Back to Control Explorer
MP.3.124
Content
Control Acronym
MP
Family
Media Protection
CMMC Level
3
800-171 Control #
3.8.5
CMMC Description
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
CMMC Clarification
Protection of Controlled Unclassified Information (CUI) is applicable to physical and digital formats. Physical control can be accomplished using traditional concepts like restricted access to physical locations or locking papers in a desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be stored and transported on magnetic disks, tapes, USB drives, CD-ROMs, and so on. This makes digital CUI data very portable. As a result of the portability it is important for an organization to apply mechanisms to prevent unauthorized access to CUI. Example 1 Your organization recently was awarded a Department of Defense (DoD) contract. The contract requires processing of Controlled Unclassified Information (CUI). While reviewing the security requirements you read about controlling access to media. Aspects of your project will require machining specific parts for a DoD platform. The parts will be made in a room where the CUI is stored. The machining tool references the CUI data to produce the part. The room is isolated but generally accessible to all staff. To ensure you meet the requirements to protect the data you decide to install a separate badge reader on the door to the room. The badge reader will be used to restrict and log access to staff on the project. . You also write a policy requiring all portable media or printed documents containing CUI to be stored in the locked filing cabinets installed in the room and to require each person entering the room to badge in with no access allowed for those who have not been issued a badge. You train all employees on this policy when you issue them their new badge. Example 2 Your team has recently completed setup of a server. The sponsor has asked that it be ready to plug in and use. You are aware that the application code created for the sponsor is considered to be Controlled Unclassified Information (CUI). As you box the server for shipment using tamper-evident packaging, you label it with the specific recipient for the shipment. You will also be using a shipping service so you will get a tracking number to monitor the progress. Once completed you send the recipient the tracking number so they can monitor and ensure prompt delivery at their facility.
800-171 Description
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
800-171 Discussion
Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.
Other Source Discussion
N/A
CIS Control References
NIST 800-53 Control Ref.
NIST SP 800-53 Rev 4 MP-5
CMMC Derived
NIST CSF Control References
NIST 800-171 References
NIST SP 800-171 Rev 1 3.8.5
Applicable FAR Clause
NIST CSF Control Reference
NIST CSF v1.1 PR.PT-2
CERT RMM Reference
CERT RMM v1.2 KIM:SG4.SP2
Modification of NIST 800-171B Reference
NIST 800-171B Reference
UK NCSCCyber Reference
AS ACSC Reference
Sub-Criterias
Assessment Sub-Criteria 1
MP.3.124.[a] access to media containing CUI is controlled; and
Assessment Sub-Criteria 2
MP.3.124.[b] accountability for media containing CUI is maintained during transport outside of controlled areas.