CMMC Practice MP.3.124

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Source

CMMC Version 1.02, pg. 181

Bold Coast Security Guidance

In prior practices MP.2.119 and MP.2.120 we suggested assigning a person to control access to media and keep an inventory. As a maturity level 3 practice, it is now suggested that the media be stored behind electronically locked doors which automatically record the comings and goings of staff. We also suggest utilizing a camera in the room which would record all activity. When transporting media, utilize tamper evident packaging. Tamper-proof can be expensive (and not very reliable) and is not necessary if the media is encrypted; however it is important to know if the media was altered in any way so tamper "evident" is appropriate. If your staff is not transporting the media, be sure to used bonded couriers with tracking information for your media. Your media "librarian" should track and retain this information.

Discussion From Source

DRAFT NIST SP 800-171 R2 Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used . Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.

References