>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.8.7Media Protection - Derived

Derived Requirement

>Control Description

Control the use of removable media on system components.

>Discussion

In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices.

Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices.

>Cross-Framework Mappings

CMMC

MP.L2-3.8.7
Compare

SCF

DCH-10
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern cryptographic protection of CUI on media?
  • What procedures ensure media encryption before storage or transport?
  • Who is responsible for implementing media encryption?
  • What governance ensures consistent media encryption?
  • What exceptions exist for media encryption requirements?

Technical Implementation:

  • What encryption methods protect CUI on digital media?
  • How do you enforce encryption for removable media?
  • What FIPS 140-2 validated encryption do you use?
  • How do you manage encryption keys for media?
  • What controls verify media is encrypted before storage or transport?

Evidence & Documentation:

  • Can you demonstrate media encryption implementation?
  • What evidence shows CUI media is encrypted?
  • Can you provide encryption key management documentation?
  • What reports verify media encryption compliance?
  • What audit findings confirm cryptographic media protection?

Ask AI

Configure your API key to use AI features.