Identifying CUI with Microsoft 365 For CMMC

    This blog covers how organizations can adequately identify the CUI in their existing I.T. environment using the Microsoft 365 platform for CMMC compliance.


    Microsoft Purview enables defense contractors to identify Controlled Unclassified Information in their IT environments in preparation for CMMC 2.0 compliance. The Department of Defense (DoD) requires organizations that handle or process Controlled Unclassified Information (CUI) to adhere to the data protection requirements of the Cybersecurity Maturity Model Certification (CMMC) framework; specifically, all organizations handling CUI will be required to meet CMMC 2.0 Level 2 compliance.

    CMMC is a data-centric standard intended to better protect the Federal Contract Information (FCI) and/or CUI that is distributed to or created by Defense Industrial Base organizations as a part of their contract with the government.

    In this blog, we’re going to cover how these Organizations Seeking Certification (OSC) can adequately identify the CUI in their existing I.T. environment using the Microsoft 365 platform. 

    The CMMC 2.0 maturity levels are defined below.

    CMMC Level Graphic

    When it comes to the CMMC framework, the scope of a CMMC assessment for an Organization Seeking Certification is dictated by the flow of CUI throughout the environment. Properly identifying all the locations where CUI resides within that environment is critical for OSCs who want to successfully pass upcoming CMMC assessments. Unfortunately, many OSCs fail to properly complete this task, leaving CUI with inadequate security and privacy controls, increasing the risk of unauthorized access and/or distribution. Furthermore, organizations have trouble identifying the CUI because of inadequate systems, out-of-date software, and the inability to consolidate efforts across the organization. 

    What Is CUI?

    Controlled Unclassified Information (CUI) is Federal non-classified information that the U.S. Government creates or possesses, or that a non-Federal entity (such as a Defense Industrial Base organization) receives, possesses, or creates on behalf of the U.S. Government.

    CUI is unclassified content that, as identified in a law, regulation, or government-wide policy, must be protected in a very specific manner both within and outside a government information system. CUI may require additional safeguarding or dissemination controls to be applied to limit access and exposure to unauthorized individuals.


    Identifying CUI with Microsoft Purview 

    Microsoft Purview is a unified data governance solution that allows organizations to manage and govern their on-premises, multi-cloud, and software as a service (SaaS) data. Microsoft Purview offers a content search capability that OSCs can leverage to perform keyword-driven searches of content within their Microsoft 365 environments to identify CUI. By performing a content search, OSCs can accurately map out their actual data flow and assessment scope, while providing critical information to make informed decisions surrounding the acquisition and implementation of products and services.

    Note: Microsoft Purview is leveraged via the Azure Government platform. The Azure Government infrastructure allows you to manage and secure your organization’s content and line of business applications in order to meet compliance mandates and cost constraints. Moreover, enabling Azure Gov creates a clear strategy for cost reduction and plans for a common identity (Azure Active Directory), unified cloud footprint, and governance for various user and data sets.

    What is Microsoft Purview’s Content Search? 

    One of the functions of Microsoft Purview is referred to as “Content search”. Content search provides a service in which organizations can register specific data sources. During registration, the data remains in its existing location, but a copy of its metadata is added to Microsoft Purview, along with a reference to the data source location. When appropriately leveraged, the features found within Microsoft Purview allow organizations to curate the metadata into dictionaries and catalogs, empowering them to discover, classify, and protect their assets.  

    The Content search tool in the Microsoft Purview compliance portal allows organizations to utilize the catalogs and dictionaries of metadata registered to quickly find an email in Exchange mailboxes, documents in SharePoint and OneDrive, and instant messaging conversations in Microsoft Teams.

    Microsoft Purview Content Search and CMMC Applications 

    CMMC requires organizations to classify their assets into one of five potential categories, and Microsoft Purview gives organizations the ammunition to make this possible. Classifying CUI defines the scope of an organization’s assessment, so it is critical that it is done properly. For each classification, the number of CMMC requirements that apply to the asset varies, and the determining factor for asset classification is the way in which the asset interacts with protected data. Below is a breakdown of the asset categories, their descriptions, and the CMMC assessment requirements associated with each.

    Asset Category: Controlled Unclassified Information (CUI) Assets
        Description: Assets that process, store, or transmit CUI
        CMMC Assessment Requirements: Assess against CMMC practices

    Asset Category: Security Protection Assets
        Description: Assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether these assets process, store, or transmit CUI
        CMMC Assessment Requirements: Assess against applicable CMMC practices

    Asset Category: Contractor Risk Managed Assets
        Description: Assets that can, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place. These assets are not required to be physically or logically separated from CUI assets.
        CMMC Assessment Requirements: Review the SSP in accordance with practice CA.L2-3.12.4. If appropriately documented, do not assess against other CMMC practices.

    Asset Category: Specialized Assets
        Description: Assets that may or may not process, store, or transmit CUI. Assets include government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment.
        CMMC Assessment Requirements: Review the SSP in accordance with practice CA.L2-3.12.4. If appropriately documented, do not assess against other CMMC practices.

    Asset Category: Out-of-Scope Assets
        Description: Assets that cannot process, store, or transmit CUI

    Microsoft Purview Content search is not only beneficial to OSCs trying to identify their data landscape and assessment scope; it can also validate the data flow controls they have already implemented, which is critical to passing upcoming assessments. CMMC control AC.L2-3.1.3 (Control CUI Flow) ultimately requires organizations to map out the flow of their CUI in accordance with the distribution authorizations approved by the organization. The organization will need to demonstrate the effectiveness of the security controls it has put in place to limit the distribution of CUI. Using Microsoft Purview Content search, the organization can analyze the search results to validate that the locations identified as having CUI present match the locations authorized to store CUI.

    How to Perform a Content Search Using Microsoft Purview  

    The following step-by-step instructions can be used by organizations to perform searches for CUI within their Microsoft 365 environments using the Content search capabilities of Microsoft Purview: 

    1. Go to the compliance portal (M365 Commercial/GCC) or (M365 GCC-High) and sign in using the credentials of an account that has been assigned the appropriate permissions. 
    2. In the left navigation pane of the compliance portal, click “Content search”. 
    3. On the Content search page, click “New search”. 
    4. Type a name for the search - an optional description helps identify the search. 
    5. On the “Locations” page, choose the content locations that you want to search. You can search mailboxes, sites, and public folders.

      1. Exchange mailboxes: Set the toggle to “On” and then click “Choose users, groups, or teams” to specify the mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups. You can also search the mailbox associated with a Microsoft Team (for channel messages) and Office 365 Groups. For more information about the application data stored in mailboxes, see Content stored in mailboxes for eDiscovery. 
      2. SharePoint sites: Set the toggle to “On” and then click “Choose sites” to specify SharePoint sites and OneDrive accounts to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft Team and Office 365 Groups. 
      3. Exchange public folders: Set the toggle to “On” to put all public folders in your Exchange Online organization on hold. You can't choose specific public folders to put on hold. Leave the toggle switch off if you don't want to put a hold on public folders. 
      4. Keep this checkbox selected to search for Teams content for on-premises users. For example, if you search all Exchange mailboxes in the organization and this checkbox is selected, the cloud-based storage used to store Teams chat data for on-premises users will be included in the scope of the search. For more information, see Search for Teams chat data for on-premises users. 
    6. On the “Define your search conditions” page, type a keyword query and add conditions to the search query if necessary. Organizations specifically focused on NIST 800-171 and CMMC 2.0 could use keywords such as CUI, ITAR, EAR, NOFORN, etc.  

      1. Specify keywords, message properties such as sent and received dates, or document properties such as file names or the date that a document was last changed. You can use more complex queries that use a Boolean operator, such as AND, OR, NOT, and NEAR. If you leave the keyword box empty, all content located in the specified content locations is included in the search results. For more information, see Keyword queries and search conditions for eDiscovery. 
      2. Alternatively, you can click the “Show keyword list” checkbox and type a keyword in each row. If you do this, the keywords on each row are connected by a logical operator (c:s) that is similar in functionality to the "OR" operator in the search query that's created. 
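    The same search can be run from Security & Compliance PowerShell, which is useful when the sweep has to be repeated or when the results need to be checked against the list of locations the SSP authorizes to hold CUI (the AC.L2-3.1.3 validation described earlier). The script below is an added example written for this post; it is not part of the original article or of Microsoft's documentation. It uses the ExchangeOnlineManagement module's Connect-IPPSSession, New-ComplianceSearch, Start-ComplianceSearch and Get-ComplianceSearch cmdlets; the search name, the keyword list and the authorized-location values are placeholders to adapt to your tenant, and the GCC High endpoint URIs are assumptions to verify against your own environment.

```powershell
# Added example: keyword sweep for CUI markings across Exchange, SharePoint/OneDrive
# and public folders, followed by a check of every location that returned hits
# against the locations the SSP authorizes to store CUI.
# Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement

# GCC High endpoints (assumed; verify for your tenant). Commercial/GCC tenants
# call Connect-IPPSSession with no URI parameters.
Connect-IPPSSession `
    -ConnectionUri 'https://ps.compliance.protection.office365.us/powershell-liveid/' `
    -AzureADAuthorizationEndpointUri 'https://login.microsoftonline.us/common/oauth2/authorize'

$searchName = 'CUI-Discovery-Sweep'   # placeholder name

# Keyword query in the same KQL form the portal's keyword box accepts; the terms
# are the ones suggested in step 6. Extend with contract-specific markings.
$query = '"CUI" OR "ITAR" OR "EAR" OR "NOFORN" OR "Controlled Unclassified Information"'

# Locations the SSP authorizes to hold CUI (placeholder values). Any other
# location that returns hits is a candidate AC.L2-3.1.3 finding.
$authorizedLocations = @(
    'https://contoso.sharepoint.us/sites/CUI-Enclave',
    'contracts-cui@contoso.us'
)

# Create the search once; re-running the script just restarts it.
if (-not (Get-ComplianceSearch -Identity $searchName -ErrorAction SilentlyContinue)) {
    New-ComplianceSearch -Name $searchName `
        -Description 'Keyword sweep for CUI markings across all M365 locations' `
        -ExchangeLocation All `
        -SharePointLocation All `
        -PublicFolderLocation All `
        -ContentMatchQuery $query | Out-Null
}

Start-ComplianceSearch -Identity $searchName

# Poll until the search reaches a terminal state (large tenants take a while).
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host ("Status: {0}  Items so far: {1}" -f $search.Status, $search.Items)
} while ($search.Status -notin @('Completed', 'PartiallySucceeded', 'Failed'))

# SuccessResults is one string of entries shaped like
#   "Location: <mailbox or site URL>, Item count: <n>, Total size: <bytes>"
# separated by semicolons. Parse it and keep only locations that had hits.
$pattern = 'Location:\s*(?<Location>[^,]+),\s*Item count:\s*(?<Count>\d+),\s*Total size:\s*(?<Size>\d+)'
$hits = [regex]::Matches($search.SuccessResults, $pattern) | ForEach-Object {
    $location = $_.Groups['Location'].Value.Trim()
    [pscustomobject]@{
        Location   = $location
        ItemCount  = [int]$_.Groups['Count'].Value
        SizeBytes  = [long]$_.Groups['Size'].Value
        Authorized = $authorizedLocations -contains $location
    }
} | Where-Object { $_.ItemCount -gt 0 }

# Report every location holding CUI-marked content, flagged against the SSP list,
# and keep a CSV as assessment evidence.
$hits | Sort-Object Authorized, ItemCount -Descending | Format-Table -AutoSize
$unauthorized = @($hits | Where-Object { -not $_.Authorized })
Write-Host ("{0} location(s) hold CUI-marked items outside the authorized set." -f $unauthorized.Count)
$hits | Export-Csv -Path ".\$searchName-locations.csv" -NoTypeInformation
```

    A keyword hit is evidence that a marking string is present, not proof that the item is CUI, so the unauthorized list is a review queue for the data owner rather than a finding on its own; the point of the script is to make the comparison between where CUI actually sits and where it is allowed to sit repeatable.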

    The information provided in this section has been extracted from the following Microsoft knowledge base article: Overview of Microsoft Purview Content search. 

    Next Steps for DoD Contractors 

    An organization's ability to properly identify CUI could be the single most important factor in successfully achieving a CMMC certification. It is impossible for an organization to properly control data flow and protect data if it cannot identify where the data resides. Microsoft Purview enables organizations to uncover their factual data landscape so they can effectively implement or improve their CUI protection policies and controls, ultimately helping organizations supporting the Department of Defense determine an accurate CMMC assessment scope. For more information about Microsoft Purview and handling CUI for CMMC compliance, you can contact Summit 7 here. 

    Jason Sproesser