CMMC Practice MP.L2-3.8.5 – Media Accountability: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This is a sample removable storage policy for the Colorado Department of Education. This article provides an overview of removable media including the risks associated with this technology and how to implement a control policy. McAfee Total Protection to reduce the attack surface This article breaks down CMMC Section 3.8, which focuses on the media protection for media that contains controlled unclassified information (CUI) The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. This sample policy provided by SANS discusses removable media. This SANS whitepaper discusses a holistic approach to USB port-security. This article provides an overview of the risks associated with removable media for industrial facilities based on a 2018 Honeywell report. This GSA-IT Security MP Procedurals reference provides guidance for the MP security controls identified in NIST SP 800-53 and federal contractor media protection requirements. This paper focuses on the risks associated with simple media devices and smart media devices.
Discussion [NIST SP 800-171 R2]
Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.
Further Discussion
CUI is protected in both physical and digital formats. Physical control can be accomplished using traditional concepts like restricted access to physical locations or locking papers in a desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on. This makes digital CUI data very portable. It is important for an organization to apply mechanisms to prevent unauthorized access to CUI due to ease of transport.