How does Agent-side Redaction of CMMC Data Work?
CMMC Agent-side redaction is a "Privacy by Design" feature where the Spirion Search Agent masks or hides sensitive portions of a data match before that information is ever transmitted to the Spirion Console or stored in the SaaS database.
Why Agent-Side Redaction is Vital for CMMC
Under CMMC (specifically Level 2 and 3), CUI (Controlled Unclassified Information) must be protected at rest and in transit. If your Spirion Agent finds a piece of CUI (like a part number, a technical specification, or a contract identifier) and sends the full, unencrypted string to the Console for a report, the Console itself may now be "in scope" for CMMC.
Agent-side redaction prevents this "scope creep" by ensuring that the sensitive data never leaves the local machine in a readable format.
How It Works (The Technical Flow)
- Discovery: The Search Agent (running locally on a workstation or server) identifies a match for a CMMC Data Type (e.g., an ITAR Technical Drawing Number).
- Redaction Rule Applied: The Agent checks its Agent Policy. If redaction is enabled for that Data Type, the Agent applies a mask (e.g., replacing characters with * or X).
- Shipping: The Agent ships the redacted snippet (e.g., ITAR-XXXX-99) to the Spirion Console.
- Storage & Display: The Console stores and displays only the redacted version. The full, original value remains only in the source file on the local machine.
Key Benefits for CMMC Compliance
1. Maintaining the "CUI Boundary"
CMMC requires you to define and defend a "CUI Boundary."
By using agent-side redaction, you ensure that your Spirion Management Plane (the Console and its database) stays outside the CUI boundary. This simplifies your audit because you don't have to prove that the Spirion Console meets the same rigorous CUI storage requirements as your primary file servers.
2. Meeting "Least Privilege" (Control AC.L2-3.1.1)
CMMC mandates that only authorized users see CUI.
- Without Redaction: Any IT admin with access to the Spirion Console could see raw CUI snippets from across the entire company.
- With Redaction: The admin can see that CUI exists and where it is, but they cannot see the actual sensitive content. This maintains the principle of least privilege.
3. Secure Audit Evidence
When a CMMC auditor (C3PAO) asks for proof that you are finding and securing CUI, you can show them your Scan Results reports. Because the data is redacted, you can safely hand over these reports without worrying about "Data Spill" (unauthorized disclosure of CUI).
Configuration Tips for CMMC
- Partial vs. Full Redaction: For CMMC, Partial Redaction is usually best. For example, showing DWG-XXXX-55 allows a project manager to recognize which project the file belongs to so they can triage it, without exposing the full, sensitive drawing ID.
- Enable in the Agent Policy: Redaction is configured at the Agent Policy level. You can have different redaction rules for different groups of machines (e.g., "Full Redaction" for executive laptops, but "Partial Redaction" for the engineering enclave).
- Redact the "Match Evidence": Ensure you are redacting the "Match Evidence" (the snippet of text surrounding the find), as this context often contains as much sensitive CUI as the match itself.
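The flow described under "How It Works" and the "Match Evidence" tip above, as an added illustration that is not Spirion's code: a small model of the agent-side step that masks the matched value and every copy of it inside the surrounding snippet before a finding record is built. The rule fields, the prefix/suffix lengths, the drawing-number pattern and the sample text are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class RedactionRule:
    """Per-Data-Type rule as an Agent Policy might express it (field names assumed)."""
    mode: str               # "full" or "partial"
    keep_prefix: int = 0    # leading characters left readable (partial only)
    keep_suffix: int = 0    # trailing characters left readable (partial only)
    mask_char: str = "X"

def redact_value(match: str, rule: RedactionRule) -> str:
    """Mask a single matched value before it leaves the endpoint."""
    if rule.mode == "full" or rule.keep_prefix + rule.keep_suffix >= len(match):
        # Full redaction, or a partial rule that would leave nothing masked:
        # mask everything rather than ship the raw value.
        return rule.mask_char * len(match)
    end = len(match) - rule.keep_suffix
    return match[:rule.keep_prefix] + rule.mask_char * (end - rule.keep_prefix) + match[end:]

def redact_evidence(evidence: str, pattern: str, rule: RedactionRule) -> str:
    """Apply the same mask to every occurrence inside the surrounding snippet,
    so the Match Evidence cannot leak what the match column hides."""
    return re.sub(pattern, lambda m: redact_value(m.group(0), rule), evidence)

def build_finding(path: str, data_type: str, pattern: str, evidence: str,
                  rule: RedactionRule) -> dict:
    """Build the record the agent would ship to the console: location and
    Data Type in the clear, match and evidence already masked."""
    hit = re.search(pattern, evidence)
    if hit is None:
        raise ValueError("no match for data type in evidence")
    return {
        "path": path,
        "data_type": data_type,
        "match": redact_value(hit.group(0), rule),
        "evidence": redact_evidence(evidence, pattern, rule),
    }

# Constructed sample: a drawing-number pattern and one line of surrounding text.
DRAWING_PATTERN = r"ITAR-\d{4}-\d{2}"
SAMPLE_EVIDENCE = "Ref drawings ITAR-1234-99 and ITAR-5678-01 attached."
PARTIAL = RedactionRule("partial", keep_prefix=5, keep_suffix=3)

if __name__ == "__main__":
    print(build_finding(r"\\fs01\eng\spec.docx", "ITAR Drawing Number",
                        DRAWING_PATTERN, SAMPLE_EVIDENCE, PARTIAL))
```

Note that the fallback in redact_value matters: a partial rule whose kept prefix and suffix cover the whole value would otherwise ship it unmasked.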
Summary
Agent-side redaction for CMMC is about Risk Isolation. It allows you to gain 100% visibility into where your CUI is located without the risk of centralizing that sensitive data in your reporting platform. It is the difference between a "Security Tool" and a "Security Liability."