CMMC Practice MP.L2-3.8.6 – Portable Storage Encryption: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This is a sample removable storage policy for the Colorado Department of Education.
This article provides an overview of removable media including the risks associated with this technology and how to implement a control policy.
McAfee Total Protection to reduce the attack surface.
This NIST Special Publication provides recommendations to facilitate more efficient and effective storage encryption solution design, implementation, and management for Federal departments and agencies.
This NIST Special Publication is one part in a series of documents intended to provide guidance to the Federal Government for using cryptography to protect its sensitive, but unclassified digitized information during transmission and while in storage.
This article breaks down CMMC Section 3.8, which focuses on the media protection for media that contains controlled unclassified information (CUI).
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes.
This sample policy provided by SANS discusses removable media.
This SANS whitepaper discusses a holistic approach to USB port-security.
This article provides an overview of the risks associated with removable media for industrial facilities based on a 2018 Honeywell report.
This GSA-IT Security MP Procedurals reference provides guidance for the MP security controls identified in NIST SP 800-53 and federal contractor media protection requirements.
University of California, Berkeley’s recommendations and guidance for devices handling covered data.
This document advises on the storage of personal or special category personal data (sensitive data) on portable devices including laptops, USB flash drives, hard drives, other portable storage devices, CDs, DVDs and other portable media.
This paper focuses on the risks associated with simple media devices and smart media devices.
This video from SANS educates viewers on the positive and negative aspects of using full disk encryption for security.
Discussion [NIST SP 800-171 R2]
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives).
NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
Further Discussion
CUI can be stored and transported on a variety of portable media, which increases the chance that the CUI can be lost. When identifying the paths CUI flows through your company, identify devices to include in this practice.
To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect the data. Even if the media are lost, proper encryption renders the data inaccessible. When encryption is not an option, apply alternative physical safeguards during transport.
This practice, MP.L2-3.8.6, provides additional protections to those provided by MP.L2-3.8.5. This practice is intended to protect against situations where control of media access fails, such as through the loss of the media.
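One way to check the "cryptographic mechanisms are implemented" side of this practice on a Linux workstation is to audit every attached removable block device for an encrypted container. The script below is an added example, not part of the CMMC guidance; it reads `lsblk -rno NAME,RM,TYPE,FSTYPE` output (the constructed sample inline stands in for a live run) and reports removable disks or partitions whose filesystem type is plain data rather than crypto_LUKS or BitLocker (the names assumed here for what libblkid reports).

```shell
#!/bin/sh
# Audit removable media for missing encryption (added example, not CMMC text).
# Input format (one device per line, no header): NAME RM TYPE FSTYPE
# as produced by:  lsblk -rno NAME,RM,TYPE,FSTYPE

# find_unencrypted_removable: reads lsblk raw lines on stdin and prints
# "NAME FSTYPE" for each removable (RM=1) disk or partition that carries
# an unencrypted filesystem. Encrypted containers and blank devices are
# accepted; crypt/lvm mappers are skipped because the underlying
# partition is what gets inspected.
find_unencrypted_removable() {
  while read -r name removable devtype fstype; do
    [ -n "$name" ] || continue          # skip blank lines
    [ "$removable" = "1" ] || continue  # only removable media matter here
    case "$devtype" in
      disk|part) ;;
      *) continue ;;                    # e.g. crypt mapper of an unlocked LUKS volume
    esac
    case "$fstype" in
      crypto_LUKS|BitLocker|"") continue ;;  # encrypted container or no filesystem
      *) printf '%s %s\n' "$name" "$fstype" ;;
    esac
  done
}

# Constructed sample: sda is the internal drive, sdb is a LUKS-encrypted
# USB stick (unlocked as luks-cui), sdc is a plain FAT-formatted USB stick.
SAMPLE_LSBLK='sda 0 disk
sda1 0 part ext4
sdb 1 disk
sdb1 1 part crypto_LUKS
luks-cui 0 crypt ext4
sdc 1 disk
sdc1 1 part vfat'

# Run against the sample; for a live audit pipe lsblk output instead:
#   lsblk -rno NAME,RM,TYPE,FSTYPE | find_unencrypted_removable
printf '%s\n' "$SAMPLE_LSBLK" | find_unencrypted_removable
```

An empty result means every removable device carries an encrypted container; any line printed names media that would need the alternative physical safeguards the practice allows, or re-provisioning with encryption before CUI is copied to it.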