MP.L2-3.8.5

  • Requirement

    Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

  • Discussion

    Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.

More Info

  • Title

    Media Accountability
  • Domain

    Media Protection
  • CMMC Level

    2
  • Related NIST 800-171 ID

  • Related NIST 800-53 ID

    MP-5

  • DoD Scoring Methodology Points

    1

  • Reference Documents

    • N/A

  • Further Discussion

    CUI is protected in both physical and digital formats. Physical control can be accomplished using traditional concepts like restricted access to physical locations or locking papers in a desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on. This makes digital CUI data very portable. It is important for an organization to apply mechanisms to prevent unauthorized access to CUI due to ease of transport.

    Example

    Your team has recently completed configuring a server for a DoD customer. The customer has asked that it be ready to plug in and use. An application installed on the server contains data that is considered CUI. You box the server for shipment using tamper-evident packaging and label it with the specific recipient for the shipment [b]. You select a reputable shipping service so you will get a tracking number to monitor the progress. Once the item is shipped, you send the recipients the tracking number so they can monitor and ensure prompt delivery at their facility.

    Potential Assessment Considerations

    • Do only approved individuals have access to media containing CUI [a]?
    • Is access to the media containing CUI recorded in an audit log [b]?
    • Is all CUI data on media encrypted or physically locked prior to transport outside of secure locations [b]?

NIST 800-171A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!