A Third of Revenue on the Line: Cascade’s High-Stakes Compliance Mandate
Cascade Environmental, a nationwide environmental drilling company headquartered in Bothell, Washington, faced a critical inflection point. With over 40 offices across the U.S. and a small but agile IT team, Cascade needed to ensure that the sensitive data tied to its field operations—particularly CMMC-regulated job site and worksite assessments—remained protected as it evaluated Microsoft 365 Copilot.
Challenge: Sensitive Data Leaks Loomed as Copilot Rolled Out
As Cascade Environmental prepared to introduce Microsoft 365 Copilot across departments, the stakes were high: a third of the company’s revenue depended on safeguarding CMMC-regulated data, such as job site reports and worksite assessments.
To validate its readiness, Cascade worked with Opsin to simulate Copilot behavior across SharePoint, Teams, and OneDrive. The results were telling:
Over 70% of Copilot-style queries returned sensitive information, including content regulated under CMMC.
The exposure wasn’t malicious; it was structural. Years of organic SharePoint growth and inconsistent permissioning (such as “Everyone Except External Users”) had created an invisible attack surface, one that natural language prompts could easily expose.
Solution: Oversharing Detection and CMMC-Grade Remediation with Opsin Security
Cascade Environmental partnered with Opsin Security to assess and mitigate the risk of exposing sensitive CMMC-regulated content to AI tools like Microsoft 365 Copilot. With compliance tied directly to a third of Cascade’s revenue, it was critical to gain visibility and enforce the right guardrails before enabling AI across their environment.
Opsin’s platform provided deep visibility into the Microsoft 365 environment—including SharePoint, Teams, and OneDrive—and helped Cascade address permission sprawl, oversharing, and inconsistent governance.
Most importantly, Opsin enabled Cascade to proactively secure its data before rolling out AI:
CMMC-Centric Risk Discovery via Proactive Risk Assessment
Opsin conducted a proactive risk assessment across Cascade’s content ecosystem. This surfaced high-risk sites, libraries, and folders where CMMC-regulated information—such as job site assessments, worksite data, and other sensitive operational documents—could be unintentionally exposed to tools like Copilot.
Permission Remediation for “Everyone Except External Users”
Opsin uncovered widespread use of the permissive “Everyone Except External Users” configuration on SharePoint sites and document libraries. The platform guided Cascade through a secure, structured workflow to replace those permissions with Entra ID dynamic groups—ensuring proper access control without disrupting productivity.
Issue-Specific Fixes Without IT Bottlenecks
Opsin delivered actionable remediation workflows for both the IT team and departmental site owners. This empowered Cascade’s lean IT staff to delegate permission clean-up across business units, while maintaining centralized oversight.
Policy-Aware Copilot Readiness
With proper access controls and content-level security labeling in place, Cascade could confidently begin its Copilot rollout—knowing sensitive content wouldn’t be accidentally surfaced or leaked via AI queries.
Outcomes: Risk Remediated, Copilot Ready to Scale
With Opsin, Cascade moved from uncertainty to confidence—securing critical data, aligning with CMMC requirements, and unlocking the ability to scale Microsoft 365 Copilot company-wide.
Looking Ahead: A Culture of Responsible Innovation
As Cascade continues its phased rollout of Microsoft 365 Copilot, the groundwork laid by Opsin gives them the freedom to explore LLM use cases—without compromising security or compliance.
Cascade is now focused on defining clear, enforceable AI usage policies and on monitoring Copilot activity through Opsin’s continuous monitoring model, ensuring access, behavior, and data visibility remain aligned with business needs and regulatory obligations.