February 9, 2021

Last Updated on January 12, 2024

The Cybersecurity Maturity Model Certification (CMMC) framework was created on behalf of the US Department of Defense (DoD) specifically to protect Controlled Unclassified Information (CUI) in the defense supply chain. The CMMC arranges its 171 controls into 17 domains, each of which comprises capabilities, processes and practices. CMMC practices are also mapped onto the framework’s five cybersecurity maturity levels.

The purpose of the CMMC Media Protection (MP) domain controls is to ensure that the physical and digital media your organization uses to store and/or transport CUI is identified and protected. The domain also specifies basic protections for Federal Contract Information (FCI).

The Media Protection domain defines eight practices across CMMC levels 1, 2 and 3. Each practice is part of one of four CMMC capabilities: 

  • Identify and mark media
  • Protect and control media
  • Sanitize media
  • Protect media during transport

What are the CMMC Media Protection Domain Practices?

CMMC Level 1 defines the minimum “basic cyber hygiene” controls required to handle FCI. To achieve compliance at this level you need to implement one Media Protection domain practice:

  • 1.118 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

This practice applies to all forms of digital and nondigital media that you would dispose of or reuse, such as hard drives, notebook computers, mobile devices, paper documents, magnetic tape, thumb drives, CDs, etc. “Sanitizing” media means deleting or overwriting data on the media so that it cannot be recovered. Approaches to sanitizing media include destroying it, cryptographically erasing it or clearing it. How you sanitize media depends on factors like cost and convenience, but you will need to demonstrate that your methods work to prevent unauthorized access.
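
One way to produce the evidence that a clearing method worked is to read the media back after the overwrite and record the result. The sketch below is an added example, not part of the original article; the block size, media tags and sample image are constructed assumptions.

```python
import os
import tempfile

BLOCK = 4096  # assumed read size for the verification pass


def residual_blocks(path, fill=0x00, block=BLOCK):
    """Return (offsets of blocks holding any byte other than `fill`, bytes read)."""
    dirty, offset = [], 0
    with open(path, "rb") as fh:
        while chunk := fh.read(block):   # last chunk may be shorter than `block`
            if chunk.count(bytes([fill])) != len(chunk):
                dirty.append(offset)
            offset += len(chunk)
    return dirty, offset


def sanitization_record(media_id, method, path, fill=0x00):
    """Build an evidence record for one piece of media after a clear pass."""
    dirty, checked = residual_blocks(path, fill)
    return {
        "media_id": media_id,          # inventory tag (hypothetical format)
        "method": method,
        "bytes_checked": checked,
        "residual_offsets": dirty,
        # An image that could not be read at all is never reported as verified.
        "result": "verified" if checked and not dirty else "failed",
    }


def make_sample_image(residual_at=None):
    """Constructed test image: three full blocks plus a 100-byte tail of zeros,
    optionally with leftover data at `residual_at` to simulate an incomplete clear."""
    data = bytearray(BLOCK * 3 + 100)
    if residual_at is not None:
        leftover = b"CONSTRUCTED LEFTOVER RECORD"
        data[residual_at:residual_at + len(leftover)] = leftover
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for tag, pos in (("HDD-0001", None), ("HDD-0002", 5000)):
        image = make_sample_image(pos)
        print(sanitization_record(tag, "clear (single zero pass)", image))
        os.remove(image)
```

A read-back through the operating system only sees addressable blocks, so on flash media it cannot confirm that remapped or spare areas were overwritten; that is one reason cryptographic erase or destruction is used for such media.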

The three Media Protection practices at CMMC Level 2 are about controlling who has access to media, especially if it contains CUI:

  • 2.119 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
    “System media” includes both digital and nondigital media—everything from external and internal hard drives to mag tape to flash drives to CDs to paper to microfilm. “Protecting” digital media means using access controls to limit access to only those who need it and have the right permissions. “Physically controlling” media includes keeping an inventory of what media you have, ensuring accountability for media in storage, and putting processes in place for checking media in/out of secure storage.
  • 2.120 Limit access to CUI on system media to authorized users.
    This control is self-explanatory: only people authorized to access CUI should be able to access it. Achieving this control could include using locks or other physical mechanisms to secure storage areas, along with keeping track of who accesses the CUI and providing some form of check-in/check-out procedure.
  • 2.121 Control the use of removable media on system components.
    This practice requires you to restrict the use of removable media types on systems, since these could be used to exfiltrate CUI or other sensitive data. An example would be a company policy prohibiting the use of flash drives, DVDs and/or external hard drives on systems that store or process CUI. Or you might need to limit the use of portable storage devices to only approved units that your company provides. Scanning removable media for malware on an air-gapped, standalone system before attaching it to any network-connected system can also be an important part of this practice.

The four Media Protection practices at CMMC Level 3 focus on portable media and transportation of media:

  • 3.122 Mark media with necessary CUI markings and distribution limitations.
    To make sure staff are aware of when they are handling CUI, you must appropriately mark all media that holds CUI in a human-readable way—including removable hard drives, thumb drives, paper documents, etc. A lot of today’s media is very compact, so you might need alternate methods (e.g., a CUI banner or message on a laptop screen) where external marking is problematic. A minimal marking would state “CUI” and the agency involved (e.g., the DoD).
  • 3.123 Prohibit the use of portable storage devices when such devices have no identifiable owner.
    USB drives and other portable storage devices are easy to use, easy to lose and a very attractive attack vector for hackers. Being able to identify the owner (a person, a company, a project, etc.) of portable storage devices reduces the risk associated with using them, because it enables you to know who is responsible for a device’s security. This control mandates that you forbid the use of devices where ownership can’t be traced. It could take the form of an IT policy and a documented procedure for how to handle the situation (e.g., don’t plug the device into any system but instead turn it over to the Helpdesk for testing/disposal).
  • 3.124 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
    “Controlled areas” are places where you’ve put physical and/or procedural controls (e.g., encryption or locked storage boxes) in place to protect CUI and associated systems. When media is transported out of controlled areas, whether by employees or a third party like a courier service, you need to maintain and track accountability for it. This might entail restricting transport of CUI to only bonded couriers from a trusted vendor, and then keeping records of the media’s movements as it’s transported to reduce the chances of loss or tampering.
  • 3.125 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
    The more portable the storage medium, the greater the chance it will be lost or stolen. To reduce risk to CUI, you need to encrypt it on portable media before transporting it. This might include encrypting backups that you plan to store offsite, for instance. If encryption isn’t feasible, you instead need strong physical safeguards to mitigate the associated risk.
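
Practices 2.121 and 3.123 above can be checked at the moment a device is attached by comparing it against a media inventory. The following is an added example, not part of the original article; the inventory, host names, device identifiers and event fields are all constructed assumptions.

```python
from collections import namedtuple

Decision = namedtuple("Decision", "action reason")

# Constructed inventory of company-issued devices, keyed by (vendor, product, serial).
INVENTORY = {
    ("1234", "abcd", "SN-0001"): {"owner": "j.doe", "cui_approved": True},
    ("1234", "abcd", "SN-0002"): {"owner": "project-falcon", "cui_approved": False},
}
CUI_HOSTS = {"eng-ws-07"}  # hypothetical hosts that store or process CUI

# Constructed device-attach events, as an endpoint agent might report them.
EVENTS = [
    {"host": "eng-ws-07", "vendor_id": "1234", "product_id": "ABCD", "serial": " sn-0001 "},
    {"host": "eng-ws-07", "vendor_id": "1234", "product_id": "abcd", "serial": "SN-0002"},
    {"host": "lab-pc-02", "vendor_id": "1234", "product_id": "abcd", "serial": "SN-0002"},
    {"host": "lab-pc-02", "vendor_id": "9999", "product_id": "0001", "serial": "SN-7777"},
    {"host": "eng-ws-07", "vendor_id": "1234", "product_id": "abcd", "serial": None},
]


def evaluate(event, inventory=INVENTORY, cui_hosts=CUI_HOSTS):
    """Decide whether an attached storage device may be used on this host."""
    # Normalise identifiers so case or padding differences do not bypass the lookup.
    serial = (event.get("serial") or "").strip().upper()
    if not serial:
        # Without a serial the device cannot be tied to an inventory entry.
        return Decision("block", "no serial reported; owner cannot be identified (3.123)")
    key = (event["vendor_id"].lower(), event["product_id"].lower(), serial)
    entry = inventory.get(key)
    if entry is None or not entry.get("owner"):
        return Decision("block", "not in inventory; no identifiable owner (3.123)")
    if event["host"] in cui_hosts and not entry["cui_approved"]:
        return Decision("block", "owner known but device not approved on CUI systems (2.121)")
    return Decision("allow", f"inventoried device owned by {entry['owner']}")


def review(events):
    """Return one (host, action, reason) tuple per attach event."""
    return [(e["host"],) + tuple(evaluate(e)) for e in events]


if __name__ == "__main__":
    for host, action, reason in review(EVENTS):
        print(f"{host:10} {action:5} {reason}")
```

Blocked devices with no identifiable owner would then follow the documented handling procedure, such as turning the device over to the Helpdesk.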

What is needed to comply with the CMMC Media Protection Domain controls?

To comply with the Media Protection domain requirements, your business must demonstrate that it identifies and appropriately marks media containing CUI. You’ll also need to show evidence that you have media protection procedures in place, including procedures for sanitization and secure transport.

The most basic of the Media Protection practices concern sanitizing/destroying sensitive physical and digital data. The destruction method you use could vary with the media involved, with cost and effectiveness being important factors. Tools that shred, crush or burn the media are highly effective. Repeatedly overwriting the original data might be a better choice if you plan to reuse the media.

Some other Media Protection controls, like those for securing and tracking removable media in transit, can be met or supported by encrypting the data. A range of automated encryption and tracking solutions are available to match the sensitivity of the data.

If you store CUI in the cloud, you’ll need to understand how your cloud service provider (CSP) handles physical media in its data centers and whether those practices meet CMMC guidelines.

Concerned about how CMMC compliance requirements will impact your organization, and the most cost-efficient way to meet them? Contact Pivot Point Security to discuss your unique needs with a CMMC expert.