LLMPrompt MP.L2-3.8.3

From CMMC Toolkit Wiki
Jump to navigation Jump to search

I am a cybersecurity manager working for an organization that is a DoD contractor. I need to implement various security practices that conform to DoD's CMMC program at level 2. The CMMC program stipulates security practices that are based on NIST Special Publication 800-171 R2. For each security practice of CMMC Level 2, I need to show evidence that my organization is in compliance with CMMC. Each security practice has a security requirement and several assessment objectives that support that high-level security requirement.

I am assessing one of the assessment objectives within the practice MP.L2-3.8.3 – MEDIA DISPOSAL. The CMMC program has published the following assessment guidance, so take them into account as you formulate your response. Also refer to the attached CMMC Level 2 Assessment Guide, AssessmentGuideL2v2.pdf, for more context and information about the practice.

A. SECURITY REQUIREMENT: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

B. ASSESSMENT OBJECTIVES: Determine if [a] system media containing FCI is sanitized or destroyed before disposal; and [b] system media containing FCI is sanitized before it is released for reuse.

C. ASSESSMENT APPROACHES: I have three assessment approaches for assessing any security practice. They are listed as follows:

C1. Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objectives to facilitate understanding, achieve clarification, or obtain evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C2. Interview: The process of conducting discussion with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C3. Test: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

D. ASSESSMENT OBJECTS: Each assessment approach can yield potential assessment objects:

D1. Examine: [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; applicable standards and policies addressing media sanitization; system security plan; media sanitization records; system audit logs and records; system design documentation; system configuration settings and associated documentation; other relevant documents or records].

D2. Interview: [SELECT FROM: Personnel with media sanitization responsibilities; personnel with information security responsibilities; system or network administrators].

D3. Test: [SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or implementing media sanitization].

E. DISCUSSION: This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization. Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing FCI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for federal contract information. NIST SP 800-88 provides guidance on media sanitization.

F. FURTHER DISCUSSION: “Media” refers to a broad range of items that store information, including paper documents, disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important to know what information is on media so that you can handle it properly. If there is FCI, you or someone in your company should either: shred or destroy the device before disposal so it cannot be read; or clean or purge the information, if you want to reuse the device. See NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, for more information.

G. Example: As you pack for an office move, you find some old CDs in a file cabinet. You determine that one has information about an old project your company did for the DoD. You shred the CD rather than simply throwing it in the trash [a].

H. Potential Assessment Considerations: Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure that no usable data is retrievable [a,b]?

I. EVIDENCE TYPES: Finally, I have four evidence types that I can collect. The definitions of the evidence types are as follows:

I1. Artifacts: Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. (See CAP Glossary for additional details.)

I2. Document: Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writing of every kind and description over which an agency has authority. (See CAP Glossary for additional details.)

I3. Physical Review: An on-premise observation of Evidence.

I4. Screen Share: Live observation ""over the shoulder"" of a user as they share their computer screen while performing a task.

J. KEY REFERENCES: NIST SP 800-171 Rev 2 3.8.3

Retrieved from "https://cmmcwiki.org/index.php?title=LLMPrompt_MP.L2-3.8.3&oldid=1528"