>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.8.1Media Protection - Basic

Basic Requirement

>Control Description

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

>Discussion

System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm.

Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.

Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. [SP 800-111] provides guidance on storage encryption technologies for end user devices.

>Cross-Framework Mappings

CMMC

MP.L2-3.8.1
Compare

SCF

DCH-01
Compare
DCH-06
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern protection of media containing CUI?
  • What procedures define media handling and storage?
  • Who is responsible for media protection oversight?
  • How do you classify and mark media containing CUI?
  • What governance ensures media is properly protected?

Technical Implementation:

  • What physical controls protect media containing CUI?
  • How do you implement encryption for media at rest?
  • What access controls restrict media access?
  • How do you track media location and custody?
  • What monitoring detects unauthorized media access?

Evidence & Documentation:

  • Can you provide media protection procedures?
  • What documentation shows media is encrypted and secured?
  • Can you demonstrate physical media storage controls?
  • What logs track media access and movement?
  • What audit evidence verifies media protection compliance?

Ask AI

Configure your API key to use AI features.