LLMPrompt MP.L2-3.8.1

From CMMC Toolkit Wiki
Jump to navigation Jump to search

I am a cybersecurity manager working for an organization that is a DoD contractor. I need to implement various security practices that conform to DoD's CMMC program at level 2. The CMMC program stipulates security practices that are based on NIST Special Publication 800-171 R2. For each security practice of CMMC Level 2, I need to show evidence that my organization is in compliance with CMMC. Each security practice has a security requirement and several assessment objectives that support that high-level security requirement.

I am assessing one of the assessment objectives within the practice MP.L2-3.8.1 – MEDIA PROTECTION. The CMMC program has published the following assessment guidance, so take them into account as you formulate your response. Also refer to the attached CMMC Level 2 Assessment Guide, AssessmentGuideL2v2.pdf, for more context and information about the practice.

A. SECURITY REQUIREMENT: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

B. ASSESSMENT OBJECTIVES: Determine if: [a] paper media containing CUI is physically controlled; [b] digital media containing CUI is physically controlled; [c] paper media containing CUI is securely stored; and [d] digital media containing CUI is securely stored.

C. ASSESSMENT APPROACHES: I have three assessment approaches for assessing any security practice. They are listed as follows:

C1. Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objectives to facilitate understanding, achieve clarification, or obtain evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C2. Interview: The process of conducting discussion with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C3. Test: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

D. ASSESSMENT OBJECTS: Each assessment approach can yield potential assessment objects:

D1. Examine: [SELECT FROM: System media protection policy; procedures addressing media storage; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; system security plan; media storage facilities; access control records; other relevant documents or records].

D2. Interview: [SELECT FROM: Personnel with system media protection responsibilities; personnel with information security responsibilities; system or network administrators].

D3. Test: [SELECT FROM: Organizational processes for restricting information media; mechanisms supporting or implementing media access restrictions].

E. DISCUSSION: System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library. Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.

F. FURTHER DISCUSSION: CUI can be contained on two types of physical media: hardcopy (e.g., CD drives, USB drives, magnetic tape); and digital devices (e.g., CD drives, USB drives, video). You should store physical media containing CUI in a secure location. This location should be accessible only to those people with the proper permissions. All who access CUI should follow the process for checking it out and returning it.

G. Example: Your company has CUI for a specific Army contract contained on a USB drive. You store the drive in a locked drawer, and you log it on an inventory [d]. You establish a procedure to check out the USB drive so you have a history of who is accessing it. These procedures help to maintain the confidentiality, integrity, and availability of the data.

H. Potential Assessment Considerations: Is hardcopy media containing CUI handled only by authorized personnel according to defined procedures [a]? Is digital media containing CUI handled only by authorized personnel according to defined procedures [b]? Is paper media containing CUI physically secured (e.g., in a locked drawer or cabinet) [c]? Is digital media containing CUI securely stored (e.g., in access-controlled repositories) : [d]?

I. EVIDENCE TYPES: Finally, I have four evidence types that I can collect. The definitions of the evidence types are as follows:

I1. Artifacts: Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. (See CAP Glossary for additional details.)

I2. Document: Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writing of every kind and description over which an agency has authority. (See CAP Glossary for additional details.)

I3. Physical Review: An on-premise observation of Evidence.

I4. Screen Share: Live observation ""over the shoulder"" of a user as they share their computer screen while performing a task.

J. KEY REFERENCES: NIST SP 800-171 Rev 2 3.8.1

Retrieved from "https://cmmcwiki.org/index.php?title=LLMPrompt_MP.L2-3.8.1&oldid=1516"