The Media Protection (MP) domain brings up vital topics related to physical and digital media, and how it should be safeguarded, during storage and transmission. It is critical to understand this domain to ensure CUI (Controlled Unclassified Information) and FCI (Federal Contract Information) are protected.
We will be exploring Media Protection in the following manner:
The main focus of the Media Protection domain is to identify both physical and digital media within your organization, especially media that stores and transmits CUI and FCI. The Media Protection domain covers sanitization or destruction of media with sensitive information.
For CMMC 2.0, there is one practice in CMMC Level 1 for Media Protection, and Level 2 has eight practices. For CMMC Level 3, the MP practices are still in development. Here are the topics detailed in these practices:
Any system media that contains FCI (Federal Contract Information) needs to be sanitized or destroyed before it is disposed of or released for reuse. It is important to note that this applies to digital and non-digital media; examples include media found in workstations, scanners, computers, and mobile devices (digital) and paper or microfilm (non-digital). You can choose to sanitize system media, using methods such as clearing, purging, or cryptographic erasure, or destroy it when those methods are not available for a particular form of media. The goal is to keep sensitive information out of the hands of unauthorized users or malicious entities. Your organization may determine the method of sanitization or destruction as necessary.
Beyond sanitizing or destroying media at the end of its life, protecting system media that contains CUI while it is still in use is equally important. This includes physically controlling and securely storing any media as necessary to prevent unauthorized access. Physically controlling media can mean conducting inventories of your organization's media, maintaining accountability for any media stored and used, and having a check-in and check-out process for any media. Securely storing media can mean keeping media in a locked room or cabinet, or in a controlled media library. Regardless of the method, it is extremely important that accountability is maintained and that you can identify who is using media and for what purpose.
Maintaining and limiting access to media that contains CUI is vital. Media that contains CUI should only be accessible to authorized users. As mentioned above, this can be enforced through physical control or secure storage, as well as the check-in process that records who is accessing any media. For digital media in particular, it is equally important to ensure that proper access control measures are in place and that only users with authorization and explicit permissions can access the media. Marking system media assists in this effort and is also required for media that contains CUI. To clarify, any media containing CUI should be marked with CUI markings and distribution limitations. An example is marking a USB stick that holds CUI as "CUI-Sensitive". The marking of system media is also subject to any applicable Federal laws, policies, or regulations.
Accountability has been mentioned a few times already, and it is worth breaking down so you can understand how to be accountable for system media containing CUI. Accountability comes into question specifically during the use or transport of media, and controlling that access is part of accountability, especially outside of controlled areas. A controlled area is an area or space to which your organization maintains and controls access. Measures to ensure the safety of media during transport outside of these areas can include locked containers or the use of cryptography. It is also important to use authorized transport and courier personnel, to track transport, and to keep records of transport activities. This ensures the safety of the media and prevents loss, destruction, or tampering with system media.
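The inventory, check-in/check-out, and transport accountability described in the two paragraphs above can be expressed as a small custody register. The following is an added example written for this page, not code from CMMC, NIST, or InterSec; the user names, media identifiers, and area names are constructed placeholders, and the rules it enforces (only authorized users may check out CUI media, only authorized couriers may transport it, transport outside a controlled area requires a locked container, and only the current custodian may check an item back in) are one reasonable reading of the text, not a prescribed implementation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class CustodyEvent:
    when: datetime
    action: str          # "check_out", "transport" or "check_in"
    person: str
    detail: str          # purpose, destination or storage location


@dataclass
class MediaItem:
    media_id: str
    marking: str                        # e.g. "CUI" plus its distribution limitation
    location: str                       # current storage location or destination
    custodian: Optional[str] = None     # None while the item sits in secure storage
    history: List[CustodyEvent] = field(default_factory=list)


class MediaRegister:
    """Inventory plus check-out/transport/check-in accountability for CUI media."""

    def __init__(self, authorized_users: Set[str], authorized_couriers: Set[str],
                 controlled_areas: Set[str]) -> None:
        self.items: Dict[str, MediaItem] = {}
        self.authorized_users = authorized_users
        self.authorized_couriers = authorized_couriers
        self.controlled_areas = controlled_areas

    def _log(self, item: MediaItem, action: str, person: str, detail: str) -> None:
        item.history.append(CustodyEvent(datetime.now(timezone.utc), action, person, detail))

    def register(self, item: MediaItem) -> None:
        if item.location not in self.controlled_areas:
            raise ValueError(f"{item.media_id}: must be registered into a controlled area")
        self.items[item.media_id] = item

    def check_out(self, media_id: str, person: str, purpose: str) -> None:
        item = self.items[media_id]
        if person not in self.authorized_users:
            raise PermissionError(f"{person} is not authorized for {item.marking} media")
        if item.custodian is not None:
            raise RuntimeError(f"{media_id} is already checked out to {item.custodian}")
        item.custodian = person
        self._log(item, "check_out", person, purpose)

    def transport(self, media_id: str, courier: str, destination: str,
                  locked_container: bool) -> None:
        item = self.items[media_id]
        if item.custodian is None:
            raise RuntimeError(f"{media_id} must be checked out before transport")
        if courier not in self.authorized_couriers:
            raise PermissionError(f"{courier} is not an authorized courier")
        if destination not in self.controlled_areas and not locked_container:
            raise ValueError(f"{media_id}: leaving a controlled area requires a locked container")
        item.location = destination
        self._log(item, "transport", courier, destination)

    def check_in(self, media_id: str, person: str, location: str) -> None:
        item = self.items[media_id]
        if person != item.custodian:
            raise PermissionError(f"{person} is not the custodian of {media_id}")
        if location not in self.controlled_areas:
            raise ValueError(f"{location} is not a controlled area")
        item.custodian = None
        item.location = location
        self._log(item, "check_in", person, location)

    def reconcile(self, observed_ids: Set[str]) -> Dict[str, List[str]]:
        """Compare a physical inventory count against the register."""
        in_storage = {mid for mid, it in self.items.items() if it.custodian is None}
        return {
            "missing": sorted(in_storage - observed_ids),          # expected on the shelf, not seen
            "unregistered": sorted(observed_ids - set(self.items)),  # seen, but never registered
            "checked_out": sorted(set(self.items) - in_storage),     # legitimately with a custodian
        }


def example_register() -> MediaRegister:
    """Constructed walk-through with placeholder names and identifiers."""
    reg = MediaRegister({"alice"}, {"courier-1"}, {"media-library", "site-b-vault"})
    reg.register(MediaItem("USB-0001", "CUI", "media-library"))
    reg.register(MediaItem("HDD-0002", "CUI", "media-library"))
    reg.check_out("USB-0001", "alice", "contract deliverable review")
    reg.transport("USB-0001", "courier-1", "site-b-vault", locked_container=True)
    reg.check_in("USB-0001", "alice", "site-b-vault")
    return reg


if __name__ == "__main__":
    reg = example_register()
    for event in reg.items["USB-0001"].history:
        print(event.when.isoformat(), event.action, event.person, event.detail)
    print(reg.reconcile({"USB-0001"}))
```

The `reconcile` method is the piece that turns the register into an inventory control: an item that should be in storage but was not seen during a count shows up as `missing`, and an item seen on the shelf that was never registered shows up as `unregistered`, both of which are findings to follow up on.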
While we have discussed restricting user access to media, it is also important to discuss restricting certain types of (removable) media on the systems in your organization. This is a media protection requirement as well and focuses on external storage devices such as flash drives or external hard disk drives. Your organization determines how these may be used and restricted, and may employ technical or nontechnical controls to meet this requirement. For example, an organization may control the use of portable storage devices by allowing them only on approved systems or certain types of systems. This leads to another topic, which is shared media. An organization must prohibit the use of portable storage devices when the device in question does not have an identifiable owner. Without an owner, the content of the device cannot be verified, and it could contain malicious files. Devices such as these should therefore be strictly prohibited.
As an organization, you likely store backups of system media. Protecting this media is also part of this domain, and your organization is required to protect the confidentiality of backup CUI at its designated storage locations. Your organization may implement cryptographic mechanisms or physical controls to restrict access. As long as the backups are secured just as well as the original information, you are in good shape. The method of protection is up to the organization, but protection is a must.
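Two of the practices above, cryptographic erasure as a sanitization method and cryptographic protection of backup CUI, rest on the same idea: the bytes physically on the medium are only ever ciphertext, and the key lives somewhere else. The following is an added example written for this page, not code from CMMC, NIST, or InterSec. It models a backup medium whose media encryption key is held off the medium, writes a constructed (not real) CUI record to it, verifies that no plaintext is visible in the stored bytes, performs a crypto-erase by destroying the key, and then verifies that the contents can no longer be read. The HMAC-SHA256 counter-mode keystream is a constructed stand-in so the example runs with the standard library alone; a real deployment would rely on a self-encrypting drive or an authenticated cipher from a vetted library.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a key-dependent keystream with HMAC-SHA256 in counter mode.

    Constructed for illustration only; it is not a production cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedMedium:
    """Model of a backup tape, self-encrypting drive or USB volume whose stored
    bytes are always ciphertext under a media encryption key (MEK) kept elsewhere."""

    def __init__(self, media_id: str) -> None:
        self.media_id = media_id
        self._mek = secrets.token_bytes(32)   # held in a key store, never on the medium
        self.stored = b""                      # the bytes physically present on the medium

    def write(self, plaintext: bytes) -> None:
        nonce = secrets.token_bytes(16)
        self.stored = nonce + _xor(plaintext, _keystream(self._mek, nonce, len(plaintext)))

    def read(self) -> bytes:
        if self._mek is None:
            raise PermissionError(f"{self.media_id}: MEK destroyed, contents unrecoverable")
        nonce, body = self.stored[:16], self.stored[16:]
        return _xor(body, _keystream(self._mek, nonce, len(body)))

    def crypto_erase(self) -> None:
        """Sanitize by destroying the key; the ciphertext may remain on the medium."""
        self._mek = None

    def exposes_plaintext(self, marker: bytes) -> bool:
        """Verification step: does a known plaintext fragment appear in the raw stored bytes?"""
        return marker in self.stored


def backup_lifecycle(cui_record: bytes) -> dict:
    """Write, verify, crypto-erase and re-verify one backup medium.

    Returns the observations an assessor would want recorded for the practice.
    """
    medium = EncryptedMedium("BACKUP-TAPE-0001")   # constructed identifier
    medium.write(cui_record)
    readable_before = medium.read() == cui_record
    plaintext_at_rest = medium.exposes_plaintext(cui_record[:16])
    medium.crypto_erase()
    try:
        medium.read()
        readable_after = True
    except PermissionError:
        readable_after = False
    return {
        "readable_before_erase": readable_before,
        "plaintext_visible_at_rest": plaintext_at_rest,
        "readable_after_erase": readable_after,
        "ciphertext_still_present": len(medium.stored) > 0,
    }


if __name__ == "__main__":
    # Constructed sample record; not real CUI.
    print(backup_lifecycle(b"CUI//SP-CTI: constructed sample backup record for illustration"))
```

The point of `exposes_plaintext` is that sanitization is verified, not assumed: after a crypto-erase the ciphertext is still physically there (`ciphertext_still_present` stays true), which is acceptable only because the key is gone; if the check ever reported plaintext at rest, the medium was never actually protected and key destruction alone would not sanitize it.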
The requirements within this domain focus heavily on the protection, sanitization, and destruction of system media containing CUI or FCI. The storage and transmission of this data are also covered, and properly implementing these practices ensures your organizational data is secure and CUI is protected.
For CMMC Level 1, your organization will have to perform a self-assessment for the sole practice required within Media Protection. For CMMC Level 2, your organization will have to look further into the eight practices required and provide proper implementation and documentation. Here is some guidance on what to include or look for:
Media Protection is an important domain within CMMC that is required to be implemented by your organization. The self-assessment of a CMMC practice and the assessment performed by a Certified Assessor result in one of three possible findings: 'MET', 'NOT MET', or 'NOT APPLICABLE'.
At either CMMC Level, a finding of 'NOT MET' means you are not compliant.
InterSec Inc's CMMC advisory, consulting, and cybersecurity services have helped many defense contractors in industries ranging from Professional Services and Health to Manufacturing comply with NIST 800-171, CMMC, FedRAMP, HITECH, and other frameworks. InterSec is a CMMC-AB RPO. Our team of Registered Practitioners and Certified Assessors can help you achieve cost-effective compliance.
You may already have security measures that address the CMMC requirements, but if you are unsure how they stack up against the latest CMMC 2.0 standards and certification expectations, our free CMMC self-assessment can help you find out your CMMC posture. Complying with these Media Protection (MP) practices brings you one step closer to the next domain and to your CMMC compliance.
If you need help with CMMC compliance, you can schedule a 30-minute free consultation with our experts.