Box.com compliance

old.reddit.com / @/u/imscavok, https://old.reddit.com/user/imscavok

We have a project where the prime is using Box.com for collaboration with subcontractors. This looks fine; it's FedRAMP Moderate and can be used for ITAR and other stuff. My question is more about how to enforce the controls when we do not have an account there?

OneDrive and SharePoint, for example, have a different domain for their consumer version, and custom subdomains for organizations. This makes it easy to restrict with a firewall, and using Endpoint Data Loss Prevention + Sensitivity labels. It doesn't look like Box does that.

How would I keep an employee from using the consumer version of Box if I were to allow access to it so he can upload CUI to the prime's account?

submitted by /u/imscavok

published 6 months ago



