Posted on

Does your agency cope with citizen information? Read our free ebook “How You Can Manage Federal Citizen Information In Microsoft Teams” today!


This is actually the fifth installment inside a series addressing the difficulties facing the DOD because they transfer to Microsoft 365. Others are here:

The final installment of the blog series addressed the requirement for proper Records Management within each Dod (DoD) agency, especially as remote work diminishes novel and much more commonplace. Metadata mapping, documentation, tagging, and management is crucial however, security must extend governance efforts to make sure compliance after migration. DoD agencies and executive offices will also be being requested presently through the Committee on Military to evaluate how their internal enterprise cybersecurity hygiene matches to the new Cybersecurity Maturity Model Certification (CMMC) standards.

Digital Labelling Pre and post Migration

Organizations moving to Microsoft 365 in the Commercial Virtual Remote (CVR) atmosphere or any other cloud tenants should create a labeling technique for content within the new tenant, but additionally ensure existing tags and labels aren’t lost along the way. A grave concern many agencies face today isn’t the lack of content around it’s the lack of security throughout the transition. Particularly, personal files or file set formerly available to a number of select individuals could gain default permissions and configurations upon migration – departing the file or file set susceptible to much better access or export.

Digital labeling is really a growing complexity in modern organizations and stretches previous physical media needs, whereas protections and policies will be in place and largely adopted among the DoD for pretty much a hundred years. Physical media requires specific labels be relevant to printed documents, storage devices (USB, CD, etc.), and much more. The lifecycle and possible export scenarios of information within the cloud are much more complex and practically numerous.

At Work 365 alone—or Microsoft 365—a user can share personal files from OneNote, SharePoint, OneDrive, and Microsoft Teams or accidently display Controlled Unclassified Information (CUI) using a PowerBI dashboard, for instance. Third-party and native tools exist to treat these scenarios and wish additional strategy discussions.

For example, CUI will need drastically different labeling and protections than classified data or Federal Contract Information (FCI). Your business must define an agenda for every data key in Microsoft 365:

  • What’s going to users have to access this data type? What Microsoft Groups and Teams do these users align with?
  • Which side users access this data type as well as on what devices or endpoints?
  • Must we log interactions with this particular data type?
  • What retention standards affect this data type?

microsoft 365

Unified Labeling in Microsoft 365

For contemporary agencies, lengthy the days are gone where files were maintained behind firewalls or site/folder-level permissions offered because the frontline of defense for data protection. These questions above and also the resulting needs will drive your Unified Labeling policies to safeguard data because it traverses cloud applications and platforms. Unified Labeling may be the Microsoft 365 and Azure native suite of digital tagging tools composed of Azure Information Protection (AIP), Microsoft 365 Retention, and Sensitivity Labels. AIP formerly offered because the engine for labeling in Microsoft 365 GCC High and DoD but has become moving in to the Unified Labeling client this season.

Organizations can make and apply sensitivity labels to files in the Unified Labeling client and lots of other native locations, for example SharePoint or OneDrive. When a sensitivity label is used to some specific file, the file could be instantly encrypted and watermarked, and limitations could be focused on access. A labeled file contains specific metadata that’s then utilized by other effective products within the Microsoft 365 and Azure stack like Loss Of Data Prevention (DLP) to avoid accidental or malicious transmission of sensitive content.

This capacity directly ties into agency-wide needs present in NIST 800-53 and elsewhere. For example, NIST 800-53 claims that a “subject that’s been granted use of details are restricted from passing the data to unauthorized subjects… altering a number of security attributes on subjects… [and] granting its rights with other subjects.”

DoD rules require the use of sensitivity labels to guarantee the right individuals have access to the best files or data in the proper time, but individuals variables can alter. What might be suitable for one person presently might not be suitable for viewing or editing as time passes. Furthermore, users may gain or lose elevated rights within an organization as restructuring occurs or new projects spin up. Therefore, modern document or data management concentrates on item-level security and proper identity management by using Microsoft 365 Groups and proper Azure Active Directory configurations.

Get yourself ready for Unified Labeling in Microsoft 365 DoD

DoD Agencies and particular Offices should map their different access control scenarios to data types and see the way they will apply sensitivity labels and/or third-party tagging technologies. At this moment, a person or administrator can use just one sensitivity label to some file—not multiple. Some organizations may operate without resorting to multi-label scenarios however, many DoD agencies communicate and collaborate around data with several layers of control. Just one file could have CUI-General, FOUO, FOIA, export control, PII, and personnel records. As a result, a subset of users might be allowed to gain access to CUI but don’t need to use of CUI that contains financial or personnel records.

Another consideration for agencies searching to deploy Unified Labeling in Microsoft 365 DoD is feature parity, or even the accessibility to certain abilities when compared to commercially accessible platform. The DoD lately announced the JEDI contract award to Microsoft after several models of arduous protests, which contract and eventual cloud rollout function as a manifestation of optimism for feature parity.

Have questions regarding labeling in M365 DoD? Read this publish: Click To Tweet

Microsoft will result in releasing features to Microsoft 365 GCC, GCC High, and DoD within a short while period after which makes them Generally Available (GA) available platform offering. At this moment, the constraints of Unified Labeling and AIP particularly are highlighted below based on Microsoft’s documentation.

  • Document tracking and revocation are presently unavailable.
  • The classification and labeling add-in are just supported for Microsoft 365 Apps (version 9126.1001 or greater). Office 2010, Office 2013, along with other Office 2016 versions aren’t supported.
  • Information Legal rights Management (IRM) is supported just for Microsoft 365 Apps (version 9126.1001 or greater). Office 2010, Office 2013, along with other Office 2016 versions aren’t supported.
  • Discussing of protected documents and emails to users available cloud isn’t presently available. Includes Microsoft 365 Apps users available cloud, non-Microsoft 365 Apps users available cloud, and users by having an RMS for people license.
  • Information Legal rights Management with SharePoint Online (IRM-protected sites and libraries) is presently unavailable.
  • The Legal rights Management Connector is presently unavailable.
  • The Mobile Phone Extension for AD RMS is presently unavailable.

Lastly, define the brand new labels essential for your command’s enterprise and just what individuals inside your organization can make custom labels. Default labels, proven below, will probably are unsuccessful and wish adjustments or additions:

  • Personal
  • Public
  • General
  • Private
  • Highly private

The Next Finest Export Risk is Digital

A notion persists that users are actually more apt or able to discussing files outdoors from the organization in this new normal. However, before the pandemic, many DoD IT leaders couldn’t provide complete information on the location or digital lifecycle of the sensitive document when requested (who produced the file where, that has utilized the file since origination, where and when could it have been utilized, and just what changes were created on the way or no).

Instructions transitioning to Microsoft 365 must depend on Microsoft’s native abilities along with other third-party applications to secure digital lifecycle of the file at each point on the way and fully monitor export controls for compliance and national security.


Maintain all of our Microsoft 365 coverage by registering to our blog!