Level 5 CMMC - CMMC Practices

MP.2.119  

Reference: CMMC 1.02

Family: MP

Level Introduced: 2

Practice:
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

CMMC Clarification:
Physical CUI includes two types of items:
• hardcopy (e.g., paper, microfilm); and
• digital devices (e.g., CD drives, flash drives, video).
You should store physical CUI in a secure location. This location should be accessible only to those people with the proper permissions. All who access CUI should follow the process for checking out and returning it.

Example
Your organization has CUI for a specific Army contract. The Army gave you the CUI on a CD. You store the CD in a locked drawer and you log the CUI CD in an inventory. You also establish a procedure to check out the CD when your employees need to use it.

3.8.1

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

Discussion:
System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.

Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media.

[SP 800-111] provides guidance on storage encryption technologies for end user devices.

Source: NIST Special Publication 800-171 Rev. 2

MP-4

MEDIA STORAGE

Description:
The organization:
    a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
    b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

Supplemental Guidance:
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02