Practice MP.L2-3.8.8 Details
Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.
MP.L2-3.8.8 – SHARED MEDIA
SECURITY REQUIREMENT
Prohibit the use of portable storage devices when such devices have no identifiable owner.
ASSESSMENT OBJECTIVES
Determine if:
- [a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine
[SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; system security plan; rules of behavior; system configuration settings and associated documentation; system design documentation; system audit logs and records; other relevant documents or records].
Interview
[SELECT FROM: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators].
Test
[SELECT FROM: Organizational processes for media use; mechanisms prohibiting use of media on systems or system components].
DISCUSSION
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).
FURTHER DISCUSSION
A portable storage device is a system component that can be inserted into and removed from a system and is used to store data or information. It typically plugs into a laptop or desktop port (e.g., USB port). These devices can contain malicious files that can lead to a compromise of a connected system. Therefore, use should be prohibited if the device cannot be traced to an owner who is responsible and accountable for its security.
This practice, MP.L2-3.8.8, furthers the protections provided by MP.L2-3.8.7 by prohibiting unidentified media use even if that media type is allowable.
Example
You are the IT manager. One day, a staff member reports finding a USB drive in the parking lot. You investigate and learn that there are no labels on the outside of the drive to indicate who might be responsible for it. You send an email to all employees to remind them that IT policies expressly prohibit plugging unknown devices into company computers. You also direct staff members to turn in to the IT help desk any devices that have no identifiable owner [a].
Potential Assessment Considerations
- Do portable storage devices used have identifiable owners [a]?
KEY REFERENCES
- NIST SP 800-171 Rev 2 3.8.8