Data Protection Requirements
Microsoft Purview Information Protection addresses four fundamental problems in regulated data environments:
- Discovery — Where is sensitive data? Content Explorer maps labeled content across SharePoint, OneDrive, Exchange, and Teams. The Purview Information Protection Scanner extends coverage to on-premises file shares.
- Classification — What is it? Sensitivity labels create a consistent taxonomy that travels with files regardless of location or sharing state.
- Flow Control — Where can it go? Data Loss Prevention (DLP) policies enforce boundary constraints — blocking external shares, email forwards, or clipboard paste based on label or content match.
- Encryption — Even if data leaves the boundary, sensitivity label encryption makes it unreadable without the right Entra ID identity and an active license in the issuing tenant.
CMMC Scope
For CMMC Level 2, Purview addresses the following controls within the information protection domain:
| CMMC Practice | Purview Mechanism |
|---|---|
| AC.L2-3.1.3 (CUI Flow Control) | DLP policies prevent CUI from being sent to external recipients, uploaded to non-approved services, or shared with users outside the tenant boundary. |
| SC.L2-3.13.11 (FIPS Encryption) | Sensitivity label encryption uses AES-256 and RSA-2048 through Microsoft's FIPS 140-2 validated cryptographic modules. Encryption is document-level and persists independent of storage location. |
| SC.L2-3.13.16 (CUI at Rest) | Labels applying encryption protect CUI at rest in SharePoint, OneDrive, Exchange mailboxes, and Teams — including items in shared drives and archived conversations. |
| MP.L2-3.8.1 (Media Protection) | Sensitivity labels persist when CUI is exported to USB or local disk. Intune Device Control (configured in Chapter 10) restricts unencrypted export to removable media. |
| MP.L2-3.8.7 (Removable Media) | Defender for Endpoint Device Control provides the enforcement layer; Purview Endpoint DLP provides the data-awareness layer — triggering policy based on label or content match during copy-to-USB events. |
CUI Label Taxonomy
The DoD CUI Registry defines over 20 categories. For most DIB organizations, a practical starting taxonomy covers the categories that appear most frequently in engineering and program management workflows:
| Label | Scope | Encryption |
|---|---|---|
| Public | Approved for public release; no restrictions. | None |
| Internal | Internal business information not cleared for external release. | None |
| CUI | Controlled Unclassified Information — default label for unmarked CUI. | Required — AES-256 via sensitivity label |
| CUI // SP-CTI | Controlled Technical Information — engineering drawings, specifications, test data. | Required |
| CUI // SP-EXPT | Export Controlled — ITAR/EAR-regulated technical data. | Required |
Attempting to implement all 20+ CUI sub-categories at initial deployment creates user confusion and drives low adoption. Start with the three encrypted labels (CUI, SP-CTI, SP-EXPT). Users can request additional sub-categories as the program matures. A CMMC assessor needs to see that CUI is labeled and encrypted — not that every category is pre-built on day one.
Purview in GCC High uses sovereign endpoints. Confirm that your compliance portal URL is compliance.microsoft.us. If it resolves to compliance.microsoft.com, sensitivity label encryption keys may be managed in the commercial cloud, which is out of scope for CUI. Verify your Azure Information Protection service endpoint in the Purview admin center before deploying labels.
NIST SP 800-171 Rev. 3 Scope
For organizations voluntarily aligning to NIST SP 800-171 Rev. 3, Purview addresses the following security requirements within the information protection domain:
| NIST SP 800-171 Rev. 3 Requirement | Purview Mechanism |
|---|---|
| 3.1.3 (Information Flow Control) | DLP policies prevent sensitive data from being sent to external recipients, uploaded to non-approved cloud services, or shared outside the organization. |
| 3.13.11 (FIPS Cryptography) | Sensitivity label encryption uses AES-256 and RSA-2048 through Microsoft's FIPS 140-2 validated cryptographic modules. Encryption persists at the document level regardless of storage location. |
| 3.13.16 (Confidentiality at Rest) | Labels applying encryption protect sensitive data at rest in SharePoint, OneDrive, Exchange mailboxes, and Teams — including archived and shared content. |
| 3.8.1 (Media Protection) | Sensitivity labels persist when data is exported to USB or local disk. Intune Device Control restricts unencrypted export to removable media. |
| 3.8.7 (Removable Storage Devices) | Defender for Endpoint Device Control blocks unauthorized write access to removable media; Purview Endpoint DLP provides content-awareness triggering based on label or sensitive information type match. |
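The flow-control and removable-media rows of both mapping tables (the CMMC table above and the NIST SP 800-171 Rev. 3 table here) describe one DLP mechanism: a policy that spans the M365 workloads plus Endpoint DLP, with rules keyed on the sensitivity label. The block below is an added example written for this page, not code from the original article or from Microsoft; it creates that policy in Security & Compliance PowerShell, starting in simulation mode so the hits can be reviewed before enforcement. The label name, policy and rule names, the policy-tip text and the Print=Audit choice are assumptions; the cmdlets and parameter shapes are those of the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original page: label-keyed DLP policy for
# flow control (external sharing) and removable-media egress.
# Prerequisite: Install-Module ExchangeOnlineManagement, then connect.
#   GCC High:   Connect-IPPSSession -ConnectionUri 'https://ps.compliance.protection.office365.us/powershell-liveid/' `
#                                   -AzureADAuthorizationEndpointUri 'https://login.microsoftonline.us/common'
#   Commercial: Connect-IPPSSession

$labelName  = 'CUI'                       # assumption; 'Highly Confidential' in the commercial taxonomy
$policyName = "Flow Control - $labelName" # assumption

# Condition: the item carries the sensitivity label (matched by name, type Sensitivity).
# This is the documented hashtable shape for label conditions on -ContentContainsSensitiveInformation.
$labelCondition = @(@{
    operator = 'And'
    groups   = @(@{
        operator = 'Or'
        name     = 'Default'
        labels   = @(@{ name = $labelName; type = 'Sensitivity' })
    })
})

# One policy over every workload that holds the data. EndpointDlpLocation brings
# onboarded devices into scope so the copy-to-USB rule below has an enforcement point.
# TestWithNotifications = simulation with policy tips; nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Rule 1 (3.1.3 flow control): the labeled item is being shared with or sent to
# someone outside the organization. Block the external recipients only
# (BlockAccessScope PerUser), tell the owner why, and raise an incident report.
New-DlpComplianceRule -Name "$policyName - External" -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item is labeled $labelName and cannot be shared outside the organization." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel High

# Rule 2 (3.8.1 / 3.8.7 media): on endpoints, block copy of labeled files to
# removable media and to cloud services outside the allow list; printing is
# only audited here (assumption) so the activity is visible without blocking it.
New-DlpComplianceRule -Name "$policyName - Endpoint" -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Block' },
        @{ Setting = 'CloudEgress';    Value = 'Block' },
        @{ Setting = 'Print';          Value = 'Audit' }
    )

# Sanity-check the rules, review simulation hits in Activity explorer,
# and only then switch the policy from simulation to enforcement:
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Disabled, AccessScope, BlockAccess
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the policy in TestWithNotifications for at least one business cycle: the external rule fires on every labeled item that already has an external sharing link, and the first simulation run is where those legacy shares surface.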
Sensitive Data Label Taxonomy
Commercial organizations have more flexibility in label taxonomy than CMMC-scoped environments. The goal is a taxonomy that maps to how your organization actually describes its sensitive data — not to a regulatory registry. A practical starting taxonomy for most commercial M365 deployments:
| Label | Scope | Encryption |
|---|---|---|
| Public | Approved for external release. | None |
| General | Internal business information; low risk if disclosed. | None |
| Confidential | Business-sensitive data — financials, HR records, strategy documents. Default label for internal content. | Optional (recommended for external shares) |
| Highly Confidential | Data requiring strict access control — M&A activity, executive communications, regulated PII/PHI. | Required — AES-256 via sensitivity label |
In practice, taxonomies with more than five top-level labels see poor adoption and frequent mis-labeling, because users stop reading the choices. Start with Public, General, Confidential, and Highly Confidential. Add sub-labels (e.g., Confidential // Legal, Confidential // Finance) only after baseline adoption is established across the organization.
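Both taxonomies on this page (the CUI taxonomy in the CMMC section and the commercial one above) are created with the same cmdlets. The block below is an added example written for this page, not code from the original article or from Microsoft; it builds the CUI taxonomy from Security & Compliance PowerShell against the GCC High endpoint, makes the two specified-CUI labels sub-labels of CUI with encryption set explicitly on each, publishes them with a downgrade-justification requirement, and then checks that every CUI label actually carries encryption. The rights group, the tenant domain, the seven-day offline window and the policy name are assumptions. For the commercial taxonomy, connect with plain `Connect-IPPSSession` and substitute the four commercial label names, encrypting Highly Confidential the same way.

```powershell
# Added example, not from the original page: create the CUI label taxonomy.
# Prerequisite: Install-Module ExchangeOnlineManagement

# GCC High sovereign endpoints; omit both parameters for the commercial cloud.
Connect-IPPSSession -ConnectionUri 'https://ps.compliance.protection.office365.us/powershell-liveid/' `
    -AzureADAuthorizationEndpointUri 'https://login.microsoftonline.us/common'

# Rights go to a mail-enabled security group in the tenant (assumed name).
# Co-author-level rights only: no FULL CONTROL / OWNER, so recipients cannot strip protection.
$cuiGroup  = 'CUI-Authorized@contoso.us'
$cuiRights = "${cuiGroup}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

# Shared encryption settings, splatted onto each CUI label so none is created unencrypted.
$encryption = @{
    EncryptionEnabled                           = $true
    EncryptionProtectionType                    = 'Template'   # admin-assigned rights, not user-defined
    EncryptionRightsDefinitions                 = $cuiRights
    EncryptionContentExpiredOnDateInDaysOrNever = 'Never'
    EncryptionOfflineAccessDays                 = 7            # assumption: re-validate license weekly
}

# Unencrypted labels
New-Label -Name 'Public'   -DisplayName 'Public'   -Tooltip 'Approved for public release; no restrictions.'
New-Label -Name 'Internal' -DisplayName 'Internal' -Tooltip 'Internal business information not cleared for external release.'

# Parent CUI label: default for unmarked CUI
New-Label -Name 'CUI' -DisplayName 'CUI' `
    -Tooltip 'Controlled Unclassified Information. Default label for unmarked CUI.' `
    @encryption

# Specified-CUI sub-labels. Sub-labels inherit nothing from the parent,
# so the encryption splat is applied to each one explicitly.
$subLabels = @(
    @{ Name = 'CUI-SP-CTI';  Display = 'CUI // SP-CTI';  Tip = 'Controlled Technical Information: engineering drawings, specifications, test data.' },
    @{ Name = 'CUI-SP-EXPT'; Display = 'CUI // SP-EXPT'; Tip = 'Export Controlled: ITAR/EAR-regulated technical data.' }
)
foreach ($sub in $subLabels) {
    New-Label -Name $sub.Name -DisplayName $sub.Display -Tooltip $sub.Tip -ParentId 'CUI' @encryption
}

# Publish to all users. No default label is set on purpose: users must choose,
# and removing or lowering a CUI label requires a justification.
New-LabelPolicy -Name 'CUI Labels' `
    -Labels 'Public', 'Internal', 'CUI', 'CUI-SP-CTI', 'CUI-SP-EXPT' `
    -ExchangeLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = 'true' }

# Verify: every label whose name starts with CUI must report EncryptionEnabled = True.
Get-Label | Where-Object { $_.Name -like 'CUI*' } |
    Format-Table DisplayName, EncryptionEnabled, EncryptionProtectionType, EncryptionOfflineAccessDays
```

The final Get-Label check is the step worth keeping in a deployment runbook: it is the evidence an assessor asks for, and it catches the common mistake of a sub-label created through the portal without encryption while its parent has it.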