Practice MP.L2-3.8.4 Details: Difference between revisions

From CMMC Toolkit Wiki
(Created page with "'''Source of Reference: The official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Level 2 Assessment Guide] from the Office of the Under Secretary of Defense Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == MP.L2-3.8.9 – PROTECT BACKUPS == === SECURITY REQUIREMENT === Protect the confidentiality of backup CUI at storage locations. === ASSESSMENT OBJECTIVES === Det...")
 
No edit summary
 
Line 3: Line 3:
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.


== MP.L2-3.8.9 PROTECT BACKUPS ==
== MP.L2-3.8.4 MEDIA MARKINGS ==
=== SECURITY REQUIREMENT ===
=== SECURITY REQUIREMENT ===
Protect the confidentiality of backup CUI at storage locations.
Mark media with necessary CUI markings and distribution limitations.
=== ASSESSMENT OBJECTIVES ===
=== ASSESSMENT OBJECTIVES ===
Determine if:
Determine if:
: [a] the confidentiality of backup CUI is protected at storage locations.
: [a] media containing CUI is marked with applicable CUI markings; and
: [b] media containing CUI is marked with distribution limitations.
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS ===
=== POTENTIAL ASSESSMENT METHODS AND OBJECTS ===
'''Examine'''
'''Examine'''


[SELECT FROM: Procedures addressing system backup; system configuration settings and associated documentation; security plan; backup storage locations; system backup logs or records; other relevant documents or records].
[SELECT FROM: System media protection policy; procedures addressing media marking;physical and environmental protection policy and procedures; system security plan; list of system media marking security attributes;designated controlled areas;other relevant documents or records].


'''Interview'''
'''Interview'''


[SELECT FROM: Personnel with system backup responsibilities; personnel with information security responsibilities].
[SELECT FROM: Personnel with system media protection and marking responsibilities;personnel with information security responsibilities].


'''Test'''
'''Test'''


[SELECT FROM: Organizational processes for conducting system backups;mechanisms supporting or implementing system backups].
[SELECT FROM: Organizational processes for marking information media;mechanisms supporting or implementing media marking].
=== DISCUSSION ===
=== DISCUSSION ===
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations.
=== FURTHER DISCUSSION ===
=== FURTHER DISCUSSION ===
You protect CUI to ensure that it remains private (confidentiality) and unchanged (integrity).Methods to ensure confidentiality may include:
All media, hardcopy and digital, must be properly marked to alert individuals to the presence of CUI stored on the media. The National Archives and Records Administration (NARA) has published guidelines for labeling media of different sizes.
* encrypting files or media;
* managing who has access to the information; and
* physically securing devices and media that contain CUI.


Storage locations for information are varied, and may include:
MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it desirable to include ownership information on the device label as well.
* external hard drives;
* USB drives;
* magnetic media (tape cartridge);
* optical disk (CD, DVD);
* Networked Attached Storage (NAS);
* servers; and
* cloud backup.
 
This practice, MP.L2-3.8.9, requires the confidentiality of backup information at storage locations.


'''Example'''
'''Example'''


You are in charge of protecting CUI for your company. Because the company’s backups contain CUI, you work with IT to protect the confidentiality of backup data. You agree to encrypt all CUI data as it is saved to an external hard drive [a].
You were recently contacted by the project team for a new DoD program. The team said they wanted the CUI in use for the program to be properly protected. When speaking with them, you realize that most of the protections will be provided as part of existing enterprise cybersecurity capabilities. They also mentioned that the project team will use several USB drives to share specific data. You explain that the team must ensure the USB drives are externally marked to indicate the presence of CUI [a]. The project team labels the outside of each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the labels indicate that distribution is limited to those employees supporting the DoD program [a].


'''Potential Assessment Considerations'''
'''Potential Assessment Considerations'''
* Are data backups encrypted on media before removal from a secured facility [a]?
* Are all media containing CUI identified [a,b]?
* Are cryptographic mechanisms FIPS validated [a]?
=== KEY REFERENCES ===
=== KEY REFERENCES ===
* NIST SP 800-171 Rev 2 3.8.9
* NIST SP 800-171 Rev 2 3.8.4
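Review bot: in the new revision's Example paragraph, the final sentence ("the labels indicate that distribution is limited to those employees supporting the DoD program [a]") is tagged with objective [a], but the objective list in the same revision defines [a] as applicable CUI markings and [b] as distribution limitations, so that sentence looks like it should map to [b]; please confirm against the source assessment guide before retagging. Separately, the replacement SELECT FROM lists drop the space after several semicolons ("media marking;physical", "security attributes;designated", "responsibilities;personnel", "information media;mechanisms"), while the 3.8.9 lines being removed were consistently spaced; restoring "; " keeps the Examine/Interview/Test lists readable.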

Latest revision as of 23:24, 25 February 2022

Source of Reference: The official CMMC Level 2 Assessment Guide from the Office of the Under Secretary of Defense Acquisition & Sustainment.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

MP.L2-3.8.4 – MEDIA MARKINGS

SECURITY REQUIREMENT

Mark media with necessary CUI markings and distribution limitations.

ASSESSMENT OBJECTIVES

Determine if:

[a] media containing CUI is marked with applicable CUI markings; and
[b] media containing CUI is marked with distribution limitations.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

Examine

[SELECT FROM: System media protection policy; procedures addressing media marking; physical and environmental protection policy and procedures; system security plan; list of system media marking security attributes; designated controlled areas; other relevant documents or records].

Interview

[SELECT FROM: Personnel with system media protection and marking responsibilities; personnel with information security responsibilities].

Test

[SELECT FROM: Organizational processes for marking information media; mechanisms supporting or implementing media marking].

DISCUSSION

The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations.

FURTHER DISCUSSION

All media, hardcopy and digital, must be properly marked to alert individuals to the presence of CUI stored on the media. The National Archives and Records Administration (NARA) has published guidelines for labeling media of different sizes.

MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it desirable to include ownership information on the device label as well.

Example

You were recently contacted by the project team for a new DoD program. The team said they wanted the CUI in use for the program to be properly protected. When speaking with them, you realize that most of the protections will be provided as part of existing enterprise cybersecurity capabilities. They also mentioned that the project team will use several USB drives to share specific data. You explain that the team must ensure the USB drives are externally marked to indicate the presence of CUI [a]. The project team labels the outside of each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the labels indicate that distribution is limited to those employees supporting the DoD program [a].

Potential Assessment Considerations

  • Are all media containing CUI identified [a,b]?

KEY REFERENCES

  • NIST SP 800-171 Rev 2 3.8.4