CMMC MP.2.119 - Protect System Media Containing CUI

CMMC MP.2.119 - Protect System Media Containing CUI

Requirement text: MP.2.119: Protect (i.e., physically control and securely store) system media
containing CUI, both paper and digital.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
System media includes digital and non-digital media. Digital media includes diskettes,
magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and
digital video disks. Non-digital media includes paper and microfilm. Protecting digital media
includes limiting access to design specifications stored on compact disks or flash drives in
the media library to the project leader and any individuals on the development team.
Physically controlling system media includes conducting inventories, maintaining
accountability for stored media, and ensuring procedures are in place to allow individuals to
check out and return media to the media library. Secure storage includes a locked drawer,
desk, or cabinet, or a controlled media library.

Access to CUI on system media can be limited by physically controlling such media, which
includes conducting inventories, ensuring procedures are in place to allow individuals to
check out and return media to the media library, and maintaining accountability for all
stored media.

NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.

CMMC CLARIFICATION
Physical CUI includes two types of items:
      • hardcopy (e.g., paper, microfilm); and
      • digital devices (e.g., CD drives, flash drives, video).

You should store physical CUI in a secure location. This location should be accessible only to
those people with the proper permissions. All who access CUI should follow the process for
checking out and returning it.

Example
Your organization has CUI for a specific Army contract. The Army gave you the CUI on a CD.
You store the CD in a locked drawer and you log the CUI CD in an inventory. You also
establish a procedure to check out the CD when your employees need to use it.

References
• NIST SP 800-171 Rev 1 3.8.1
• NIST CSF v1.1 PR.PT-2
• CERT RMM v1.2 KIM:SG2.SP2
• NIST SP 800-53 Rev 4 MP-4

    • Related Articles

    • CMMC MP.3.124 - Control Access to Media containing CUI during Transport

      Requirement text: MP.3.124: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Controlled areas are areas or spaces for which ...

    • CMMC Level 1 Overview - Basic Cyber Hygiene

      CMMC Level 1 l focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the ...

    • CMMC MP.1.118 – Sanitize Information System Media

      Requirement text:  MP.1.118: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 This requirement applies to all system media, ...

    • CMMC MP.2.120 - Limit Access to CUI on System Media

      Requirement text: MP.2.120: Limit access to CUI on system media to authorized users. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Access can be limited by physically controlling system media and secure storage areas. Physically controlling system ...

    • Media Protection: SP 800-171 Security Family 3.8

      Media protection is a requirement that addresses the defense of system media, which can be described as both digital and non-digital. Examples of digital media include: diskettes, magnetic tapes, external/removable hard disk drives, flash drives, ...