CMMC v2.11 Practices

MP.L2-3.8.1  

Reference: CMMC v2.11

Family: MP

Level Introduced: 2

Title: Media Protection

Practice:
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

Further Discussion:
CUI can be contained on two types of physical media:
• hardcopy (e.g., CD drives, USB drives, magnetic tape); and
• digital devices (e.g., CD drives, USB drives, video).

You should store physical media containing CUI in a secure location. This location should be accessible only to those people with the proper permissions. All who access CUI should follow the process for checking it out and returning it.

Example
Your company has CUI for a specific Army contract contained on a USB drive. You store the drive in a locked drawer, and you log it on an inventory [d]. You establish a procedure to check out the USB drive so you have a history of who is accessing it. These procedures help to maintain the confidentiality, integrity, and availability of the data.

Potential Assessment Considerations
• Is hardcopy media containing CUI handled only by authorized personnel according to defined procedures [a]?
• Is digital media containing CUI handled only by authorized personnel according to defined procedures [b]?
• Is paper media containing CUI physically secured (e.g., in a locked drawer or cabinet) [c]?
• Is digital media containing CUI securely stored (e.g., in access-controlled repositories) [d]?

Source: CMMC v2.11