CMMC Practice MP.L2-3.8.1

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

Bold Coast Security Guidance

Designate a secure location to store removable media which contains protected information, such as CUI. This could be a safe, a locked file cabinet, or a desk. We recommend designated an individual to be responsible controlling access to the media, maintaining the log, and conducting a regular inventory. Develop a procedure for checking in and returning media containing CUI as well.

Discussion From Source

DRAFT NIST SP 800-171 R2 System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library . Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library. Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.