Hi everybody, and welcome to part six of “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems and today we’re going to continue our discussion on the CMMC domains. We’re going to continue through each of the 17 domains and help you in your cyber preparation to become compliant. If you remember, we discussed identification and authentication last week, but today we’re going to discuss media protection, or MP for short. And remember, CMMC is about protecting controlled unclassified information, or CUI, which includes lim-dis (limited distribution) and FOUO (for official use only).
So, as a refresher, CMMC has five maturity levels with five being the most stringent. Contractors and subcontractors will need to have a minimum level one, but if you’re gonna prime an effort you’re gonna need to have a minimum level three. You can get extra points for level four and level five, but you will have to have a minimum of level three and you will have to ensure that your subcontractors are compliant as well.
MP has level one, level two and level three requirements, but does not have level four and level five requirements. So, today we will discuss those level one, level two and level three requirements. MP, just to give you a frame of reference, is focused on identifying and marking your media; protecting and controlling the media; sanitizing the media; and finally, protecting your media during transport or moving it obviously from one place to another.
So, MP has one level one practice, or control. The level one control is about sanitizing or destroying system media containing FCI, better known as federal contract information, before disposal or release for reuse. So, what you should do: you must have practices for sanitizing and destroying hard copy and electronic media, including solid state devices that cannot be sanitized with some of the older techniques used for magnetic disk drives. Your process must also ensure validation and occasional testing to ensure the processes and technologies used to clear, purge and/or destroy the media are successful. You should also have a means of documenting your purging and destroying activities and tie them to a specific person, a time and a method that you used to purge and destroy. Never assume old, used media are not a target. So, think about dumpster diving, right? In the old days, people would throw out paper records into dumps and people would go into dumps and pull that information out and be able to piece together CUI or sometimes maybe even classified information. So, think dumpster diving when you think about some of that old media that you have that you still have to purge or destroy.
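As an added example (not part of the talk), the read-back verification and evidence record described above for an overwritten drive: the image, sector size, operator name and media IDs are all constructed for illustration.

```python
"""Added example, not from the talk: read back a sanitized media image,
confirm it is actually cleared, and record who/when/how for the audit trail."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size for the constructed image below


def residual_sectors(image: bytes, sector: int = SECTOR) -> list[int]:
    """Indexes of sectors that still contain non-zero bytes after an overwrite.
    An empty list means the read-back found no residual data."""
    return [idx for idx, off in enumerate(range(0, len(image), sector))
            if any(image[off:off + sector])]


@dataclass
class SanitizationRecord:
    """Evidence tying the activity to a person, a time and a method."""
    media_id: str
    operator: str
    method: str
    timestamp: str
    verified: bool
    residual: list[int] = field(default_factory=list)
    readback_sha256: str = ""


def record_sanitization(image: bytes, media_id: str, operator: str,
                        method: str) -> SanitizationRecord:
    """Verify the read-back and build the record. A host read-back only proves
    what the host can address; on solid-state media, over-provisioned and
    retired blocks are not readable this way, so rely on the drive's firmware
    sanitize/crypto-erase and its reported status rather than this check."""
    residual = residual_sectors(image)
    return SanitizationRecord(
        media_id=media_id, operator=operator, method=method,
        timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        verified=not residual, residual=residual,
        readback_sha256=hashlib.sha256(image).hexdigest())


# Constructed 8-sector images: one fully cleared, one with leftover data in sector 3.
CLEARED = bytes(SECTOR * 8)
_leftover = bytearray(CLEARED)
_leftover[SECTOR * 3 + 10:SECTOR * 3 + 28] = b"CUI: contract 1234"
LEFTOVER = bytes(_leftover)

if __name__ == "__main__":
    for name, img in (("HDD-0001", CLEARED), ("HDD-0002", LEFTOVER)):
        print(record_sanitization(img, name, "J. Doe (constructed)", "1-pass overwrite"))
```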
Let’s move on to level two. Level two has three practices or controls. The first practice is about protecting, typically referred to as physically controlling and securely storing, system media containing CUI, which includes both paper and digital, just like I talked about previously with the dumpster diving. This practice is more about the physical security of physical media and less about actually labeling the media. So, besides removable storage and personal devices and computers, you need to protect data and data centers and all the computing and storage media that they are comprised of.
So, depending upon how big or small your network is, you’re going to have to adapt to the size and scope of your effort there. For non-digital, such as paper products, it’s a similar process but in this case it may just be lock it up, limit access, record the access, manage keys and repeat. Now think about COVID-19. With the more remote workforce during COVID, you need to make sure your written policies also address printing and other duplication methods for CUI in the event somebody off site or remote may have a need to actually print. So, in the physical office where you normally work that may be a no-brainer, you just print to your office or company printers, but if you have that same person working remotely and they print at their own personal printer at home you may have a completely different security issue. So, make sure you address that and additionally, you may want to create labeling policies to prevent users from printing a document labeled CUI.
The second practice is about limiting access to CUI on system media to authorized users. This practice is similar to the one we just discussed but adds authorized users to the equation. So, you need to keep your server and network room secured with only select individuals permitted to access it and the same would apply to storage areas for other forms of media that contain FCI like we talked about earlier and CUI. So, you may also work in the cloud. In a cloud scenario, you are entrusting this process to your cloud provider. Those data centers should be “by request only” for access and should require two-factor authentication. It may also include some form of biometrics to keep track of people as they move in and out and through the data center. You may also want to consider video camera monitoring on the front and back of every server rack.
The third practice is about controlling the use of removable media on system components. This practice is focused on endpoints and any physical access point on hardware components within an information system. So, you should deploy policies and controls to prevent individuals from using prohibited media sources in your environment. So, think about that: that includes smartphones. A smartphone is a media device with storage on it, so don’t just think of the conventional portable media and recording devices; it can also include smart devices such as smartphones and tablets, so make sure that’s included in your policies. All approved media should also be scanned for viruses and bugs before use on any company network.
Let’s move on to level three. Level three has four practices or controls. The first level three practice is about marking media with necessary CUI markings and distribution limitations. So, there is a CUI handbook; use the CUI handbook. It provides instructions on how to label CUI within a document itself, but also permits and encourages the use of electronic alerts notifying users of the presence of CUI. You may also apply a digital policy to alert users that they are accessing CUI. Wouldn’t that be nice? Because sometimes it can be vague about what’s CUI and what’s not CUI. Wouldn’t it be nice, as a user, to get an alert that you are now accessing or using CUI? So, consider that. Force them to be authenticated to access this file. Limit their interactions and automatically set headers and footers to label CUI. Great practice to consider. If you authorize the use of USBs, you will need to ensure they are properly scanned and marked before use. A lot of government agencies no longer allow USBs, but in private practice and smaller companies they still use USBs, so think about those storage devices and how you are using those.
The second practice is about prohibiting the use of portable storage devices when such devices have no identifiable owner. Alright, so you could have a drawer full of USBs or other media in your office; people just check them out or use them as needed, but they’re never actually assigned to an individual, so think about how you’re going to protect those. So, this practice also correlates closely to a future domain that will discuss asset management or AM. The main objective is limiting the use of physical storage devices, like a USB external drive, to a single encrypted, known, tagged and managed device. You should scan external media before permitting a file to be opened. Ensure your policy addresses media that are not company owned and managed or for which the user has no understanding of its origin. So, why would you do that? Right? Why would you plug something into your network or your personal laptop where you’re not even sure where that particular media came from? You have to manage the media that you’re using. Your policy should expressly prohibit plugging unknown devices into your network or computers and your policy should also require anyone to turn in lost USBs or portable media devices to your IT lead and/or your facility security officer.
The third MP practice is about controlling access to media containing CUI and maintaining accountability for media during transport outside of controlled areas. So, you might employ access control, such as a badge reader or access card, to restrict and log access by your staff in and out of controlled areas. You should also write a policy requiring all portable media or printed documents containing CUI to be stored in locked filing cabinets installed in a controlled area. You may also require each person entering the controlled area to badge in and not allow access to anyone who has not been issued a badge; and you should also train all of your employees on this policy when you issue them a new badge. Everybody should be crystal clear on what the policies are for access in and out of a controlled area.
The last level three practice is about implementing cryptographic mechanisms to protect the confidentiality of CUI on digital media during transport unless otherwise properly protected by alternative physical safeguards. So, in combination with the previous practice we just discussed, you have two major activities that must be included in your written policies: locking and controlling access to keys for physical media containers, such as a room or filing cabinet, and encrypting digital media and ideally the files residing within them. You must develop a plan to test and enable encryption for the data sent off site. You will encrypt the data on the backup tapes while they are being transported and you should do that as a standard practice within your company.
So, those are the eight practices for MP for levels one, two and three. Hopefully you’ve learned quite a bit from this and, as you can see and as I’ve discussed previously, all of these domains have interactions with the previous domains we’ve talked about and with some future domains that we’re going to consider as well.
So, the composite of those 17 domains is critical for protecting CUI. Things you should do, like I tell you every week: fund the program; become familiar with CMMC in general, and especially with NIST SP 800-171 and 800-53. In our next review, we will be discussing the CMMC practices for personnel security, or PS.
I look forward to seeing you then, and thank you. This is Bob Hanley from Sabre Systems. Have a great week and stay healthy. Thank you.