Howdy,
Our fearless community manager (Thomas Deely) asked me to speak about MITRE's external collaboration experience, and I wanted to focus on two topics: compliance considerations around CUI storage, and tactics for overcoming situations where external organizations block Box. Wanted to see if these will resonate with members of the Federal roundtable - or, perhaps, you'll see them as solved problems?
Let me break them apart:
On the compliance side, internal discussions primarily focused on the level of attestation that we could provide for external customers and their computing devices. DFARS instructs us that devices accessing CUI have to have screen locks, up-to-date antivirus, etc. Can we really be assured of that for *external* (unmanaged) users? Ironically, the conversation then swung to the employee experience - must we absolutely prohibit employees from accessing Box from a non-corporate device?
On the Box-blockage side, we've been noticing that some organizations (primarily in the DOD domain) block Box - and other cloud storage providers - out of fear of data exfiltration. We've made some inroads, but definitely curious to see what others have done in this space - and whether it is worth combining forces.
Very open to see if these topics are of interest, and whether there are questions that you can think of ahead of time.
Stan Drozdetski
Extranet Service Manager
MITRE