How Subcontractors Can Identify CUI Data in Google Workspace

‍

The US federal government has increasingly focused on supply chain security in recent years, which puts added pressure on subcontractors to not be the weakest link.

Due to the nature of federal contracts, government contractors typically possess data called Controlled Unclassified Information, or CUI, if they supply goods or services directly to the federal government. As a result, subcontractors—and even their subcontractors—often handle some of the same CUI data, which may be subject to various data privacy regulations.

Many subcontractors don’t realize the extent of CUI they possess—until they have to worry about an audit. Items such as contract terms, delivery terms, and product specifications are almost always CUI and deserve special protections. Unfortunately, many times the information isn’t identified or marked appropriately. Even if it is marked, it is often scattered across internal folders and repositories, as well as various cloud services like Google Workspace.

In this blog, we’ll explain how subcontractors can use Egnyte to discover CUI data in Google’s cloud-based collaboration and productivity software.

Why You Should use Egnyte to Protect CUI Data in Google Workspace

Subcontractors need to pay closer attention to data protections these days.The US Department of Defense, working with the National Institute of Standards and Technology (NIST), has developed a series of directives aimed at securing extended supply chains. One of those guidelines, NIST document 800-171, should be of particular importance to subcontractors, because it outlines best practices for protecting CUI outside federal systems. 

However, subcontractors often lack the resources to adequately implement these best practices. Moreover, CUI is notoriously difficult to find because it doesn’t always have the same markers or keywords associated with other regulated data.

That’s where Egnyte comes in. With Egnyte, you can quickly and easily set up custom policies to find CUI, even if it’s mingled with general business information. Egnyte can even find relevant data when it’s not a perfect match for a specific search, making sure you properly classify any files containing sensitive data.

And with the Egnyte platform, you can protect that data too, through safeguards that enforce your security policies and ensure compliance with directives like CMMC and NIST 800-171.

How to Find and Secure CUI data with Egnyte

To get started, you’ll need to use Egnyte’s Content Classification Engine. This powerful tool uses machine learning to classify files, enforce policies, and help you find your content faster.

Add Google Drive to Your Content Sources

In the Egnyte dashboard, open Secure & Govern, and then select the Content Sources tab. Egnyte will monitor files in on-premises and cloud-based sources, including Egnyte file servers and third-party platforms. 

You can pick from cloud services like Amazon S3, Box Storage, and Microsoft Azure Storage. To find CUI data in Google Workspace, click on Add Cloud Source and select Google Drive, which is the de facto storage for Google Workspace.

You’ll then be prompted to enter the appropriate Google credentials.  

Once the integration is complete, Egnyte will have access to the drive and can begin to monitor those assets and enforce policies.

Create Your Keyword List 

CUI varies widely, depending on the business. Because of this, Egnyte can’t create a predefined, universal list of sensitive keywords the same way it does for dozens of US and international security regulations, including GDPR and HIPAA. 

However, you can tailor the policies to suit your specific CUI needs. To do so, create a list that is applicable to your individual business by clicking on the Content Classification tab. Select Custom Keyword List, then click the Add custom keyword list button. 

You can manually enter the keywords, or import them with a simple CSV or text file. And while the system will scan for exact matches to specific keywords, it’s robust enough to cast an even wider net and catch CUI that might otherwise fall through the cracks. For example, it can:

• Identify CUI regardless of capitalization; the system is not case sensitive
• Recognize longer, multi-word phrases
• Find approximate matches that may be related to your chosen keyword
  

Be careful with words like "and" or "it," since they might yield too many hits to be useful. If your policies include marking CUI data in the header or footer, then include "CUI" in the keyword list.  In many cases, that may be all that is needed. 

You can revise the keywords later, and you can also create additional keyword lists.

Create a Policy

Next, go to Policies, which is found under Content Classification, and select Add Custom Policy. You can use a range of predefined and custom policies in Egnyte to classify content and manage content lifecycle. In this case, the custom policy will be used to find CUI data in Google Workspace.

Your new CUI policy can be as broad or as narrow as you choose. However, we recommend you include several related policies at first to make sure Egnyte can find all possible CUI. For example, if you’re working with the DoD or State Department, you should probably go to Sensitive Content Patterns and include several predefined lists of ITAR information.

Under Custom Keyword lists, include all keyword lists you have created that you wish to apply to the policy. If your organization uses standard document properties, or metadata, to identify CUI, you can also set that up as well. This could include information such as the subject or author.

It's also useful to include several types of documents that are likely to have CUI. This could include invoices, org charts, payroll documents, contracts, and more. The Egnyte AI can detect these documents by the way they are formatted and the information they contain. For example, contracts are likely to contain CUI because they may frequently contain product specifications.

You can also include more niche file types, such as .STEP, which is a common CAD file format.

Identify and Protect CUI information 

After you’ve made your selections, save the policy. Egnyte will begin scanning all repositories, including Google, for any information that matches any of the criteria you put into the policy.

After initial scans are complete, Egnyte will report the presence of CUI content on the Sensitive Content tab of the Secure & Govern page. There, you'll see all sensitive data located by Egnyte, and by clicking on an alert, Egnyte will recommend how to manage it.

However, you can do more than just find CUI with Egnyte—you can protect it, too. By selecting the Content Safeguards tab, you can control how your users will share CUI information. 

Here, you can create a safeguard policy aligned to the content policy you already created. It is recommended that you restrict sharing of CUI by only allowing a private link for specific content source users per CMMC and NIST 800-171 guidelines.

‍