Today we’ll break down CMMC Section 3.8, the Media Protection family of controls (taken from NIST SP 800-171) that covers any media containing controlled unclassified information (CUI).
It’s important to remember that these controls cover media you might not normally consider, including hardware, documents, cloud storage, magnetic tapes, and even microfilm. To ensure compliance, you must take care to identify and understand all the possible media where CUI may be stored.
Table of Contents:
What You Need to Know About CMMC Media Protection
Section 3.8.1
Section 3.8.2
Section 3.8.3
Section 3.8.4
Section 3.8.5
Section 3.8.6
Section 3.8.7
Section 3.8.8
Section 3.8.9
Your Guide to CMMC Compliance Success
When the Department of Defense assessed how well contractors had actually implemented these controls, it found that most organizations rate themselves much higher on compliance than their practices would merit. This disconnect is most likely caused by companies misunderstanding the intent of the controls as written.
Section 3.8 is one family of controls that could easily be misunderstood. There are nine controls in total, many of which overlap.
3.8.1: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
At a high level, this might seem clear cut: you need to protect paper or digital media that contains CUI. But it’s important to account for any and all media that could fall into these categories, including external media like removable hard drives, thumb drives, network and cloud storage, magnetic tapes, etc.
As you try to secure your data, you have to understand what media exist in your business. If you haven’t identified the media correctly, then labeled or segregated the data, how can you be sure you’ve protected the correct data? A proper inventory management system is also an important piece of the puzzle, because it lets you account for every location where CUI may be stored. How is your inventory managed, and where is each item stored when it isn’t in use?
Also consider the vendors and software you have involved in protecting CUI. If their systems are hosting that data, it needs to be adequately secured and protected.
Likewise, don’t forget about the physical protections you have in place for your papers. Are drawers, desks, or cabinets locked and secured? This control covers all these questions.
Above all, you must be meticulous about anything that contains CUI. Regardless of the way that it’s stored, you’re responsible for ensuring that it’s protected.
3.8.2: Limit access to CUI on system media to authorized users.
Certain users will need to access your CUI, but they can be given different levels of permission. Some should be limited to read-only access, while others can be granted edit/write access based on the needs of your organization. This control also covers how data can leave the system where applicable. For instance, if information is posted on a SharePoint site, who can access that data, and who can download a copy of it?
Determining your authorized users is also an important part of limiting access. You need a way to decide and validate who needs to have access to CUI, and you also need an ongoing process to audit that access and ensure that permissions haven’t been inadvertently changed, or that users who should no longer have access have had those permissions removed.
In some cases, you’ll also want to create a system or method for checking out and checking in CUI. If you have CUI that needs to be transferred, you need a means of keeping tabs on who’s responsible for transporting it.
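As an added example (not part of the original article), the following PowerShell script shows the kind of recurring access review this control calls for: it reads the NTFS ACL on a CUI folder, flags any identity that isn’t on the approved list, and flags an approved identity that holds more rights than it was granted (for instance, a read-only group that has picked up Write). The folder path, domain name, and group names are assumed placeholders.

```powershell
# Added example: periodic drift check of who can reach a CUI folder.
# All paths and names below are assumptions for illustration.

$CuiFolder = 'D:\Shares\CUI'                                   # assumed share path
$Approved  = @{                                                # assumed identities and the most each should hold
    'CONTOSO\CUI-ReadOnly'   = 'ReadAndExecute'
    'CONTOSO\CUI-Editors'    = 'Modify'
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}

function Test-CuiFolderAccess {
    param([string]$Path, [hashtable]$ApprovedRights)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # explicit Deny entries are not a finding

        $who     = $ace.IdentityReference.Value
        $granted = $ace.FileSystemRights

        if (-not $ApprovedRights.ContainsKey($who)) {
            [pscustomobject]@{ Identity = $who; Rights = $granted; Issue = 'Not on approved list' }
            continue
        }

        # Any granted bit outside the approved mask is over-permissioning.
        # Synchronize rides along on every Allow ACE, so it is added to the mask to avoid false positives.
        $allowed = ([int][System.Security.AccessControl.FileSystemRights]$ApprovedRights[$who]) -bor
                   ([int][System.Security.AccessControl.FileSystemRights]::Synchronize)
        $extra = [int]$granted -band (-bnot $allowed)
        if ($extra -ne 0) {
            $extraNames = [System.Security.AccessControl.FileSystemRights]$extra
            [pscustomobject]@{ Identity = $who; Rights = $granted; Issue = "Exceeds approved '$($ApprovedRights[$who])': $extraNames" }
        }
    }
}

$findings = Test-CuiFolderAccess -Path $CuiFolder -ApprovedRights $Approved
if ($findings) { $findings | Format-Table -AutoSize } else { "No ACL deviations on $CuiFolder" }
```

Run it on a schedule and diff the output against the previous run so an inadvertent change shows up as a new finding. It checks only the folder’s ACL; the membership of the approved groups still has to be reviewed separately (for example with Get-ADGroupMember), since a stale member inherits the group’s access without ever appearing in the ACL.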
3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse.
Once again, it’s important that you know all the media types you possess, as well as where CUI resides, in order to properly destroy or dispose of the data. If you don’t know where it is, you can’t truly say you know for sure it’s been properly destroyed or disposed of. NIST SP 800-88 describes the clear, purge, and destroy methods appropriate to each media type.
If you’re dealing with cloud data, which may have been replicated to multiple locations for redundancy purposes, anything you delete may be backed up elsewhere. In cases like those, you may want to consider solutions like crypto-shredding (encrypting the data under a key you control, then destroying the key) to ensure that data is no longer accessible.
Finally, don’t forget about hardware and documents. Devices like printers, scanners, and copiers can retain CUI on their internal storage (hard drives or flash) and in temporary files, and they shouldn’t be overlooked. Paper documents that will still be used after the CUI is removed need to be properly redacted, not just marked.
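To make the crypto-shredding idea concrete, here is an added example (not from the original article) in PowerShell 7+. Data is encrypted with AES-256-GCM under a per-dataset key that is kept apart from the data; the ciphertext is then copied to several “locations” standing in for a provider’s replicas and backups. Destroying the key renders every copy unrecoverable at once, which is verified by attempting to decrypt each replica. The key store, the replica locations, the dataset identifier, and the sample text are constructed stand-ins.

```powershell
# Added example (not from the original article). Demonstrates crypto-shredding:
# data is encrypted under a per-dataset key kept apart from the data; when the key
# is destroyed, every copy of the ciphertext (primary, DR replica, backup) becomes
# unrecoverable at once. The key store, the replica locations and the sample text
# are constructed stand-ins. Requires PowerShell 7+ for .NET's AesGcm class.

using namespace System.Security.Cryptography
using namespace System.Text

function New-RandomBytes([int]$Count) {
    $bytes = [byte[]]::new($Count)
    [RandomNumberGenerator]::Create().GetBytes($bytes)
    return $bytes
}

function Protect-CuiBlob([byte[]]$Key, [byte[]]$Plaintext) {
    # AES-256-GCM with a fresh 96-bit nonce and a 128-bit authentication tag.
    $nonce      = New-RandomBytes 12
    $ciphertext = [byte[]]::new($Plaintext.Length)
    $tag        = [byte[]]::new(16)
    $aes = [AesGcm]::new($Key)
    try { $aes.Encrypt($nonce, $Plaintext, $ciphertext, $tag) } finally { $aes.Dispose() }
    return [pscustomobject]@{ Nonce = $nonce; Ciphertext = $ciphertext; Tag = $tag }
}

function Unprotect-CuiBlob([byte[]]$Key, $Blob) {
    # GCM authenticates: a wrong key (or tampered data) throws CryptographicException.
    $plaintext = [byte[]]::new($Blob.Ciphertext.Length)
    $aes = [AesGcm]::new($Key)
    try { $aes.Decrypt($Blob.Nonce, $Blob.Ciphertext, $Blob.Tag, $plaintext) } finally { $aes.Dispose() }
    return [Encoding]::UTF8.GetString($plaintext)
}

function Invoke-CryptoShred([hashtable]$KeyStore, [string]$DatasetId) {
    # Destroying the key is the sanitization step; the ciphertext can stay wherever it was replicated.
    [Array]::Clear($KeyStore[$DatasetId], 0, $KeyStore[$DatasetId].Length)   # overwrite the key bytes we hold
    $KeyStore.Remove($DatasetId)                                              # then drop the reference
}

# --- Walk-through with constructed data ---------------------------------------
$keyStore  = @{}   # stand-in for a KMS/HSM; production keys never sit beside the data
$replicas  = @{}   # stand-in for the copies a provider keeps for redundancy
$datasetId = 'contract-1234-drawings'                                        # constructed identifier

$keyStore[$datasetId] = New-RandomBytes 32
$sample = [Encoding]::UTF8.GetBytes('sample CUI drawing data')              # constructed sample
$blob   = Protect-CuiBlob $keyStore[$datasetId] $sample
foreach ($location in 'primary', 'dr-region', 'backup-tape') { $replicas[$location] = $blob }

"Before shredding : " + (Unprotect-CuiBlob $keyStore[$datasetId] $replicas['dr-region'])

Invoke-CryptoShred -KeyStore $keyStore -DatasetId $datasetId

foreach ($location in $replicas.Keys) {
    try {
        # The original key no longer exists; any key an attacker could supply fails authentication.
        $null = Unprotect-CuiBlob (New-RandomBytes 32) $replicas[$location]
        "After shredding  : $location STILL READABLE - investigate"
    }
    catch [System.Security.Cryptography.CryptographicException] {
        "After shredding  : $location unrecoverable"
    }
}
```

In a real deployment the per-dataset key lives in a KMS or HSM and the shred is the key-deletion operation there, so the checklist item is not “delete the key” but “confirm no copy of the key survives”: key backups, escrow, and any key-encryption keys that wrapped it all have to be accounted for, or the replicas you can no longer reach are still recoverable by whoever holds them.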
3.8.4: Mark media with necessary CUI markings and distribution limitations.
You need to ensure the marking of CUI complies with applicable federal laws, executive orders, directives, policies, and regulations. The Department of Defense has created free online training on how to properly mark CUI. It primarily addresses documents and email, but it’s still a good place to begin.
Bear in mind, too, that the government is responsible for designating and marking these documents and communications. A contracting officer or delegate is responsible for identifying CUI in a contract, and if CUI markings are not present, the material generally shouldn’t be treated as CUI. That said, it’s better to be careful. When in doubt, have a conversation with your contracting officer to confirm the CUI status.
3.8.5: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Accountability during transport means a chain-of-custody record: who removed the media from the controlled area, when, where it went, and who received it. When you’re using a third party or contractor to transport and destroy media, you also must consider the security of the transportation itself, and you must retain the record of custody rather than leaving it with the courier.
3.8.6: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Hopefully this control is in line with what you’re already doing. If devices are already encrypted and password protected, that should continue even while they’re being transported. This applies to portable storage media including USB drives, DVDs, CDs, and external or removable hard drives.
Note that NIST SP 800-171 separately requires FIPS-validated cryptography whenever encryption is used to protect the confidentiality of CUI (control 3.13.11), so confirm that the encryption product on your portable media meets that bar, and fold the requirement into your own policies and procedures.
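As an added example (not part of the original article), the following PowerShell function reports every mounted removable volume and whether BitLocker protection is fully on, so that an unencrypted drive can be caught before it leaves the building. It assumes a Windows machine with the BitLocker module available and an elevated prompt.

```powershell
# Added example (not from the original article): list mounted removable volumes
# and whether each is fully BitLocker-protected. Requires the BitLocker module
# (Windows Pro/Enterprise or Server with the feature) and an elevated prompt.

function Get-RemovableMediaEncryptionStatus {
    $bitlocker = Get-BitLockerVolume -ErrorAction Stop       # every volume BitLocker knows about
    $volumes   = Get-Volume | Where-Object {
        $_.DriveType -eq 'Removable' -and ([string]$_.DriveLetter) -match '^[A-Z]$'
    }

    foreach ($vol in $volumes) {
        $mount = "$($vol.DriveLetter):"
        $bl    = $bitlocker | Where-Object MountPoint -eq $mount

        # "Protected" only when protection is on AND encryption has finished;
        # a drive mid-encryption or with protectors suspended still exposes plaintext.
        $state = 'Protected'
        if (-not $bl) {
            $state = 'No BitLocker status (unsupported file system?)'
        }
        elseif ($bl.ProtectionStatus -ne 'On' -or $bl.VolumeStatus -ne 'FullyEncrypted') {
            $state = "UNPROTECTED ($($bl.VolumeStatus), protection $($bl.ProtectionStatus))"
        }

        [pscustomobject]@{
            MountPoint = $mount
            Label      = $vol.FileSystemLabel
            SizeGB     = [math]::Round($vol.Size / 1GB, 1)
            Method     = if ($bl) { $bl.EncryptionMethod } else { $null }
            Status     = $state
        }
    }
}

Get-RemovableMediaEncryptionStatus | Format-Table -AutoSize
```

The Method column shows the algorithm in use; record it alongside the FIPS-validation evidence for the crypto module you rely on, since control 3.13.11 asks for validated cryptography and an assessor will want to see both.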
3.8.7: Control the use of removable media on system components.
This control stands in contrast to Section 3.8.2, which focuses primarily on restricting user access. For this control, we’re talking about restricting the types of media that can be used on systems (e.g., prohibiting the use of flash drives on a system, or allowing only organization-issued, encrypted drives).
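As an added example (not part of the original article), here is how the built-in Windows “Removable Storage Access” policy can be set on a standalone machine by writing the same registry values the Group Policy template writes, and then read back for evidence. Domain-joined machines should get this from a GPO (Computer Configuration > Administrative Templates > System > Removable Storage Access). The mode names are assumed labels for this script; the policy keys and class GUIDs are the ones Windows uses.

```powershell
# Added example (not from the original article): enforce Windows' "Removable
# Storage Access" policy by writing the registry values the Group Policy template
# sets, then read the result back. Run elevated; changes apply after a policy
# refresh (gpupdate /force) or reboot.

$PolicyRoot         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # Removable Disks (USB flash, external HDD/SSD)
$CdDvdClass         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # CD and DVD drives

function Set-RemovableStoragePolicy {
    param([Parameter(Mandatory)][ValidateSet('DenyAll', 'ReadOnlyDisks', 'Unrestricted')][string]$Mode)

    # Start from a clean slate so an old per-class setting does not linger under a new mode.
    if (Test-Path $PolicyRoot) { Remove-Item -Path $PolicyRoot -Recurse -Force }
    if ($Mode -eq 'Unrestricted') { return }
    New-Item -Path $PolicyRoot -Force | Out-Null

    switch ($Mode) {
        'DenyAll' {
            # Equivalent to "All Removable Storage classes: Deny all access".
            Set-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value 1 -Type DWord
        }
        'ReadOnlyDisks' {
            # Disks may be read (e.g. sanctioned inbound data) but not written to or executed from;
            # optical media stays blocked entirely.
            foreach ($class in $RemovableDiskClass, $CdDvdClass) {
                New-Item -Path (Join-Path $PolicyRoot $class) -Force | Out-Null
            }
            $disk = Join-Path $PolicyRoot $RemovableDiskClass
            Set-ItemProperty -Path $disk -Name 'Deny_Write'   -Value 1 -Type DWord
            Set-ItemProperty -Path $disk -Name 'Deny_Execute' -Value 1 -Type DWord
            $cd = Join-Path $PolicyRoot $CdDvdClass
            foreach ($right in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
                Set-ItemProperty -Path $cd -Name $right -Value 1 -Type DWord
            }
        }
    }
}

function Get-RemovableStoragePolicy {
    # Report what is currently enforced, key by key (useful as assessment evidence).
    if (-not (Test-Path $PolicyRoot)) { return 'No removable storage restrictions configured' }
    $keys = @(Get-Item $PolicyRoot) + @(Get-ChildItem $PolicyRoot -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Scope = $key.PSChildName; Setting = $name; Value = $key.GetValue($name) }
        }
    }
}

Set-RemovableStoragePolicy -Mode DenyAll
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

The built-in policy is all-or-nothing per device class, so “deny everything except our own encrypted drives” needs a device-control product that can allow by device identifier; the DenyAll mode above also satisfies 3.8.8 in practice, because a drive of unknown origin simply cannot be mounted.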
3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner.
You might hope this control would go without saying, but unfortunately it doesn’t. There are many reasons it’s a bad idea to plug in a portable storage device of unknown origin: attackers have tried to compromise organizations by mailing them infected USB drives, and a drive dropped in a parking lot works the same way.
As a matter of practice, it’s simply a bad idea to allow the use of such a device if there’s no identified owner. There’s no reason to expose your organization to that kind of risk.
3.8.9: Protect the confidentiality of backup CUI at storage locations.
To protect the backups of CUI data, we recommend that you use cryptographic mechanisms to keep them secure. The specific way you back up this data may depend on whether you’re working with an MSP like Ntiva or doing it all on your own, but wherever you’re storing your data, it needs to be properly protected.
If the requirements of the CMMC 3.8 controls seem lengthy, that’s because it’s critically important to protect CUI data. The practices outlined in this section provide thorough guidance to help you carefully consider every potential point of vulnerability — digital or physical — and take steps to address them.
If you’d like to learn more, or get hands-on guidance to ensuring your organization is in compliance with these and other CMMC standards, we’re here to help. Contact Ntiva today.