A key vertical within the Defense Industrial Base (DIB) is the manufacturing sector. One of the unique aspects of this vertical with respect to security and compliance is that not all workers sit in an office cube behind a computer. Some employees, such as those who work on the shop floor, do not spend their day answering e-mail, working spreadsheets, or updating Word documents. These firstline workers typically do not possess a dedicated company-owned device (i.e., a laptop or desktop) but still need access to company content.
In addition, manufacturers within the DIB regularly encounter Controlled Unclassified Information (CUI), which subjects the content to CMMC 2.0. In many cases, this data is also subject to International Traffic in Arms Regulations (ITAR) requirements, which add a layer of data sovereignty restrictions to the data.
Providing the appropriate level of access, and where appropriate restricting access to data, is key to finding the right balance between security and compliance, costs, and employee workflow requirements. Considering the costs of a Microsoft 365 E5, or even the Microsoft 365 E3 license, organizations can save substantial amounts on licensing costs IF they can restrict access appropriately.
Setting Boundaries
The key to deploying strategies that involve lower-level licenses while meeting compliance requirements is to carefully review what information users will have access to and how they need to access it. By clearly defining the level and method of access, you can determine who is, and who is not, authorized to access CUI. This, combined with effective governance strategies, can lower costs and reduce the attack surface while maintaining compliance.
As organizations evaluate the proper strategy, they must consider the employees’ role, the data they should access, and, just as importantly, the data they could access. Some questions to guide the conversation include:
- What workloads do employees need access to?
- In what situations will (or could) they be exposed to CUI?
- What devices do they use to access data?
- How will authentication and authorization to devices be managed to ensure auditability is maintained?
- Do they need to communicate outside the organization?
- How will you protect the flow of CUI within the Microsoft 365 system?
- Are there on-premises hosted systems they need to access for CUI or ITAR data?
- How will you detect and respond to unintended spillage?
This blog will walk through several user scenarios and suggest strategies to meet each use case. We’ll consider scenarios that range from the least amount of access to the most.
Example #1: No Access
In some cases, companies decide that users simply do not need access to company content. The nature of their job doesn’t require them to have an e-mail account or access to Teams or SharePoint. This is simple and straightforward, as no access means no licensing is needed.
Benefits: Reduces user counts, IT costs, administrative burden and attack surface.
Drawbacks: Maintaining communications with employees can prove difficult. Simple administrative messages (e.g., benefits, scheduling, company notices) rely on maintaining personal e-mail addresses and navigating any concerns around sending privacy-related information to employees.
Licensing Impact: No licenses are needed.
Example #2: Internal E-mail Only
We see many cases where a company establishes an e-mail account for employees, but communications are limited to internal communications. The goal here is to maintain a channel for administrative notices and reduce the risk of external spillage, while not incurring the expense of a full license. In this scenario, the company will likely prohibit downloads and restrict the devices that can access e-mail.
Benefits: Companies establish a channel of communications, mostly for administrative notices and internal workflows. Prohibiting external communications (both send and receive) maintains the system boundary as data is not transferred outside of the organization and reduces the attack surface from external threats.
Drawbacks: Employees do not have access to OneDrive, Teams or SharePoint which prohibits them from participating in collaborative functions. For example, a company intranet or process redesign team is not an option for these employees.
Licensing Impact: Users can be assigned an e-mail-only license with either Exchange Online Plan 1 or Plan 2, depending on whether Data Loss Prevention or eDiscovery is required.
Example #3: Firstline Worker Access – No CUI
From a practical perspective, many companies want and need all employees to have some level of access to company content. However, given the nature of their role, they may not need access to CUI data within Microsoft 365.[1] In this scenario, access is enabled to Microsoft 365 services such as e-mail, OneDrive, Teams, and SharePoint. However, administrative measures must be deployed to ensure these users are not exposed to CUI. Technologies used to support this include:
- Data Loss Prevention
- Data Labeling and Classification
- Workspace Policies and Insight (third-party solution)
- Security Groups
This is perhaps the hardest scenario to deploy because the organization is essentially setting a system boundary within the Microsoft 365 environment and must configure methods to actively prevent internal users from accessing CUI.
Benefits: Employees can participate in non-CUI-related activities and collaboration.
Drawbacks: There is significant administrative burden to establish and maintain system boundaries within the interior of the environment. Monitoring and response to CUI access alerts can be time consuming. Third-party tools may be necessary to ensure governance is enforced.
Licensing Impact: The firstline worker license (F3) can be deployed to achieve access, but additional services may be required to maintain CUI system boundaries, especially at the workspace level. The F5 Security + Compliance add-on is also recommended.
Example #4: Firstline Worker CUI Access
In this scenario, employees have access to the full suite of collaboration services (e-mail, OneDrive, Teams, SharePoint) and are authorized to access CUI data.[2] This allows the organization to maintain the system boundaries at the perimeter of the Microsoft 365 environment and significantly eases the administrative burden of regulating the flow of CUI within the environment.
Benefits: Significant reduction of administrative burden allowing focus to be on managing and protecting the entire environment.
Drawbacks: More expensive from a licensing perspective, but still much less expensive than an E5/G5.
Licensing Impact: Beyond the standard Microsoft F3 license, additional licenses such as the F5 Security + Compliance add-on are required to bring the user’s security and compliance capabilities to parity with G5.
Bonus! Example #5: Teams Only
As the collaborative side of Microsoft Teams gains adoption, many work roles and use-cases can evolve from e-mail into chat-based communications. Teams offers the advantage of persistent chat as well as expanded capabilities such as file access, Planner and more.
With this approach, companies must adjust policies around workplace communications and make sure they are compliant with all HR-related requirements. However, this approach brings the organization into today’s preferred communication methods for the younger generation and can enhance productivity.
Benefits: Teams becomes the go-to source for broadcast, one-to-many, and one-to-one communications with employees. With a “modern” approach to work, companies can foster collaboration and achieve greater productivity improvements, especially with younger workers.
Drawbacks: This approach requires a cultural shift away from dependence on e-mail for communications. Changing culture is hard. Depending on whether these users have access to CUI data, there will either be governance challenges or licensing costs.
Licensing Impact – No CUI: If users are not authorized to access CUI, then the F1 license is a starting point. However, this will present system boundary and governance challenges to ensure that workers cannot access CUI. Note: auditors will want to see proof that these users cannot access CUI.
Licensing Impact – CUI Authorized: If the user is authorized to access CUI, there will be an additional license cost to augment the F1 license and add the capabilities required to achieve a compliant profile.
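The internal boundary described in Example #3, and the auditor’s question in Example #5 (can you prove non-authorized users cannot reach CUI?), both come down to a repeatable check that license assignments and group memberships agree with who is authorized. The following PowerShell is an added example, not code from the original post or from C3 Integrated Solutions. It assumes a simple model (an assumption, not something the post prescribes): CUI authorization is expressed by membership in a security group named `CUI-Authorized`, CUI-bearing Teams and SharePoint sites are gated by groups whose names start with `CUI-`, and the SKU part numbers for F1/F3 and the F5 Security + Compliance add-on are placeholders to be replaced with whatever your tenant reports. The sample user list is constructed inline so the check runs offline; in a real tenant you would populate it from Microsoft Graph (Get-MgUser, Get-MgSubscribedSku, Get-MgGroupMember).

```powershell
# Added example, not from the original post: verify that CUI access and
# frontline licensing agree with the organization's authorization model.
# All group names and SKU part numbers below are assumptions/placeholders.

$CuiAuthorizedGroup = 'CUI-Authorized'           # assumed authorization group
$CuiResourcePrefix  = 'CUI-'                     # assumed prefix for groups gating CUI sites/teams
$FrontlineBaseSkus  = @('M365_F1', 'SPE_F1')     # placeholders: replace with your F1/F3 SKU part numbers
$SecCompAddOnSkus   = @('SPE_F5_SECCOMP')        # placeholder: replace with your F5 Security + Compliance SKU

function Test-CuiLicenseBoundary {
    # Each user object needs: UserPrincipalName, Licenses (SKU part numbers), Groups (display names).
    param([Parameter(Mandatory)] [object[]] $Users)

    foreach ($u in $Users) {
        $isAuthorized = $u.Groups -contains $CuiAuthorizedGroup
        $cuiResources = @($u.Groups | Where-Object { $_ -like "$CuiResourcePrefix*" -and $_ -ne $CuiAuthorizedGroup })
        $hasFrontline = @($u.Licenses | Where-Object { $FrontlineBaseSkus -contains $_ }).Count -gt 0
        $hasSecComp   = @($u.Licenses | Where-Object { $SecCompAddOnSkus  -contains $_ }).Count -gt 0

        $finding = $null
        if (-not $isAuthorized -and $cuiResources.Count -gt 0) {
            # Example #3 boundary breach: a non-authorized user can reach a CUI-gated resource.
            $finding = "Not CUI-authorized but member of: $($cuiResources -join ', ')"
        }
        elseif ($isAuthorized -and $hasFrontline -and -not $hasSecComp) {
            # Examples #4/#5: CUI-authorized frontline users need the Security + Compliance add-on.
            $finding = 'CUI-authorized frontline user lacks F5 Security + Compliance add-on'
        }
        elseif (-not $isAuthorized -and $hasSecComp) {
            # Not a compliance problem, but licensing spend the post says can be avoided.
            $finding = 'Not CUI-authorized but holds F5 Security + Compliance add-on'
        }

        [pscustomobject]@{
            User          = $u.UserPrincipalName
            CuiAuthorized = $isAuthorized
            Licenses      = ($u.Licenses -join ',')
            Finding       = $finding
        }
    }
}

# Constructed sample data (not real accounts) covering the cases above.
$SampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'shop1@contoso.example'; Licenses = @('SPE_F1');                  Groups = @('All-Employees') }
    [pscustomobject]@{ UserPrincipalName = 'shop2@contoso.example'; Licenses = @('SPE_F1');                  Groups = @('All-Employees', 'CUI-Drawings-Site') }
    [pscustomobject]@{ UserPrincipalName = 'lead1@contoso.example'; Licenses = @('SPE_F1');                  Groups = @('All-Employees', 'CUI-Authorized', 'CUI-Drawings-Site') }
    [pscustomobject]@{ UserPrincipalName = 'lead2@contoso.example'; Licenses = @('SPE_F1', 'SPE_F5_SECCOMP'); Groups = @('All-Employees', 'CUI-Authorized', 'CUI-Drawings-Site') }
)

# Report only users with a finding; an empty table is the evidence an auditor asks for.
Test-CuiLicenseBoundary -Users $SampleUsers | Where-Object Finding | Format-Table -AutoSize
```

Run as written, shop2 is reported for reaching a CUI-gated group without authorization and lead1 for holding CUI authorization on an F3 license without the add-on; shop1 and lead2 produce no finding. Scheduling this check and keeping its output alongside your DLP and labeling configuration gives you a dated record that the internal boundary held, which is the proof the auditor question in Example #5 is about.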
Not every employee needs a full Microsoft 365 G5 license. However, the more you restrict access to data with the goal of reducing licensing costs, the more you will increase the administrative burden to enforce policies and/or progressively limit employees’ access to corporate resources.
Finding the right balance between security, compliance, business requirements, and licensing starts with evaluating the data users can and need to access. Combined with the appetite and ability to enforce system boundaries within the Microsoft 365 environment, the right licensing strategy can be deployed to achieve that balance.
Our team at C3 Integrated Solutions has worked with over 150 defense industry clients to help meet this challenge and we can help you design the right licensing strategy for all of your employees. Contact us today at info@c3isit.com to learn how we can help you build the right strategy.
[1] Employees may still access CUI-related content such as drawings, technical specifications, etc., from file shares or other sources.
[2] While users may not need access to CUI regularly, they are protected in the event that they are exposed to CUI.
Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry-leading partners. Bill is passionate about bringing cyber-awareness and cyber-maturity to the nation’s Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security and Office 365 integration services.