CMMC v2.11 Practices

MP.L2-3.8.6  

Reference: CMMC v2.11

Family: MP

Level Introduced: 2

Title: Portable Storage Encryption

Practice:
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

Further Discussion:
CUI can be stored and transported on a variety of portable media, which increases the chance that the CUI can be lost. When identifying the paths CUI flows through your company, identify devices to include in this requirement.

To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect the data. Even if the media are lost, proper encryption renders the data inaccessible. When encryption is not an option, apply alternative physical safeguards during transport.

Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.

This requirement, MP.L2-3.8.6, provides additional protections to those provided by MP.L2-3.8.5. This requirement is intended to protect against situations where control of media access fails, such as through the loss of the media.

Example
You manage the backups for file servers in your datacenter. You know that in addition to the company’s sensitive information, CUI is stored on the file servers. As part of a broader plan to protect data, you send the backup tapes off site to a vendor. You are aware that your backup software provides the option to encrypt data onto tape. You develop a plan to test and enable backup encryption for the data sent off site. This encryption provides additional protections for the data on the backup tapes during transport and offsite storage [a].

Potential Assessment Considerations
• Are all CUI data on media encrypted or physically protected prior to transport outside of controlled areas [a]?
• Are cryptographic mechanisms used to protect digital media during transport outside of controlled areas [a]?
• Do cryptographic mechanisms comply with FIPS 140-2 [a]?

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

Source: CMMC v2.11