In a 2018 report provided by the National Defense Industrial Association (NDIA), researchers found companies “severely underestimate(d) the costs of becoming compliant by as much as a factor of 10”. The burden of compliance is significant yet important, and businesses are considering ways to secure their information systems without breaking the bank. One area of cost savings at first glance: email only users. These individuals will likely only need a corporate email, which would reasonably lead IT leadership to purchase an Exchange Only license and carry on.

However, we advise contractors purchase Office 365 Advanced Threat Protection (ATP) and Enterprise Mobility + Security (EM+S) in addition to their Exchange license as a best practice for NIST 800-171 compliance. Without the proper understanding of NIST compliance requirements, it is easy to misinterpret the need for ATP & EM+S licensing. It is also reasonable to think consultants are trying to make a quick dollar by upselling.

Assuming these individuals are not entirely self-serving, let’s dive into this a little more using a friendly campfire analogy. S’mores. Purchasing an Exchange Only license is like having a s’more without the marshmallow & the graham. The marshmallow & the graham are necessary for the security and protection of the chocolate. They are the quintessential vessels that encompass and bring cohesion to the s’more as a whole. S’more explanation below.

What is Office 365 ATP & what are its benefits?

Office 365 ATP (the graham) is a cloud-based email filtering service that helps protect your company against unknown viruses and malware by providing substantial zero-day protection and includes features to protect your company from harmful links in real time. These capabilities are critical to meeting the NIST 800-171 control family 3.14 System and Information Integrity. Lastly, ATP and the other services within the EM+S stack are 'running' in Azure Government. Therefore, all data processing, scanning, and alerting mechanisms take place in the same DISA SRG Impact Level 5 (IL5) environment. Many third-party solutions are running analysis on your environments with computing in another country that does not meet your compliance requirements. It is important to finally note ATP cannot simply meet compliance requirements by 'turning it on'.

The ATP license has powerful reporting and URL trace capabilities that give administrators insight and clarity into the kind of attacks happening in your organization. The reporting capabilities, moreover, can cover the "actions of individual system users [to] be uniquely traced to those users so they can be held accountable for their actions" (NIST 800-171). ATP covers most Exchange architectures – rather on premises, Exchange Online, or Hybrid if configured properly. Listed below are some of the primary ways you can use ATP for email protection in your organization:

Provide time-of-click verification of URLs for malicious content in emails messages and continuous checks on email attachments for malicious content

Access the latest insights, recommendations, and alerts from a single pane dashboard provided by ATP

Attack Simulator features allow your team to run real-time assessments and identify new vulnerabilities (see NIST 800-171 3.11 Control Family). IT leadership can conduct phishing attacks, password-spray attacks, and brute-force attacks - not in GCC High yet - from the Security and Compliance Center and use the results of these simulated events to train employees (3.2 Control Family).

Two of the most powerful aspects of ATP are Safe Links and ATP Safe Attachments. Both features have the potential to protect your users at varying levels of cybersecurity awareness, and your data. With ATP Safe Attachments, all messages and attachments that do not have a known or pre-understood malware/virus signature will be routed to an environment where ATP can use various analysis techniques to detect malicious or harmful intent. If no harmful content or suspicious activity is found, the message and attachment will be released for delivery to the user’s mailbox. It’s like having your own personal TSA agent to search your emails and attachments before it lets them fly to your inbox.

What is EM+S and how can it help?

Microsoft defines their EM+S (the marshmallow) license as “An intelligent mobility management and security platform.” This license will help protect and secure your organization in ways that are vital to not only becoming NIST 800-171 compliant but also securing your employees and organization. EM+S is the perfect marshmallow because it provides the cohesive products you need to have a unified security front. Products included in EM+S, such as Intune, can keep your data S'more together by protecting your content when accessed on varying endpoints and applications (used to meet 3.1.1, 3.1.2, and 3.1.18). AAD and Multi-Factor Authentication are essential to identity-based security, and all user activities are tied to a specific identity and the validation of that identity.

Take AIP for example, Azure Information Protection allows your users to apply labels to various information sources including PowerPoint, Outlook (email files), Word and Excel. Labeling (physically and digitally) is vital to protecting CUI. Explicitly, 3.8 Control Family requires contractors to "limit access to CUI on system media to authorized users", and 3.1 "control CUI posted or processed on publicly accessible systems". It's unreasonable to expect a business to meet these requirements without some form of digital labeling.

Say, for instance, an email only user or even a full user wants to send an email with company proprietary or CUI Data. With AIP, he/she can apply a label (pre-designed by the administrator) to classify and protect the document. These labels can additionally include visible markings such as watermarks, footers or headers. If the user marks the file as “Confidential” and then “Classify and Protect” the document, the digital marking will allow document tracking to control and monitor who can access a document and when. Then, if it is suspected that a file might be put to wrong use, or distributed inappropriately, an administrator can revoke access to that document. This entire process can be automated as well based off of certain conditions.

In addition to AIP, all the features listed below are available with the Enterprise Mobility + Security license (some feature parity deviates in GCC High:(

Azure Active Directory

Microsoft Intune

Microsoft Cloud App Security

Azure Information Protection

Multi-Factor Authentication

Advanced Threat Analytics

Azure Advanced Threat Protection

Microsoft Privileged Identity Manager

A Quick Word on MCAS from Ben Curry

A Fair Shake

Admittedly, there are other third party software products that can handle elements of ATP and EM+S; yet, the introduction of these third party tools into your security and compliance strategy will likely incur more costs and risk. Administrators and managers within the organization will have to manage the individual integration points with the existing active directory, information systems, authentication products, etc.

The company will also be responsible for any updates, vendor relationships, and implementations per each individual product. Lastly, your compliance posture could be impacted by third party SaaS offerings hosting your security data for alerting and analytics in a non-compliant environment (i.e. not FedRAMP Moderate or not supportive of DFARS 7012 paragraphs C-G).

Through Microsoft or third party products, your Cybersecurity Maturity Model Certification (CMMC) level will greatly depend upon your organization's ability to stop threats across the enterprise. Don't allow email, or email-only users, to be your weakest link.

About the Author

Shawn is an enterprise communications and collaboration professional. Prior to Summit 7 Systems, Shawn supported NASA’s End User Service Office as a communications strategist and has served as a publications lead within various defense and aerospace companies. He graduated from the University of Alabama in Huntsville with undergraduate degrees in Physics and Communications, and Tennessee Tech University's MBA program in 2017. It is this technical know-how and ability to convey various subject matters to, both, technical and non-technical audiences that brought him to Summit 7 Systems. In addition, Shawn is a super user of Microsoft SharePoint and Office 365 and possesses a high degree of ITIL process improvement experience.