Welcome to our comprehensive guide on Media Protection (MP) for achieving CMMC Level 2.0 compliance. It is designed for DoD contractors and small and medium businesses that must protect Controlled Unclassified Information (CUI), and it offers step-by-step insights into secure media protection practices and CMMC Level 2 compliance strategies.
We deliver clear, actionable guidance on Media Protection CMMC standards, including best practices for media disposal for CMMC, secure storage, and CMMC digital media protocols. Additionally, you'll find tips on data encryption for CMMC compliance and methods for protecting sensitive data and secure CUI storage.
For expert support, connect with our team. Our specialists are committed to helping your business seamlessly achieve CMMC compliance.
MP.L2-3.8.1 – MEDIA PROTECTION
“Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.”
Level Of Effort: Low
This practice is about keeping both paper and electronic media that contain CUI secure, so that the information cannot be accessed by people who are not authorized to see it and cannot be lost.
For Paper CUI:
Recommendations:
Lock up physical CUI documents: Use locked cabinets, safes, or secure rooms to store any paper with CUI, especially when it's not used.
Hide CUI papers when out in the open: If you're using CUI documents in places like work areas, keep them in folders or use covers to shield them from view, especially when visitors are around.
Evidence:
Your secure storage spots: Show where you lock up your CUI papers.
Your policy in the System Security Plan (SSP): Write down in your SSP how you keep CUI papers safe.
For Digital CUI (tapes, USBs, CD/DVD, etc.):
Recommendations:
Be clear about digital CUI storage rules: Your policy should say exactly where digital CUI can be stored and who can get to it. Remember to label these storage spots as stated in MP.L2-3.8.4 – MEDIA MARKINGS.
Encrypt digital CUI: Whenever you can, encrypt your digital CUI to keep it extra safe.
Move CUI: When you need to take CUI somewhere, such as to another building or to another person, use secure packaging. Pick trusted people or companies to move it and track it. Also, keep a log of all CUI movements.
Keep track of digital media: Have a list of all your digital media like USBs or CDs and set up a system to check them in and out.
Evidence:
Instructions in your SSP: Include details in your System Security Plan about how and where you store digital CUI.
Labels you’ve used: Show how you’ve marked storage spots.
Proof of encrypting CUI: Have records that show you’ve encrypted your digital CUI.
Transport records: Keep a log or spreadsheet that details all the times you've transported CUI.
Media inventory and tracking: Maintain a list of your digital media and a record of who's used it.
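The inventory and check-in/check-out system recommended above can be as simple as two CSV files: one listing every labelled item of media, and one recording every custody event. The following PowerShell script is an added example and is not part of the original guide; the file locations, media IDs, user names and timestamps are constructed sample values. It records check-outs and check-ins against the inventory and reports any item still checked out at a given cut-off time (for example, the end of a shift).

```powershell
# Added example (not from the guide): a minimal CUI media inventory with a
# check-out / check-in custody log and an "still checked out" report.
# Paths, media IDs, users and timestamps are constructed sample data.

$InventoryPath  = Join-Path $env:TEMP 'cui-media-inventory.csv'   # assumed location
$CustodyLogPath = Join-Path $env:TEMP 'cui-media-custody.csv'     # assumed location

# Seed the inventory: one row per labelled item (constructed sample data).
$inventory = @(
    [pscustomobject]@{ MediaId='USB-0001'; Type='USB'; Label='CUI'; Encrypted=$true;  Location='Cabinet A' }
    [pscustomobject]@{ MediaId='USB-0002'; Type='USB'; Label='CUI'; Encrypted=$false; Location='Shop floor safe' }
    [pscustomobject]@{ MediaId='DVD-0007'; Type='DVD'; Label='CUI'; Encrypted=$true;  Location='Cabinet A' }
)
$inventory | Export-Csv -Path $InventoryPath -NoTypeInformation

function Write-CustodyEvent {
    param([string] $MediaId, [string] $User, [string] $Action, [datetime] $When)
    # Refuse to log custody for anything that is not on the inventory.
    $item = Import-Csv $InventoryPath | Where-Object MediaId -eq $MediaId
    if (-not $item) { throw "Unknown media ID: $MediaId (not on the inventory)" }
    [pscustomobject]@{
        Timestamp = $When.ToString('o'); MediaId = $MediaId; User = $User; Action = $Action
    } | Export-Csv -Path $CustodyLogPath -NoTypeInformation -Append
}

function Register-MediaCheckout {
    param([Parameter(Mandatory)][string] $MediaId, [Parameter(Mandatory)][string] $User,
          [datetime] $When = (Get-Date))
    Write-CustodyEvent -MediaId $MediaId -User $User -Action 'CheckOut' -When $When
}

function Register-MediaCheckin {
    param([Parameter(Mandatory)][string] $MediaId, [Parameter(Mandatory)][string] $User,
          [datetime] $When = (Get-Date))
    Write-CustodyEvent -MediaId $MediaId -User $User -Action 'CheckIn' -When $When
}

function Get-OverdueMedia {
    # Items whose most recent custody event is a check-out that happened before $ShiftEnd.
    param([datetime] $ShiftEnd = (Get-Date))
    if (-not (Test-Path $CustodyLogPath)) { return @() }
    Import-Csv $CustodyLogPath | Group-Object MediaId | ForEach-Object {
        $last = $_.Group | Sort-Object { [datetime]$_.Timestamp } | Select-Object -Last 1
        if ($last.Action -eq 'CheckOut' -and [datetime]$last.Timestamp -lt $ShiftEnd) {
            [pscustomobject]@{ MediaId = $last.MediaId; User = $last.User; CheckedOut = $last.Timestamp }
        }
    }
}

# Sample day (constructed): two drives go out, only one comes back before shift end.
Register-MediaCheckout -MediaId 'USB-0002' -User 'jdoe'   -When (Get-Date '2024-05-01T07:00:00')
Register-MediaCheckout -MediaId 'USB-0001' -User 'asmith' -When (Get-Date '2024-05-01T08:00:00')
Register-MediaCheckin  -MediaId 'USB-0001' -User 'asmith' -When (Get-Date '2024-05-01T15:30:00')

# USB-0002 (checked out by jdoe) is reported as still out at 16:00.
Get-OverdueMedia -ShiftEnd (Get-Date '2024-05-01T16:00:00') | Format-Table -AutoSize
```

The custody log is append-only, so it doubles as the transport and usage record the evidence items above ask for; the inventory CSV plus a dated copy of the custody log is what you would attach to the SSP.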
MP.L2-3.8.2 – MEDIA ACCESS
“Limit access to CUI on system media to authorized users.”
MP.L2-3.8.3 – MEDIA DISPOSAL
“Sanitize or destroy information system media containing CUI before disposal or release for reuse.”
Level Of Effort: Low
When it's time to throw away or reuse any media (like hard drives, papers, or CDs) that has Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on it, you have to be careful: either completely wipe the information or destroy the media. This stops anyone who shouldn't have the FCI or CUI from seeing or using it.
Recommendations:
Make a cleaning or destroying plan: Decide how you're going to make each type of media safe:
For electronic items (like computers), erase all the data.
For papers with important FCI, shred them. Use an office shredder or a professional shredding service.
Destroy hard-to-clean items: For items you can't erase, like old hard drives, find a National Association of Information Destruction (NAID) shredding company. These companies are certified to destroy media. They typically cost $75 to $150 per item and they will give you a certificate saying the item was destroyed.
Evidence:
Your sanitization plan in your SSP: Write down your methods for wiping or shredding in your System Security Plan.
Proof from the shredding service: Keep any agreements with the shredding service and the certificates they give you when they've destroyed your stuff.
Policy Example Of Media Disposal:
Here’s an example of a policy that outlines how one company handles the destruction of hard drives:
This policy outlines an example of how a company manages the destruction of hard drives, specifically addressing any equipment containing or that has contained Controlled Unclassified Information (CUI). Before leaving the company’s facilities or being reused or prepared for disposal, the equipment must undergo the following sanitization processes:
Physical Destruction: In instances where a drive is deemed damaged or is requested for physical destruction, the company's IT firm collaborates with a trusted partner employing a standard punch press process. A certificate of destruction is obtained and stored indefinitely. This certifies the complete physical destruction of the drive, rendering data irretrievable. By opting for this service, individuals understand and agree that all data is lost forever.
Software Overwrites Data Destruction (for Magnetic Hard Drives): The company’s IT firm uses compliant software—DoD 5220.22-M (3 passes), DoD 5200.22-M (ECE) (7 passes), and DoD 5200.28-STD (7 passes). The duration of this process varies based on the drive's size. Upon completion, the firm receives a detailed report.
Software Overwrites Data Destruction (for Solid State Hard Drives): In cases where the drive lacks a built-in BIOS/UEFI Secure Erase feature, the IT firm follows these steps: a. Encrypt the drive using Bitlocker or a MacOS equivalent
MP.L2-3.8.4 – MEDIA MARKINGS
“Mark media with necessary CUI markings and distribution limitations.”
Level Of Effort: Low
When you're using media like USB drives or CDs for storing CUI, you need to make sure each item is marked. These labels should show what kind of CUI is on the media and who's allowed to see it.
Here’s a simple guide on how to do this and what kind of proof you should keep:
Recommendations:
Stick labels on everything with CUI: Put labels on all places where you keep CUI. This includes things like filing cabinets, USB drives, CDs or DVDs, and even computers. The labels should say what type of CUI is there and if there are any rules about who can see it.
Document your labeled items: Keep a record or photos of all the items you've labeled. This shows you're following the rules by marking where the CUI is.
MP.L2-3.8.5 – MEDIA ACCOUNTABILITY
“Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.”
MP.L2-3.8.6 – PORTABLE STORAGE ENCRYPTION
“Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.”
Level Of Effort: Low
This control focuses on encrypting CUI on portable devices. These devices include USB sticks and external hard drives. The purpose is to keep the data secure, especially outside your office.
Recommendations:
Encrypt your portable devices: Your I.T. team can use tools like BitLocker for Windows or FileVault for Macs. There are also third-party tools that may be useful.
Document your encryption methods: Write about your encryption methods in your System Security Plan (SSP).
Evidence:
Proof of encryption: Keep screenshots of your encryption setups.
SSP section on encryption: Have a part in your SSP that details encrypting portable storage.
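On Windows, the encryption step and the evidence step above can both be scripted with the built-in BitLocker cmdlets. The following PowerShell is an added example, not code from the guide or from Microsoft: it turns on BitLocker To Go for a drive only after confirming the volume is removable, adds a recovery password protector so the organisation is not locked out if the user's password is lost, and then exports the encryption status of every volume on the host to a CSV that can be attached to the SSP. The drive letter and output path are assumptions; the script must run in an elevated session on a Windows edition that ships the BitLocker module.

```powershell
# Added example (not from the guide): encrypt a removable drive with BitLocker To Go
# and export an encryption-status report as SSP evidence.
# Requires an elevated session and the BitLocker PowerShell module.

function Enable-PortableMediaEncryption {
    param(
        [Parameter(Mandatory)] [string]       $DriveLetter,   # e.g. 'E:' (assumed)
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Guard: only ever encrypt a volume Windows reports as removable.
    $vol = Get-Volume -DriveLetter $DriveLetter.TrimEnd(':')
    if ($vol.DriveType -ne 'Removable') {
        throw "$DriveLetter is not a removable volume (DriveType=$($vol.DriveType)); refusing to encrypt."
    }
    $bl = Get-BitLockerVolume -MountPoint $DriveLetter
    if ($bl.ProtectionStatus -eq 'On') {
        Write-Host "$DriveLetter is already protected."
        return $bl
    }
    # XTS-AES 256 is the strongest option; use -EncryptionMethod Aes256 instead if the
    # drive must also be read on older Windows versions that cannot open XTS volumes
    # (the compatibility issue the Pro Tip above refers to).
    Enable-BitLocker -MountPoint $DriveLetter -PasswordProtector -Password $Password `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null
    # Recovery password protector: record it in your key escrow, never on the drive itself.
    Add-BitLockerKeyProtector -MountPoint $DriveLetter -RecoveryPasswordProtector | Out-Null
    Get-BitLockerVolume -MountPoint $DriveLetter
}

function Export-BitLockerEvidence {
    # Snapshot of every volume's BitLocker state, with host and collection time, for the SSP.
    param([string] $OutputPath = (Join-Path $env:TEMP 'bitlocker-evidence.csv'))   # assumed path
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod,
            VolumeStatus, EncryptionPercentage,
            @{ n = 'KeyProtectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ';' } },
            @{ n = 'Host';          e = { $env:COMPUTERNAME } },
            @{ n = 'Collected';     e = { (Get-Date).ToString('o') } } |
        Export-Csv -Path $OutputPath -NoTypeInformation
    return $OutputPath
}

# Usage (interactive): prompt for the password so it never appears in the script or history.
$pw = Read-Host -AsSecureString -Prompt 'BitLocker password for the removable drive'
Enable-PortableMediaEncryption -DriveLetter 'E:' -Password $pw | Format-List MountPoint, ProtectionStatus, EncryptionMethod
Export-BitLockerEvidence
```

Run `Export-BitLockerEvidence` on a schedule and keep the dated CSVs: a row showing `ProtectionStatus` of `On` and the encryption method for each removable volume is stronger evidence than a one-off screenshot, and a row showing `Off` is the finding you want to catch before an assessor does.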
Pro Tip: If older equipment can't handle encrypted drives, be extra vigilant. Track who uses these drives and when. For more info, see AC.L2-3.1.21 – PORTABLE STORAGE USE.
MP.L2-3.8.7 – REMOVABLE MEDIA
“Control the use of removable media on system components.”
Level Of Effort: High
When you use media like USB drives, CDs, and external hard disks, especially with CUI, it is important to limit their use. This is about making sure the sensitive data stays safe, even when it leaves your main office network.
Recommendations:
Block all removable media: The best step is to block the use of all USB drives, CDs, and similar devices. You can do this through Group Policy Objects or EDR/antivirus tools.
Allow limited use of removable media: If you can't block all of it, allow only a few people to use it. Identify one or two people and block access for everyone else.
Use encrypted removable media with virus scans: If you still need to use these devices, make sure they have encryption and are scanned for viruses. Use security tools to only allow specific USBs (typically by serial number).
Keep track of USB drives: Where unencrypted USB drives are essential, such as in manufacturing areas (cutters, benders, CNC machines, etc.), keep a close watch on them. Set up a system to record who is using them and make sure they're returned at the end of each shift.
Evidence:
For blocking all removable media: Keep screenshots of the computer settings or tools showing that these devices are blocked. Also, have records that prove you've tested these blocks.
For limited use of removable media: Save similar kinds of screenshots and records as you would for completely blocking.
For using encrypted media and scans: Store pictures of your encryption settings and the rules for scanning devices.
For USB drive inventory management: Write down this process in your System Security Plan (SSP) and keep track of who takes and returns the USB drives.
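The "block all removable media" and "allow only specific USBs" recommendations above map to two checks an administrator can script. The following PowerShell is an added example, not code from the guide: it sets and verifies the local registry value that the Group Policy setting "All Removable Storage classes: Deny all access" writes, and it lists currently attached USB storage devices with their serial numbers so they can be compared against an approved list. The registry path is the one that policy uses; the approved serial numbers are constructed sample values. In a domain, set the policy through a GPO rather than on each host, and use this script to audit the result.

```powershell
# Added example (not from the guide): enforce and audit removable-storage policy on a host,
# and report attached USB storage devices that are not on an approved serial-number list.
# Requires an elevated session. Approved serials below are constructed sample values.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenied {
    # Deny_All = 1 is what "All Removable Storage classes: Deny all access" writes.
    param([bool] $Deny = $true)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value ([int]$Deny) -Type DWord
}

function Test-RemovableStorageDenied {
    # Returns $true when the deny-all policy value is present and set; use its output as evidence.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $v = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Deny_All -eq 1)
}

# Approved USB serials (constructed sample values). A real serial is the last segment of the
# device InstanceId, e.g. USBSTOR\DISK&VEN_X&PROD_Y&REV_1.0\<SERIAL>&0
$ApprovedUsbSerials = @('0123456789ABCDEF', 'FEDCBA9876543210')

function Get-UsbStorageDevice {
    # Every currently attached disk that enumerates through the USB storage stack.
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object InstanceId -like 'USBSTOR\*' |
        ForEach-Object {
            $serial = ($_.InstanceId -split '\\')[-1] -replace '&\d+$', ''
            [pscustomobject]@{ FriendlyName = $_.FriendlyName; Serial = $serial; InstanceId = $_.InstanceId }
        }
}

function Get-UnapprovedUsbStorage {
    # Attached USB storage whose serial is not on the approved list: this is the finding to act on.
    Get-UsbStorageDevice | Where-Object { $_.Serial -notin $ApprovedUsbSerials }
}

# Usage: apply the deny-all policy, confirm it, then list anything attached that is not approved.
Set-RemovableStorageDenied -Deny $true
"Removable storage denied: $(Test-RemovableStorageDenied)"
Get-UnapprovedUsbStorage | Format-Table FriendlyName, Serial -AutoSize
```

The serial-number check is an audit, not an enforcement control: it tells you what is plugged in right now and whether it is on the approved list. Enforcement of a per-serial allowlist belongs in the EDR or device-control tool mentioned above, and the output of `Test-RemovableStorageDenied` together with a dated run of `Get-UnapprovedUsbStorage` is the kind of test record the evidence items ask for.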
MP.L2-3.8.8 – SHARED MEDIA
“Prohibit the use of portable storage devices when such devices have no identifiable owner.”
MP.L2-3.8.9 – PROTECT BACKUPS
“Protect the confidentiality of backup CUI at storage locations.”
Level Of Effort: Medium
This control is about keeping CUI safe in backup storage locations. This means using encryption, managing who can access it, and keeping it physically secure.
Many companies have their I.T. team use an automated service for backups. Services like Datto and Veeam will do backups regularly and keep them offsite.
If this is what you do, check your backup system with your I.T. team to ensure: