Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY MP

MP.L2-3.8.5

Media Accountability

Requirement

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Further discussion

CUI is protected in both physical and digital formats. Physical control can be accomplished using traditional concepts like restricted access to physical locations or locking papers in a desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on. This makes digital CUI data very portable. It is important for an organization to apply mechanisms to prevent unauthorized access to CUI due to ease of transport. Example Your team has recently completed configuring a server for a DoD customer. The customer has asked that it be ready to plug in and use. An application installed on the server contains data that is considered CUI. You box the server for shipment using tamper-evident packaging and label it with the specific recipient for the shipment [b]. You select a reputable shipping service so you will get a tracking number to monitor the progress. Once the item is shipped, you send the recipients the tracking number so they can monitor and ensure prompt delivery at their facility. Potential Assessment Considerations • Do only approved individuals have access to media containing CUI [a]? • Is access to the media containing CUI recorded in an audit log [b]? • Is all CUI data on media encrypted or physically locked prior to transport outside of secure locations [b]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/