In a 2018 report provided by the National Defense Industrial Association (NDIA), researchers found contractors “severely underestimate(d) the costs of becoming compliant by as much as a factor of 10”. The burden of compliance is significant yet important, and contractors are considering ways to secure their information systems without breaking the bank. One area of cost savings at first glance: Users supporting the Department of Defense (DoD) directly and working on Government furnished machines and systems. These individuals will likely only need a corporate email, which would reasonably lead IT leadership to purchase an Exchange Only license and carry on.
However, we advise contractors purchase Microsoft Defender for Office 365 (Defender for Office 365) and Enterprise Mobility + Security (EM+S) in addition to their Exchange license as a best practice for NIST 800-171 compliance. (In October 2020, the name Office 365 ATP was changed to Microsoft Defender for Office 365. Learn more about the name change here.) Without the proper understanding of NIST compliance requirements, it is easy to misinterpret the need for Defender for Office 365 & EM+S licensing. It is also reasonable to think consultants are trying to make a quick dollar by upselling.
Consultants Like These
Assuming the above individuals are not entirely self-serving, let’s dive into this a little more using a friendly campfire analogy. S’mores. Purchasing an Exchange Only license is like having a s’more without the marshmallow & the graham. The marshmallow & the graham are necessary for the security and protection of the chocolate. They are the quintessential vessels that encompass and bring cohesion to the s’more as a whole. S’more explanation below.
What is Defender for Office 365 & what are its benefits?
Defender for Office 365 (the graham) is a cloud-based email filtering service that helps protect your company against unknown viruses and malware by providing substantial zero-day protection and includes features to protect your company from harmful links in real time. These capabilities are critical to meeting the NIST 800-171 control family 3.14 System and Information Integrity. Although, it is important to understand Defender for Office 365 cannot simply meet compliance requirements by 'turning it on'.
The Defender for Office 365 license has powerful reporting and URL trace capabilities that give administrators insight and clarity into the kind of attacks happening in your organization. The reporting capabilities, moreover, can cover the "actions of individual system users [to] be uniquely traced to those users so they can be held accountable for their actions" (NIST 800-171). Defender for Office 365 covers most Exchange architectures – rather on premises, Exchange Online, or Hybrid if configured properly. Listed below are some of the primary ways you can use Defender for Office 365 for email protection in your organization:
- Provide time-of-click verification of URLs for malicious content in emails messages and continuous checks on email attachments for malicious content
- Access the latest insights, recommendations, and alerts from a single pane dashboard provided by Defender for Office 365
- Attack Simulator features allow your team to run real-time assessments and identify new vulnerabilities (see NIST 800-171 3.11 Control Family). IT leadership can conduct phishing attacks, password-spray attacks, and brute-force attacks - not in GCC High yet - from the Security and Compliance Center and use the results of these simulated events to train employees (3.2 Control Family).
Two of the most powerful aspects of Defender for Office 365 are Safe Links and Safe Attachments. Both features have the potential to protect your users at varying levels of cybersecurity awareness, and your data. With Safe Attachments, all messages and attachments that do not have a known or pre-understood malware/virus signature will be routed to an environment where Defender for Office 365 can use various analysis techniques to detect malicious or harmful intent. If no harmful content or suspicious activity is found, the message and attachment will be released for delivery to the user’s mailbox. It’s like having your own personal TSA agent to search your emails and attachments before it lets them fly to your inbox.
What is EM+S and how can it help?
Microsoft defines their EM+S (the marshmallow) license as “An intelligent mobility management and security platform.” This license will help protect and secure your organization in ways that are vital to not only becoming NIST 800-171 compliant but also securing your employees and organization. EM+S is the perfect marshmallow because it provides the cohesive products you need to have a unified security front. Products included in EM+S, such as Intune, can keep your data S'more together by protecting your content when accessed on varying endpoints and applications (used to meet 3.1.1, 3.1.2, and 3.1.18). AAD and Multi-Factor Authentication are essential to identity-based security, and all user activities are tied to a specific identity and the validation of that identity.
Take AIP for example, Azure Information Protection allows your users to apply labels to various information sources including PowerPoint, Outlook (email files), Word and Excel. Labeling (physically and digitally) is vital to protecting CUI. Explicitly, 3.8 Control Family requires contractors to "limit access to CUI on system media to authorized users", and 3.1 "control CUI posted or processed on publicly accessible systems". It's unreasonable to expect a business to meet these requirements without some form of digital labeling.
Say, for instance, an email only user or even a full user wants to send an email with company proprietary or CUI Data. With AIP, he/she can apply a label (pre-designed by the administrator) to classify and protect the document for the user. These labels can additionally include visible markings such as watermarks, footers or headers. If the user marks the file as “Confidential” and then “Classify and Protect” the document, the digital marking will allow document tracking to control and monitor who can access a document and when. Then, if it is suspected that a file might be put to wrong use, or distributed inappropriately, an administrator can even revoke access to that document. This entire process can be automated as well based off of certain conditions.
In addition to AIP, all the features listed below are available with the Enterprise Mobility + Security license (some feature parity deviates in GCC High):
- Azure Active Directory
- Microsoft Intune
- Microsoft Cloud App Security
- Azure Information Protection
- Multi-Factor Authentication
- Advanced Threat Analytics
- Microsoft Defender for Identity
- Microsoft Privileged Identity Manager
A Quick Word on MCAS from Ben Curry
A Fair Shake
Admittedly, there are other third party software products that can replace elements of Defender for Office 365 and EM+S; yet, the introduction of these third party tools into your security and compliance strategy will likely incur more costs and risk. Administrators and managers within the organization will have to manage the individual integration points with the existing active directory, information systems, authentication products, etc.
The company will also be responsible for any updates, vendor relationships, and implementations per each individual product. Lastly, your compliance posture could be impacted by third party SaaS offerings hosting your security data for alerting and analytics in a non-compliant environment (i.e. not FedRAMP Moderate or not supportive of DFARS 7012 paragraphs C-G).
Through Microsoft or third party products, your Cybersecurity Maturity Model Certification (CMMC) level will greatly depend upon your organization's ability to stop threats across the enterprise. Don't allow email, or email-only users, to be your weakest link.