CMMC Practice MP.L2-3.8.1 – Media Protection: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. The DCSA CUI Program Office is dedicated to providing up-to-date information, tools, and resources to support Industry's implementation of CUI programs. This Defense Counterintelligence and Security Agency (DCSA) Controlled Unclassified Information (CUI) webpage is routinely updated with news and information related to DCSA’s CUI oversight responsibilities. This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies. This is a blog from North Carolina Manufacturing Extension Partnership which speaks to the importance of media protection and how it is defined in NIST 800-171 publication. This article breaks down CMMC Section 3.8, which focuses on the media protection for media that contains controlled unclassified information (CUI) This page is built as an overview for aerospace and defense contractors supporting the Department of Defense who may handle, and/or store and process sensitive data. This GSA-IT Security MP Procedurals reference provides guidance for the MP security controls identified in NIST SP 800-53 and federal contractor media protection requirements. This video from SANS educates viewers on the positive and negative aspects of using full disk encryption for security.
Discussion [NIST SP 800-171 R2]
System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.
Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media.
NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
Further Discussion
CUI can be contained on two types of physical media:
- hardcopy (e.g., CD drives, USB drives, magnetic tape); and
- digital devices (e.g., CD drives, USB drives, video).
You should store physical media containing CUI in a secure location. This location should be accessible only to those people with the proper permissions. All who access CUI should follow the process for checking it out and returning it.