Are you prepared to continue to progress on your Cybersecurity Maturity Model Certification (CMMC) journey? The third domain in CMMC Level 1 is Media Protection. This domain's purpose and focus is the sanitization of media. In this post, we will build on our knowledge of the domains and practices of Level 1, continuing our discussion with the sole practice of Media Protection, MP.1.118.
What is a CMMC Assessment?
A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21).
What is Media Protection – MP.1.118?
The sole practice in the Media Protection domain, MP.1.118, has a requirement to "Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse." The most important thing to note is that this requirement applies to ALL system media, digital or non-digital, subject to disposal or reuse. This means that you have to be wary of all media that your company retains or uses that contains information that is no longer reusable or needs to be disposed of. The media can be something as simple as a document containing FCI, or something on your system hard drive that contains information from a previous project. Sanitization techniques include (but are not limited to) clearing, purging, cryptographic erase, and destruction. It is also vital to know when to destroy information rather than just clearing it, as clearing is not always an acceptable option in certain situations.
In order to work towards achieving this requirement, you need to ensure that all media (again, digital and non-digital) is reviewed and assessed for FCI or other sensitive information. You or someone in your company should always do the following when assessing this media: clear or purge the information (if you want to reuse the device) or shred or destroy the device so it cannot be read. A great place to start, if you haven't already, is to review the NARA policy and guidance that control sanitization processes for controlled unclassified information, as well as NIST SP 800-88 for guidance on media sanitization.
What are the MP.1.118 Assessment Objectives and Objects?
Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine whether a practice is satisfied. Assessment objects identify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals).
MP.1.118 assessment objectives: System media containing FCI is sanitized or destroyed before disposal, and System media containing FCI is sanitized before it is released for reuse.
MP.1.118 assessment objects: A C3PAO can assess document-based artifacts associated with your system; hardware, software, or firmware safeguards; protection-related actions supporting your system that involve people; and any other personnel related to these elements.
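The two assessment objectives above are easy to turn into a check over your own media sanitization records, which is one of the artifacts a C3PAO may examine. The following is an added example, not code from the original post: it validates constructed sanitization records against the "sanitized or destroyed before disposal" and "sanitized before reuse" objectives. The record fields and method names are assumptions; the methods are the categories the post lists from NIST SP 800-88.

```python
# Added example, not from the original post: validate constructed media
# sanitization records against the two MP.1.118 assessment objectives.
# Field and method names are assumptions; the methods are the categories the
# post lists (clearing, purging, cryptographic erase, destruction).
from dataclasses import dataclass
from typing import Dict, List, Optional

SANITIZE = {"clear", "purge", "cryptographic_erase"}   # media may be reused
DESTROY = {"destroy"}                                   # media cannot be reused

@dataclass
class MediaRecord:
    media_id: str
    media_type: str            # "hdd", "ssd", "paper": digital or non-digital
    contains_fci: bool
    disposition: str           # "disposal" or "reuse"
    method: Optional[str] = None
    verified: bool = False     # sanitization verified before release

def check_record(rec: MediaRecord) -> List[str]:
    """Return findings; an empty list means the record satisfies MP.1.118."""
    if rec.disposition not in ("disposal", "reuse"):
        return [f"{rec.media_id}: unknown disposition {rec.disposition!r}"]
    if not rec.contains_fci:
        return []              # the practice applies only to media holding FCI
    if rec.method is None:
        return [f"{rec.media_id}: released for {rec.disposition} without sanitization"]
    if rec.method not in SANITIZE | DESTROY:
        return [f"{rec.media_id}: unrecognised method {rec.method!r}"]
    findings = []
    if rec.disposition == "reuse" and rec.method in DESTROY:
        findings.append(f"{rec.media_id}: destroyed media cannot be released for reuse")
    if not rec.verified:
        findings.append(f"{rec.media_id}: sanitization not verified before {rec.disposition}")
    return findings

def audit(records: List[MediaRecord]) -> Dict[str, List[str]]:
    """Map each media id to its findings for assessor review."""
    return {r.media_id: check_record(r) for r in records}

# Constructed sample records (not a real inventory)
SAMPLE = [
    MediaRecord("hdd-01", "hdd", True, "reuse", "purge", True),
    MediaRecord("ssd-02", "ssd", True, "reuse", "cryptographic_erase", False),
    MediaRecord("doc-03", "paper", True, "disposal", None),
    MediaRecord("usb-04", "usb", False, "disposal"),
    MediaRecord("hdd-05", "hdd", True, "reuse", "destroy", True),
]
```

Running `audit(SAMPLE)` flags the unverified SSD, the paper document disposed of without sanitization, and the destroyed drive marked for reuse, while the purged drive and the non-FCI USB stick pass.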
What are the Assessment Methods for MP.1.118?
Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for MP.1.118:
Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. With regard to MP.1.118, a C3PAO may examine procedures addressing media sanitization and disposal, applicable standards and policies addressing media sanitization, or media sanitization records.
Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. A C3PAO may interview personnel with media sanitization responsibilities.
Test: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. All assessment objects that a C3PAO can examine for MP.1.118 are susceptible to testing, as well as organizational processes for uniquely identifying and authenticating users.
How Do I Know if I'm Complying with the MP.1.118 Practice?
Identification and Authentication is a domain that builds upon the concepts of Access Control and establishes some more specifics that require attention. You may already have made progress and put measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be unsure of what C3PAOs might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you improve your standing towards compliance and take you one step forward in achieving CMMC Level 1 certification.