Back to Control Explorer
MP.2.120
Content
Control Acronym
MP
Family
Media Protection
CMMC Level
2
800-171 Control #
3.8.2
CMMC Description
Limit access to CUI on system media to authorized users.
CMMC Clarification
Limit physical access to CUI to people permitted to access CUI. Use locked or controlled storage areas and limit access to only those allowed to access CUI. Keep track of who accesses physical CUI in some sort of record. Example Your organization has CUI for a specific Army contract. The Army gave you the CUI on a CD. You store the CD in a locked drawer. The only employees with access to the drawer are those assigned to the project. They are the only people allowed to access CUI. When someone removes the CD for work, they sign it out with their name and time. When they return the CD to the locked drawer, they sign it back in.
800-171 Description
Limit access to CUI on system media to authorized users.
800-171 Discussion
Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.
Other Source Discussion
N/A
CIS Control References
CIS Controls v7.1 14.6
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 MP-2
CMMC Derived
NIST CSF Control References
NIST 800-171 References
NIST SP 800-171 Rev 1 3.8.2
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 PR.PT-2
CERT RMM Reference
CERT RMM v1.2 MON:SG2.SP4
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
MP.2.120.[a] access to CUI on system media is limited to authorized users.