CMMC Requirement MP.L2-3.8.2 – Media Access: Limit access to CUI on system media to authorized users.
A practical guide from Adelia Risk that explains how to implement CMMC 2.0 media protection controls, focusing on securing, tracking, and restricting access to CUI on system media.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
CrowdStrike webpage providing security tips and resources on least-privilege considerations.
The DCSA CUI Program Office is dedicated to providing up-to-date information, tools, and resources to support Industry's implementation of CUI programs. This Defense Counterintelligence and Security Agency (DCSA) Controlled Unclassified Information (CUI) webpage is routinely updated with news and information related to DCSA's CUI oversight responsibilities.
A concise checklist targeting media protection for CMMC/FCI/CUI: covers secure storage, policies, inventory, disposal. Great for quick policy validation.
This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies.
This article breaks down CMMC Section 3.8, which focuses on media protection for media that contains controlled unclassified information (CUI).
This GSA-IT Security MP Procedurals reference provides guidance for the MP security controls identified in NIST SP 800-53 and federal contractor media protection requirements.
Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.
Further Discussion
Limit physical access to CUI to people permitted to access CUI. Use locked or controlled storage areas and limit access to only those allowed to access CUI. Keep track of who accesses physical CUI in an audit log.
