MP.2.121

Control Acronym

MP

Family

Media Protection

CMMC Level

2

800-171 Control #

3.8.7

CMMC Description

Control the use of removable media on system components.

CMMC Clarification

Removable media is any type of media storage that you can remove from your computer or machine, for example, CDs, DVDs, diskettes and USB drives. Write a specific policy for removable media for your company. The policy should cover that there are two types of removable media: write-once media and rewritable media. Limit the use of removable media to the smallest number needed. Scan all removable media for viruses. Track removable media that you own and make sure you reuse and dispose of it properly. Example You are in charge of IT operations at your company. You establish a policy for USB drives. All of them must be scanned for viruses and bugs before use on the company’s networks. You set up a separate computer to scan these drives before anyone uses them on the network. This computer has anti-virus software installed that is kept up to date.

800-171 Description

Control the use of removable media on system components.

800-171 Discussion

In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices.Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable27 The implementation of this requirement is per marking guidance in [32 CFR 2002] and [NARA CUI]. Standard Form (SF) 902 (approximate size 2.125” x 1.25”) and SF 903 (approximate size 2.125” x .625”) can be used on media that contains CUI such as hard drives, or USB devices. Both forms are available from https://www.gsaadvantage.gov. SF 902: NSN 7540-01-679-3318. SF 903: NSN 7540-01-679-3319. storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 13.7, 13.8

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MP-7

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.8.7

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.PT-2

CERT RMM Reference

CERT RMM v1.2 MON:SG2.SP4

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

MP.2.121.[a] the use of removable media on system components is controlled.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15