Marines

HomeNewsMessagesMessages Display

PROPER SAFEGUARDING OF CUI WITHIN MICROSOFT 365 (M365)
Date Signed: 2/18/2025 | MARADMINS Number: 071/25
PRINT
MARADMINS : 071/25

R 181812Z FEB 25
MARADMIN 071/25  
MSGID/GENADMIN/CMC DCI WASHINGTON DC// 
SUBJ/PROPER SAFEGUARDING OF CUI WITHIN MICROSOFT 365 (M365)// 
REF /A/DODI 8510.01// 
REF /B/SECNAVINST 5239.3C//
REF /C/MCO 5239.2B// 
NARR/REF A IS THE RISK MANAGEMENT FRAMEWORK FOR DEPARTMENT OF 
DEFENSE (DOD) SYSTEMS. REF B IS DEPARTMENT OF THE NAVY (DON) 
CYBERSECURITY POLICY. REF C IS MARINE CORPS CYBERSECURITY POLICY// 
POC/W. J. BUSH/CIV/DCI IC4 CY/COMM 571-256-8869/EMAIL: 
WILLIAM.BUSH(AT)USMC.MIL// 
POC/B. J. BIENZ/CIV/DCI IC4 CY/COMM: 703-439-7489/EMAIL: 
BONNIE.BIENZ(AT)USMC.MIL// 
POC/L. A. DARKE/CIV/DCI IC4 ICC/COMM: 571-256-9086/EMAIL: 
LEONARD.DARKE(AT)USMC.MIL// 
GENTEXT/REMARKS/1.  Purpose.  This message reminds users of the need 
to properly safeguard and protect CUI introduced into or through the 
Microsoft 365 (M365) office productivity and collaboration suite. 
2.  Situation.   
2.a.  The current system configurations and settings of M365 are set 
to enable maximum productivity of users of the Marine Corps 
Enterprise Network - Niprnet (MCEN-N)/unclassified.  While the M365 
system is capable of hosting CUI up to and including impact level 5 
Data, it is incumbent on individual users to ensure that required 
controls are implemented to provide the appropriate level of 
protection beyond environment baseline configurations.  Examples 
where CUI requires additional protections are in the cases of 
personally identifiable information (PII) and personal health 
information (PHI). 
2.b.  Additionally, the power platform, which is accessed via M365, 
must be assessed for risk to the network. 
3.  Action. 
3.a.  MCEN-N users who generate or introduce cui into M365 are 
reminded of their responsibility for implementing required 
cybersecurity controls for their data.  These include, but are not 
limited to, appropriate implementation of file access controls for 
files containing PII and implementation of access and audit controls 
for PHI.  Failure to apply necessary controls may result in 
unplanned or unannounced removal of files from the network. 
3.b.  The program executive officer for digital and the supporting 
information system security manager for the M365 suite on the 
MCEN-N/Unclassified network will submit updated authorization 
documentation which includes the power platform suite of 
capabilities with associated cybersecurity controls, to the Marine 
Corps authorizing official for review, assessment, and certification 
no later than 31 May 2025. 
3.c.  No later than 31 May 2025, the United States Marine Corps 
authorizing official designated representative will publish guidance 
in accordance with ref (c) concerning risk management activities in 
support of development within the power platform to include 
remediation of already developed applications.  
4.  Direct all questions to message point of contacts. 
5.  Request widest dissemination of this message by addressees to 
subordinate commands. 
6.  Release authorized by Lieutenant General Melvin G. Carter, 
Headquarters Marine Corps, Deputy Commandant for Information.//