3.4.11

Requirement

a. Identify and document the location of CUI and the system components on which the information is processed and stored.
b. Document changes to the system or system component location where CUI is processed and stored.

Discussion

Information location addresses the need to understand the specific system components where CUI is being processed and stored and the users who have access to CUI so that appropriate protection mechanisms can be provided, including information flow controls, access controls, and information management.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: configuration management policy and procedures; configuration management plan; procedures for identification and documentation of information location; system audit records; architecture documentation; system design documentation; list of users with system and system component access; change control records; system component inventory; system security plan; other relevant documents or records]
Interview

[SELECT FROM: processes governing information location; mechanisms for enforcing policies and methods for governing information location]
Test

[SELECT FROM: personnel with responsibilities for managing information location and user access; personnel with responsibilities for operating, using, or maintaining the system; personnel with information security responsibilities; system developers; system administrators]

ID	Assessment Objectives
A.03.04.11.a[01]	the location of CUI is identified and documented.
A.03.04.11.a[02]	the system components on which CUI is processed are identified and documented.
A.03.04.11.a[03]	the system components on which CUI is stored are identified and documented.
A.03.04.11.b[01]	changes to the system or system component location where CUI is processed are documented.
A.03.04.11.b[02]	changes to the system or system component location where CUI is stored are documented.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!