There are a lot of questions surrounding the upcoming DFARS requirements for DoD contractors. What does it mean for your business? What happens if you are not compliant in time? To help guide you through the process, here are some questions and answers that you may find useful.
35. What are your thoughts on using a product like Duo for MFA vs. Microsoft's MFA?
Duo and other third-party MFA solutions can be a great choice if you need them. Microsoft's MFA solution works well if you are primarily cloud focused and do not need MFA for other IT systems outside Office 365.
36. Is it possible to isolate CUI to a SharePoint site collection and make that the boundary? That way only E3-licensed users would use that collection, and we would be compliant?
No, this is not an appropriate method for compliance. You must focus on securing the information system as a whole, not a specific container within it.
37. What is the difference between E3 and E1?
The short answer is that E3 includes many features, such as Data Loss Prevention, as part of the base license; these features are not available as add-on licenses for E1.
38. Where in NIST is DLP called out?
The need for DLP is called out in the controls within the Incident Response and System and Communications Protection families and, depending on interpretation, in portions of System and Information Integrity.
39. Why is E3 considered the base Office 365 plan? For example, besides lacking the Lockbox add-on, what makes Essentials not a viable platform? As you know, Enterprise Mobility + Security E3/E5 can be added to Essentials. Obviously, Office 365 Business Essentials represents a more cost-effective solution for small businesses with under 300 users. Does it all revolve around the lack of Lockbox?
The major capabilities that Essentials does not provide are Data Loss Prevention and eDiscovery.
40. With regard to integration of older Office products like Office 2010, does the use of Microsoft "Application Passwords" present a problem for 171 compliance, as it bypasses MFA?
Yes, in the strictest sense, application passwords are a bypass of the multifactor authentication capabilities within Office 365. If you are moving to Office 365 and have a requirement for MFA, it is highly recommended that you upgrade your clients to Office 2016, which supports modern authentication and therefore multifactor authentication.
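As an added example (not part of the original FAQ or any Microsoft documentation), the following PowerShell script reports recent sign-ins that used legacy authentication, which is the path application passwords depend on. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module) is installed, that the account has permission to read the sign-in logs, and that the tenant license tier exposes those logs; the set of "modern" client values and the seven-day window are choices made for this example.

```powershell
# Added example: find users whose clients still sign in with legacy (basic) authentication.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports) and sign-in log access.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Sign-in log values that indicate modern authentication; anything else
# (IMAP4, POP3, Exchange ActiveSync, "Other clients", ...) is a legacy client.
# This list is an assumption of the example based on the sign-in log categories.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

# Look back seven days (example window); the filter uses the Graph createdDateTime field.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

# Keep only sign-ins whose client type is not in the modern list.
$legacy = $signIns | Where-Object {
    $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed)
}

# Summarise per user and client type so the upgrade list (Office 2016 or later) is clear.
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object @{ n = 'User';      e = { $_.Group[0].UserPrincipalName } },
                  @{ n = 'ClientApp'; e = { $_.Group[0].ClientAppUsed } },
                  Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run the script before and after the client upgrade: once the report is empty, a Conditional Access policy that blocks legacy authentication clients can be enforced without locking anyone out, and application passwords can be retired.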