There are a lot of questions surrounding the DFARS requirements for DoD Contractors. What does it mean for your business? What happens if you're not compliant in time? (Still not compliant? Check out parts 1-5 of this series) To help guide you through the process, here are some questions and answers that you may need to know.
41. Is there anything in Office 365 that prevents new features from becoming active by default?
Office 365 is a Software as a Service, so you will not be able to avoid new features or configuration options indefinitely. You do have some control over how quickly you receive changes through the release options settings in Office 365. Microsoft will notify users of significant updates through the Public Roadmap and then through the Office 365 Message Center. As part of your tenant administration, you can choose Targeted Release (Ring 3) or Standard Release (Ring 4). The default for feature release is Standard.
Please keep in mind that these release settings do not affect the Office 365 Clients. This is a separate release channel that must be managed. Managing Office 365 requires new patterns and practices within an IT organization as well as a concerted effort to maintain leading edge knowledge about the direction that Microsoft is headed from both a feature and security standpoint. Failure to maintain this knowledge may result in a poor user experience and unintended expansion of your organization's attack surface.
42. I am moving as much as I can to Office 365, but what about my systems with CUI that can't go into Office 365? If I have servers in my facility today that have CUI, do I have to move them to a new environment?
Yes. All components of an Information System that processes CUI must be properly secured to NIST 800-171 standard, regardless of their location in Office 365 or on premises.
43. Are the Office 365 default policies compliant with NIST 800-171?
No. Office 365 may be configured to NIST 800-171 standards, but it takes an appropriate mixture of policy, feature selection, licensing, and configuration to ensure that you are properly configured.
44. Are there any updates on Office 365 GCC High with respect to feature limitations or user minimums?
Microsoft is constantly updating the feature set in GCC High. As an example, just recently all of the administration consoles have appeared. The 500 user count minimum is still in effect, but there is an active movement within the GCC High team to drop the user minimums, although specific levels and timing have not been officially released.
45. Is there guidance addressing labeling by the government? CUI vs. Procurement "sensitive"?
Please see the marking guidance released from the government here:
46. How are companies handling mobile devices with CUI? Can Office 365 monitor CUI on personal devices?
Yes, Office 365 can manage CUI on mobile devices (corporate owned or personal) given the appropriate licensing and configuration. We see companies with a range of policies on mobile devices. Some only allow corporate owned devices while others allow both corporate and personal devices. Either method requires the appropriate policies, licensing, and configuration to ensure both security and compliance.
Be sure to subscribe and get notified when there's a new post, or check back soon for the next post in the series!