MP.2.119

Control Acronym

MP

Family

Media Protection

CMMC Level

2

800-171 Control #

3.8.1

CMMC Description

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

CMMC Clarification

Physical CUI includes two types of items: * hardcopy (e.g., paper, microfilm) * digital devices (e.g., CD drives, flash drives, video). You should store physical CUI in a secure location. This location should be accessible only to those people with the proper permissions. All who access CUI should follow the process for checking out and returning it. Example Your organization has CUI for a specific Army contract. The Army gave you the CUI on a CD. You store the CD in a locked drawer and you log the CUI CD in an inventory. You also establish a procedure to check out the CD when your employees need to use it.

800-171 Description

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

800-171 Discussion

System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library. Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. [SP 800-111] provides guidance on storage encryption technologies for end user devices.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MP-4

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.8.1

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.PT-2

CERT RMM Reference

CERT RMM v1.2 KIM:SG2.SP2

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

MP.2.119.[a] paper media containing CUI is physically controlled;

Assessment Sub-Criteria 2

MP.2.119.[b] digital media containing CUI is physically controlled;

Assessment Sub-Criteria 3

MP.2.119.[c] paper media containing CUI is securely stored; and

Assessment Sub-Criteria 4

MP.2.119.[d] digital media containing CUI is securely stored.

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15