Level 5 CMMC - CMMC Practices

MP.3.124  

Reference: CMMC 1.02

Family: MP

Level Introduced: 3

Practice:
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

CMMC Clarification:
Protection of Controlled Unclassified Information (CUI) is applicable to physical and digital formats. Physical control can be accomplished using traditional concepts like restricted access to physical locations or locking papers in a desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on. This makes digital CUI data very portable. As a result of the portability it is important for an organization to apply mechanisms to prevent unauthorized access to CUI.

Example 1
Your organization recently was awarded a Department of Defense (DoD) contract. The contract requires processing of Controlled Unclassified Information (CUI). While reviewing the security requirements you read about controlling access to media. Aspects of your project will require machining specific parts for a DoD platform. The parts will be made in a room where the CUI is stored. The machining tool references the CUI data to produce the part. The room is isolated but generally accessible to all staff. To ensure you meet the requirements to protect the data you decide to install a separate badge reader on the door to the room. The badge reader will be used to restrict and log access to staff on the project. . You also write a policy requiring all portable media or printed documents containing CUI to be stored in the locked filing cabinets installed in the room and to require each person entering the room to badge in with no access allowed for those who have not been issued a badge. You train all employees on this policy when you issue them their new badge.

Example 2
Your team has recently completed setup of a server. The sponsor has asked that it be ready to plug in and use. You are aware that the application code created for the sponsor is considered to be Controlled Unclassified Information (CUI). As you box the server for shipment using tamper-evident packaging, you label it with the specific recipient for the shipment. You will also be using a shipping service so you will get a tracking number to monitor the progress. Once completed you send the recipient the tracking number so they can monitor and ensure prompt delivery at their facility.

3.8.5

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Discussion:
Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.

Source: NIST Special Publication 800-171 Rev. 2

MP-5

MEDIA TRANSPORT

Description:
The organization:
    a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
    b. Maintains accountability for information system media during transport outside of controlled areas;
    c. Documents activities associated with the transport of information system media; and
    d. Restricts the activities associated with the transport of information system media to authorized personnel.

Supplemental Guidance:
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.
Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02