CMMC Practice Number: MP.L2-3.8.6
CMMC Level: 2
CMMC Domain: Media Protection (MP)
Practice Summary:
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Contents:
CMMC Practice Implementation
Assessment Objectives
Determine if:
[a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
Practice Clarification (DOD, CMU)
CUI can be stored and transported on a variety of portable media, which increases the chance that the CUI can be lost. When identifying the paths CUI flows through your company, identify devices to include in this practice.
To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect the data. Even if the media are lost, proper encryption renders the data inaccessible. When encryption is not an option, apply alternative physical safeguards during transport. This practice, MP.L2-3.8.6, provides additional protections to those provided by MP.L2-3.8.5. This practice is intended to protect against situations where control of media access fails, such as through the loss of the media.
Example
You manage the backups for file servers in your datacenter. You know that in addition to the company’s sensitive information, CUI is stored on the file servers. As part of a broader plan to protect data, you send the backup tapes off site to a vendor. You are aware that your backup software provides the option to encrypt data onto tape. You develop a plan to test and enable backup encryption for the data sent off site. This encryption provides additional protections for the data on the backup tapes during transport and offsite storage [a].
Potential Assessment Considerations
• Are all CUI data on media encrypted or physically protected prior to transport outside of controlled areas [a]?
• Are cryptographic mechanisms used to protect digital media during transport outside of controlled areas [a]?
• Do cryptographic mechanisms comply with FIPS 140-2 [a]?
Where To Look
- System media protection policy;
- procedures addressing media transport;
- system design documentation;
- system security plan;
- system configuration settings and associated documentation;
- system media transport records;
- system audit logs and records;
- other relevant documents or records.
Who To Talk To
- Personnel with system media transport responsibilities;
- personnel with information security responsibilities.
Perform Test On
- Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas.
Additional Information
This requirement also applies to mobile computing and communications devices with information storage capability (e.g., notebooks/laptop computers, personal digital assistants, cell/smart phones, digital cameras and audio recording devices) that are transported outside of controlled areas. Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail).
Key vaults help safeguard the cryptographic keys and secrets used by systems, applications, and services. By using a key vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, and passwords) with keys that are protected by hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. Key vaults streamline the key management process and enable you to maintain control of the keys that access and encrypt your data.
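As an added illustration of the encryption scheme and the key-vault pattern described above (example code, not part of the CMMC source material): envelope encryption of a backup set in Go with AES-256-GCM, where a fresh data encryption key (DEK) protects the CUI and is itself wrapped under a key encryption key (KEK) that would live in the vault or HSM, so only the wrapped DEK and the ciphertext travel with the media. The package layout, function names and the keys used in the test are assumptions; a production deployment would use a FIPS 140-2 validated module and the vault's own wrap/unwrap operation in place of the local KEK shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MediaPackage is what travels with the tape or drive: the encrypted CUI plus its
// data encryption key (DEK) wrapped under a key encryption key (KEK).
type MediaPackage struct{ WrappedDEK, Payload []byte }

// KeyFor turns 32 raw key bytes into an AES-256-GCM key; any other length is a bug.
func KeyFor(raw []byte) cipher.AEAD {
	block, err := aes.NewCipher(raw)
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts and authenticates data; blob layout is nonce || ciphertext || tag.
func seal(k cipher.AEAD, data []byte) []byte {
	nonce := make([]byte, k.NonceSize())
	rand.Read(nonce) // fresh nonce per blob; Go 1.24+ rand.Read cannot fail
	return k.Seal(nonce, nonce, data, nil)
}

// unseal reverses seal; a modified blob or wrong key yields an error, never plaintext.
func unseal(k cipher.AEAD, blob []byte) ([]byte, error) {
	if ns := k.NonceSize(); len(blob) >= ns {
		return k.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
}

// EncryptForTransport draws a fresh DEK per media set, seals the CUI under it and
// seals the DEK under the KEK (envelope encryption); the KEK never leaves the vault/HSM.
func EncryptForTransport(kek cipher.AEAD, cui []byte) MediaPackage {
	dek := make([]byte, 32)
	rand.Read(dek)
	return MediaPackage{WrappedDEK: seal(kek, dek), Payload: seal(KeyFor(dek), cui)}
}

// DecryptFromTransport unwraps the DEK with the KEK (a wrong KEK fails here), then opens the payload.
func DecryptFromTransport(kek cipher.AEAD, pkg MediaPackage) ([]byte, error) {
	dek, err := unseal(kek, pkg.WrappedDEK)
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	return unseal(KeyFor(dek), pkg.Payload)
}
```

Losing the media now exposes only authenticated ciphertext and a wrapped key; without the KEK held in the vault, neither a flipped bit nor a guessed key yields any plaintext.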
CMMC Practice Background and References (DOD, CMU)
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives).
NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
CMMC References:
· NIST SP 800-171 Rev 1 3.8.6
· CIS Controls v7.1 13.9
· CERT RMM v1.2 KIM:SG4.SP1
· NIST SP 800-53 Rev 4 MP-5(4)