CMMC MP.3.125 - Encrypt CUI on Digital Media

Requirement text: MP.3.125: Implement cryptographic mechanisms to protect the confidentiality of CUI
stored on digital media during transport unless otherwise protected by alternative physical safeguards.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video
disks, compact disks, external or removable hard disk drives).

CMMC CLARIFICATION
CUI can be stored and transported on a variety of media like magnetic disks, tapes, USB
drives, CD-ROMs, and so on. This makes digital CUI data very portable. The portability
increases the chance that the media is lost. When identifying the paths CUI flows through
your organization, identify devices to include in this practice.

To mitigate the risk of losing or exposing CUI, an organization should implement an
encryption scheme to protect the data. Even if the media is lost, the fact that it is properly
encrypted renders the data inaccessible to other people. When encryption is not an option,
alternative physical safeguards should be applied during transport.

Example
You manage the backups for file servers in your datacenter. In addition to the organization's
sensitive information you know that CUI is stored on the file servers. As part of a broader
plan to protect data your organization has begun sending the backup tapes off-site to a
vendor. You are aware that your backup software provides the option to encrypt data onto
tape. You develop a plan to test and enable backup encryption for the data sent off site. This
will encrypt the data on the backup tapes while they are being transported.

References
• NIST SP 800-171 Rev 1 3.8.6
• CIS Controls v7.1 13.9
• CERT RMM v1.2 KIM:SG4.SP1
• NIST SP 800-53 Rev 4 MP-5(4)