I have an employee who recently retired from the military in a relevant position raising questions about why we make it painful to access information from BYOD. Namely, the Navy's Flankspeed M365 system allows users to access DoD SharePoint that contains CUI from BYOD with the conditional access restriction that prevents downloads. So they can use the web apps in a browser to view and edit CUI documents from an unmanaged device without any virtualized container or VPN.

My understanding was that the DoD had to meet the same NIST 800-171 standards at a minimum as a requirement by congress. If that is the case, is this an option for contractors? How would I address about half of the controls in the SSP that are suddenly not applicable (even though they claim every control is applicable)? Do I just claim a PC is an alternative worksite, or how is the Navy pulling that off?