Requirement text: MP.3.124: Control access to media containing CUI and maintain accountability for
media during transport outside of controlled areas.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Controlled areas are areas or spaces for which organizations provide physical or procedural
controls to meet the requirements established for protecting systems and information.
Controls to maintain accountability for media during transport include locked containers
and cryptography. Cryptographic mechanisms can provide confidentiality and integrity
protections depending upon the mechanisms used. Activities associated with transport
include the actual transport as well as those activities such as releasing media for transport
and ensuring that media enters the appropriate transport processes. For the actual
transport, authorized transport and courier personnel may include individuals external to
the organization. Maintaining accountability of media during transport includes restricting
transport activities to authorized personnel and tracking and obtaining explicit records of
transport activities as the media moves through the transportation system to prevent and
detect loss, destruction, or tampering.
CMMC CLARIFICATION
Protection of Controlled Unclassified Information (CUI) is applicable to physical and digital
formats. Physical control can be accomplished using traditional concepts like restricted
access to physical locations or locking papers in a desk or filing cabinet. The digitization of
data makes access to CUI much easier. CUI can be stored and transported on magnetic disks,
tapes, USB drives, CD-ROMs, and so on. This makes digital CUI data very portable. As a result
of the portability it is important for an organization to apply mechanisms to prevent
unauthorized access to CUI.
Example 1
Your organization recently was awarded a Department of Defense (DoD) contract. The
contract requires processing of Controlled Unclassified Information (CUI). While reviewing
the security requirements you read about controlling access to media. Aspects of your
project will require machining specific parts for a DoD platform. The parts will be made in a
room where the CUI is stored. The machining tool references the CUI data to produce the
part. The room is isolated but generally accessible to all staff. To ensure you meet the
requirements to protect the data you decide to install a separate badge reader on the door
to the room. The badge reader will be used to restrict and log access to staff on the project. .
You also write a policy requiring all portable media or printed documents containing CUI to
be stored in the locked filing cabinets installed in the room and to require each person
entering the room to badge in with no access allowed for those who have not been issued a
badge. You train all employees on this policy when you issue them their new badge.
Example 2
Your team has recently completed setup of a server. The sponsor has asked that it be ready
to plug in and use. You are aware that the application code created for the sponsor is
considered to be Controlled Unclassified Information (CUI). As you box the server for
shipment using tamper-evident packaging, you label it with the specific recipient for the
shipment. You will also be using a shipping service so you will get a tracking number to
monitor the progress. Once completed you send the recipient the tracking number so they
can monitor and ensure prompt delivery at their facility.
References
• NIST SP 800-171 Rev 1 3.8.5
• NIST CSF v1.1 PR.PT-2
• CERT RMM v1.2 KIM:SG4.SP2
• NIST SP 800-53 Rev 4 MP-5