Practice MP.L2-3.8.1 Details

From CMMC Toolkit Wiki
Jump to navigation Jump to search

Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

MP.L2-3.8.1 – MEDIA PROTECTION

SECURITY REQUIREMENT

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

ASSESSMENT OBJECTIVES

Determine if:

[a] paper media containing CUI is physically controlled;
[b] digital media containing CUI is physically controlled;
[c] paper media containing CUI is securely stored; and
[d] digital media containing CUI is securely stored.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

Examine

[SELECT FROM: System media protection policy; procedures addressing media storage;procedures addressing media access restrictions; access control policy and procedures;physical and environmental protection policy and procedures; system security plan; media storage facilities; access control records; other relevant documents or records].

Interview

[SELECT FROM: Personnel with system media protection responsibilities; personnel with information security responsibilities; system or network administrators].

Test

[SELECT FROM: Organizational processes for restricting information media; mechanisms supporting or implementing media access restrictions].

DISCUSSION

System media includes digital and non-digital media.Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team.Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.

Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media.

NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.

FURTHER DISCUSSION

CUI can be contained on two types of physical media:

  • hardcopy (e.g., CD drives, USB drives, magnetic tape); and
  • digital devices (e.g., CD drives, USB drives, video).

You should store physical media containing CUI in a secure location. This location should be accessible only to those people with the proper permissions. All who access CUI should follow the process for checking it out and returning it.

Example

Your company has CUI for a specific Army contract contained on a USB drive. You store the drive in a locked drawer, and you log it on an inventory [d]. You establish a procedure to check out the USB drive so you have a history of who is accessing it. These procedures help to maintain the confidentiality, integrity, and availability of the data.


Potential Assessment Considerations

  • Is hardcopy media containing CUI handled only by authorized personnel according to defined procedures [a]?
  • Is digital media containing CUI handled only by authorized personnel according to defined procedures [b]?
  • Is paper media containing CUI physically secured (e.g., in a locked drawer or cabinet) [c]?
  • Is digital media containing CUI securely stored (e.g., in access-controlled repositories) : [d]?

KEY REFERENCES

  • NIST SP 800-171 Rev 2 3.8.1