Back to Control Explorer

MP.3.125

Content

Control Acronym

MP

Family

Media Protection

CMMC Level

3

800-171 Control #

3.8.6

CMMC Description

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

CMMC Clarification

CUI can be stored and transported on a variety of media like magnetic disks, tapes, USB drives, CD-ROMs, and so on. This makes digital CUI data very portable. The portability increases the chance that the media is lost. When identifying the paths CUI flows through your organization, identify devices to include in this practice. To mitigate the risk of losing or exposing CUI an organization should implement an encryption scheme to protect the data. Even if the media is lost the fact that it is properly encrypted renders the data inaccessible to other people. When encryption is not an option, alternative physical sageguards should be applied during transport. Example You manage the backups for file servers in your datacenter. In addition to the organization‘s sensitive information you know that CUI is stored on the file servers. As part of a broader plan to protect data your organization has begun sending the backup tapes off-site to a vendor. You are aware that your backup software provides the option to encrypt data onto tape. You develop a plan to test and enable backup encryption for the data sent off site. This will encrypt the data on the backup tapes while they are being transported.

800-171 Description

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

800-171 Discussion

This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives). See [NIST CRYPTO]. [SP 800-111] provides guidance on storage encryption technologies for end user devices.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 13.9

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MP-5(4)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.8.6

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

CERT RMM v1.2 KIM:SG4.SP1

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Sub-Criterias

Assessment Sub-Criteria 1

MP.3.125.[a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15