TechAxia is a trusted and proud partner, offering GCC High implementation and CMMC compliance services.

Need help with GCC High? Reach out to TechAxia to learn more.
