In this nugget, we discuss the media protection controls MP.L2-3.8.1 and MP.L2-3.8.2, so you know the full depth of each requirement. We also include some common examples of failure that your organization might not have thought of.

MP.L2-3.8.1 – Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital:

This control covers all physical and digital media that contain Controlled Unclassified Information (CUI): paper documents, USB drives, external hard drives, CDs/DVDs, and the internal drives of laptops, desktops, servers, and printers. Organizations are required to:

  • Establish procedures for physically controlling and securely storing system media containing CUI. This includes defining secure storage locations, such as locked cabinets or safes for physical media, and encrypted storage solutions for digital media.
  • Implement measures to prevent unauthorized access to system media, such as access controls, locks, or encryption.
  • Develop guidelines for handling, transporting, and disposing of system media containing CUI, ensuring that appropriate security measures are maintained throughout the media lifecycle.
  • Conduct regular assessments and audits to verify compliance with media protection procedures and identify any areas for improvement.

Some example failures include:

  • Unsecured Workstation: An employee leaves a USB drive containing sensitive CUI on their unattended workstation overnight. Without proper physical controls in place, such as locking drawers or cabinets, the USB drive may be vulnerable to theft or unauthorized access.
  • Inadequate Disposal Procedures: A company disposes of paper documents containing CUI by throwing them in the trash instead of shredding or otherwise destroying them. Discarded documents can be retrieved from the trash, so this failure to follow proper disposal procedures can lead directly to unauthorized disclosure.

MP.L2-3.8.2 – Limit access to CUI on system media to authorized users:

This control focuses on restricting access to CUI stored on system media to authorized users with a legitimate need for that information to perform their job. Organizations are required to develop processes and procedures that:

  • Define access control by specifying who is authorized to access CUI stored on system media and under what circumstances.
  • Implement technical controls such as encryption, access controls, and authentication mechanisms to restrict access to CUI on system media.
  • Establish user roles and permissions, granting access to CUI only to individuals or groups with a legitimate business need.
  • Provide training and awareness programs to educate employees about their responsibilities regarding access to CUI and the consequences of unauthorized access or disclosure.
  • Monitor access to CUI, log access events, and review access logs regularly to detect and respond to unauthorized access attempts.
  • Implement procedures for revoking access rights when employees change roles or leave the organization to prevent unauthorized access to CUI.

Some example causes for failure include:

  • Weak Access Controls: An organization implements access controls for CUI stored on its network drives but configures the permissions incorrectly, for example by granting a broad group such as all domain users access to a CUI share. As a result, employees with no legitimate need for CUI can read it, increasing the risk of a breach or leak.
  • Insufficient User Training: Employees share login credentials, or forward CUI, to people who are not authorized to see it. This shows a lack of awareness that access must be limited, and it leads to unauthorized access to sensitive information, which is why ongoing education and awareness programs matter.
  • Inadequate Monitoring: The organization implements access controls and user permissions but does not review access logs regularly. Unauthorized access attempts, and successful accesses that a permission mistake allowed, go unnoticed, so a malicious actor can reach CUI without detection. This failure emphasizes the importance of proactive monitoring and response to potential security incidents.
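One way to turn the access-control and monitoring points above into a repeatable check, as an added example that is not part of the original post or any DTC tooling: the script below reviews a constructed access log against an authorization roster and a revocation list (catching both the "Weak Access Controls" and "Inadequate Monitoring" failures), and separately audits share ACLs for broad groups or named users with no business need. The log format, the share and group names, and all sample data are assumptions made for the example.

```python
"""Review CUI share access against an authorization roster and audit share ACLs.

Added example with constructed data. Assumed log format, one event per line:
    <ISO-8601 timestamp>,<user>,<action>,<share>,<SUCCESS|DENIED>
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed authorization roster: user -> shares that user has a business need for.
AUTHORIZED = {
    "alice": {"CUI-Contracts"},
    "bob": {"CUI-Contracts", "CUI-Engineering"},
}

# Constructed revocation list: accounts that left or changed roles, with the
# date from which any access should have been impossible.
REVOKED = {"carol": datetime(2024, 3, 1)}

# Group principals that should never appear on a CUI share ACL (assumed names).
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}


@dataclass(frozen=True)
class Finding:
    source: str      # "log:<line number>" or "acl"
    principal: str   # user or group
    share: str
    reason: str


def parse_log_line(line: str):
    ts, user, action, share, outcome = [f.strip() for f in line.split(",")]
    return datetime.fromisoformat(ts), user, action, share, outcome


def review_access_log(lines, authorized=AUTHORIZED, revoked=REVOKED):
    """Return a Finding for every event the roster does not justify."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, user, _action, share, outcome = parse_log_line(line)
        if user in revoked and ts >= revoked[user]:
            # Departure or role change without deprovisioning: check this first.
            findings.append(Finding(f"log:{n}", user, share, "access after revocation date"))
        elif share not in authorized.get(user, set()):
            if outcome == "SUCCESS":
                # The ACL let an unauthorized user in: a permission defect, not just an attempt.
                findings.append(Finding(f"log:{n}", user, share, "successful access without authorization"))
            else:
                findings.append(Finding(f"log:{n}", user, share, "denied attempt by unauthorized user"))
    return findings


def audit_share_acl(acl, authorized=AUTHORIZED, broad_groups=BROAD_GROUPS):
    """acl: share -> set of principals granted access. Flag broad groups and any
    named user whose roster entry does not include that share."""
    findings = []
    for share, principals in acl.items():
        for p in sorted(principals):
            if p in broad_groups:
                findings.append(Finding("acl", p, share, "broad group on CUI share"))
            elif share not in authorized.get(p, set()):
                findings.append(Finding("acl", p, share, "user not authorized for share"))
    return findings


# Constructed sample log: alice and bob are legitimate, dave got in through a
# permission mistake, carol's account was never disabled, erin was denied.
SAMPLE_LOG = """\
# timestamp,user,action,share,outcome
2024-03-04T09:12:03,alice,READ,CUI-Contracts,SUCCESS
2024-03-04T09:15:44,dave,READ,CUI-Contracts,SUCCESS
2024-03-04T10:02:10,carol,READ,CUI-Engineering,SUCCESS
2024-03-04T11:40:00,bob,WRITE,CUI-Engineering,SUCCESS
2024-03-04T12:01:37,erin,READ,CUI-Engineering,DENIED
""".splitlines()

# Constructed ACL snapshot: "Domain Users" on a CUI share is the classic mistake.
SAMPLE_ACL = {
    "CUI-Contracts": {"alice", "bob", "Domain Users"},
    "CUI-Engineering": {"bob", "dave"},
}

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG) + audit_share_acl(SAMPLE_ACL):
        print(f"{f.source:6} {f.principal:14} {f.share:16} {f.reason}")
```

The log review distinguishes a denied attempt (worth watching) from a successful access by someone not on the roster (a permission defect to fix now), and it checks the revocation list before the roster so a former employee's account is flagged even if it was never removed from a share. In practice the roster would come from your access-approval records and the ACL snapshot from the file server, but the comparison logic is the same.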

Remember, every organization is unique, and the specific challenges it faces will vary. However, by fully addressing these practices, organizations can strengthen their implementation of CMMC practices, secure their architecture, and pass a CMMC assessment.

For assistance with your CMMC efforts, contact DTC’s C3PAO team.