CMMC Practice Number: MP.L2-3.8.2
CMMC Level: 2 CMMC Domain: Media Protection (MP)
Practice Summary:
Limit access to CUI on system media to authorized users.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] access to CUI on system media is limited to authorized users.
Practice Clarification (DOD, CMU)
Limit physical access to CUI to people permitted to access CUI. Use locked or controlled storage areas and limit access to only those allowed to access CUI [a]. Keep track of who accesses physical CUI in an audit log.
Example
Your company has CUI for a specific Army contract contained on a USB drive. In order to control the data, you establish specific procedures for handling the drive. You designate the project manager as the owner of the data and require anyone who needs access to the data to get permission from the data owner [a]. The data owner maintains a list of users that are
authorized to access the information. Before an authorized individual can get access to the USB drive that contains the CUI they have to fill out a log and check out the drive. When they are done with the data, they check in the drive and return it to its secure storage location.
Potential Assessment Considerations
• Is a list of users who are authorized to access the CUI contained on system media maintained [a]?
Where To Look
- System media protection policy;
- procedures addressing media storage;
- physical and environmental protection policy and procedures;
- access control policy and procedures;
- system security plan;
- system media;
- designated controlled areas;
- other relevant documents or records.
Who To Talk To
- Personnel with system media protection and storage responsibilities;
- personnel with information security responsibilities.
Perform Test On
- Organizational processes for storing media;
- mechanisms supporting or implementing secure media storage and media protection.
Additional Information
Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which companies provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by companies to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the company or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.
CMMC References:
· NIST SP 800-171 Rev 1 3.8.2
· CIS Controls v7.1 14.6
· NIST CSF v1.1 PR.PT-2
· CERT RMM v1.2 MON:SG2.SP4
· NIST SP 800-53 Rev 4 MP-2