CMMC v2.11 Practices

MP.L2-3.8.5  

Reference: CMMC v2.11

Family: MP

Level Introduced: 2

Title: Media Accountability

Practice:
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Further Discussion:
CUI is protected in both physical and digital formats. Physical control can be accomplished using traditional concepts like restricted access to physical locations or locking papers in a desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on. This makes digital CUI data very portable. It is important for an organization to apply mechanisms to prevent unauthorized access to CUI due to ease of transport.

Example
Your team has recently completed configuring a server for a DoD customer. The customer has asked that it be ready to plug in and use. An application installed on the server contains data that is considered CUI. You box the server for shipment using tamper-evident packaging and label it with the specific recipient for the shipment [b]. You select a reputable shipping service so you will get a tracking number to monitor the progress. Once the item is shipped, you send the recipients the tracking number so they can monitor and ensure prompt delivery at their facility.

Potential Assessment Considerations
• Do only approved individuals have access to media containing CUI [a]?
• Is access to the media containing CUI recorded in an audit log [b]?
• Is all CUI data on media encrypted or physically locked prior to transport outside of secure locations [b]?

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

Source: CMMC v2.11