Aerospace and defense business meets new federal regulations with Microsoft 365 and Summit 7

Published on May 15, 2020

Summary

Integration Innovation, Inc. (I3), a leading engineering and technology services company in the Aerospace and Defense industry, worked with Summit 7 Systems (S7) to deploy a Microsoft 365 US Government Community (GCC) High tenant with the intention of meeting NIST 800-171, Controlled Unclassified Information (CUI), and International Traffic in Arms Regulations (ITAR) requirements.

Challenge

I3 was conducting its operations on Google’s G-Suite platform and used disparate file shares for unique standalone projects or business units. Additionally, this 500-person business needed advanced security features found in Microsoft 365 to defend against increasing cyber-attacks and meet the compliance requirements of Defense Acquisition Regulation Supplement (DFARS) 252.204-7012. I3 wanted a platform with native identity and device management capabilities, along with a partner to guide them through securing information systems used to support the Department of Defense (DoD).

Another complexity facing I3 and their deployment into Microsoft 365 GCC High was the spectrum of sensitive data their user base interacted with on a regular basis. I3’s compliance requirements included data and document labeling mandates. To meet these compliance requirements, I3 needed to migrate from Google’s G-Suite platform and their disparate file shares to a more secure FedRAMP Moderate cloud platform and configure a unified labeling strategy.

Strategy

To be compliant with DFARS, on-premises and cloud systems must be hosted on a DISA Level 4 and FedRAMP Moderate certified environment. Summit 7 addressed the first hurdle for DFARS and NIST transformation by suggesting the Microsoft 365 GCC High platform as part of the Agreement for Online Services-Government (AOS-G) program. This environment uniquely meets FedRAMP High and allows proper incident reporting to the DoD, unlike other cloud platforms, such as Google’s G-Suite.

I3 and S7 mapped the 110 security controls within NIST 800-171 to more than 750 respective configurations within GCC High, Azure Government, and Enterprise Mobility Security (EM+S). The solution included an initial configuration of Azure Active Directory (AAD) and AAD Connect, along with Multifactor Authentication, to complete a NIST-compliant identity management approach. Additionally, I3 established Data Loss Prevention (DLP) policies, Advanced Threat Protection (ATP), and Azure Information Protection (AIP) policies to label CUI properly and apply adequate security to documents and data. I3’s solution concluded with an Enterprise Mobility – Intune rollout with Mobile Device Management (MDM) and Mobile Application Management (MAM) profiles and policies, along with Conditional Access Policies.

A concern I3 faced in handling CUI within a cloud platform was the number of places data and content can be stored across Microsoft Teams, OneDrive, SharePoint, and more. NIST requires businesses to secure sensitive data within all containers, restrict access to it, know who is accessing it and when, alert administrators when bad actors are attempting to access it, and more.

By configuring the Microsoft 365 GCC High tenant, workloads within the platform, and EM+S products like AIP, I3’s users can more freely store CUI across their data estate (Microsoft 365, Azure Government, and unique workloads integrated for on-premises and hybrid architecture) without concern about failing a regulatory audit. Moreover, I3 benefited from this solution by allowing their users to use the platform to its fullest without compromising compliance. I3’s user base increased Teams usage quarter over quarter within the 12 months after deployment, which continues to date.

Results

With the NIST Implementation Solution, I3 realized benefits from consolidating information systems, integrating authentication across all data sources, and providing a single pane of security without the need for multiple security products and vendors. I3 was able to reduce its cloud and security vendor portfolio from five to one because Summit 7 was able to provide the right licensing and services to meet its security and compliance goals.

Without S7’s expertise, I3 was expecting to hire additional staff at nearly $300,000 in expenses and dedicate thousands of additional hours in research and planning to migrate from their existing Google environment and to properly secure their new Office 365 environment to NIST standards. At project completion, the I3 lead explained that, “Moving to a new cloud environment was necessary, albeit daunting with the number of control complexities and data sources. Summit 7 handled our implementation and compliance with ease.”