CMMC Section 3.8: Media Protection

By Dr. Jerry Craig | September 12, 2022
Jerry is Ntiva’s Sr. Director of Security and CISO, offering more than 20 years in the IT and cybersecurity industry. Certified CISO, CISSP and CCSP, Jerry also serves part-time as Adjunct Professor in the University of Maryland Global Campus.

Today we’ll break down CMMC Section 3.8, which focuses on the media protection for media that contains controlled unclassified information (CUI).

It’s important to remember that these controls cover media you might not normally consider, including hardware, documents, cloud storage, magnetic tapes, and even microfilm. To ensure compliance, you must take care to identify and understand all the possible media where CUI may be stored.

Table of Contents:

What You Need to Know About CMMC Media Protection
Section 3.8.1
Section 3.8.2
Section 3.8.3
Section 3.8.4
Section 3.8.5
Section 3.8.6
Section 3.8.7
Section 3.8.8
Section 3.8.9
Your Guide to CMMC Compliance Success


Don't want to read the article? Watch the full recording below.
Be sure to register here for the Cybersecurity for the Rest of Us webinar series!


What You Need to Know About CMMC Media Protection

When the Department of Defense and CMMC conducted audits on how well companies followed the CMMC controls, they discovered that most organizations rate themselves much higher on compliance than what their actions would actually merit. This disconnect is most likely caused by companies misunderstanding the intent of the controls as written.

Section 3.8 is one family of controls that could easily be misunderstood. There are nine controls in total, many of which overlap.

CMMC Section 3.8.1

3.8.1: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

On a high level, this might seem pretty clear cut — you need to protect paper or digital media that contains CUI. But it’s important to remember any and all media that could fall into these categories, including external media like removable hard drives, thumb drives, network and cloud storage, magnetic tapes, etc.

As you try to secure your data, you have to understand what mediums exist in your business. If you haven’t identified the media correctly, then labeled or segregated the data, how can you be sure you’ve protected the correct data? A proper inventory management system is also an important piece of the puzzle to help you account for any location where CUI may be stored. How is your inventory managed, and where is it stored when it isn’t in use?

Also consider the vendors and software you have involved in protecting CUI. If their systems are hosting that data, it needs to be adequately secured and protected.

Likewise, don’t forget about the physical protections you have in place for your papers. Are drawers, desks, or cabinets locked and secured? This control covers all these questions.

Above all, you must be meticulous about anything that contains CUI. Regardless of the way that it’s stored, you’re responsible for ensuring that it’s protected.


CMMC Section 3.8.2

3.8.2: Limit access to CUI on system media to authorized users.

Certain users will need to access your CUI, but they can be given different levels of permission. Some should be limited to “read only” access, while others can be granted edit/write access based on the needs of your organization. This control also covers data exfiltration where applicable. For instance, if information is posted on a SharePoint site, who can access and download that data?

Determining your authorized users is also an important part of limiting access. You need a way to decide and validate who needs to have access to CUI, and you also need an ongoing process to audit that access and ensure that permissions haven’t been inadvertently changed, or that users who should no longer have access have had those permissions removed.

In some cases, you’ll also want to create a system or method for checking out and checking in CUI. If you have CUI that needs to be transferred, you need a means of keeping tabs on who’s responsible for transporting it.



CMMC Section 3.8.3

3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse.

Once again, it’s important that you know all the media types you possess, as well as where CUI resides, in order to properly destroy or dispose of the data. If you don’t know where it’s at, you can’t truly say you know for sure it’s been properly destroyed or disposed of.

If you’re dealing with cloud data, which may have been replicated to multiple locations for redundancy purposes, anything you delete may be backed up elsewhere. In cases like those, you may want to consider solutions like crypto-shredding to ensure that data is no longer accessible.

Finally, don’t forget about hardware and documents. Devices like printers, scanners, and copiers can store CUI in RAM or temp files, and they shouldn’t be overlooked. Documents that may still be used after the CUI is removed will need to be properly sanitized.


CMMC Section 3.8.4

3.8.4: Mark media with necessary CUI markings and distribution limitations.

You need to ensure the marking of CUI complies with federal contract information, laws, executive orders, directives, policies, and regulations. The Department of Defense has created trainings on how to properly mark media for CUI, and these can be found for free online. These primarily address documents and email, but they’re still a good place to begin.

Bear in mind, too, that the government is responsible for marking and classifying these documents and communications. A contracting officer or delegate is responsible for CUI markings, and if these markings are not present, the material shouldn’t be considered CUI. That said, it’s better to be careful. When in doubt, have a conversation with your contracting officer to confirm the CUI status.


CMMC Section 3.8.5

3.8.5: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

When you’re using a third party or contractor to transport and destroy media, you also must consider the security of the transportation itself.

For example, imagine there’s an accident during transport and your materials are ejected from the vehicle. Will CUI data be scattered all over the road? These are considerations that must be taken into account before the media is sent to be destroyed at the vendor’s site.

If CUI is being transported outside a secured location, but is still within a building, it may merit special handling procedures to ensure proper security. In any case, when handing off CUI to a courier or third party, you need to ensure chain-of-custody procedures are in place so that there’s no question of who’s handling materials.


CMMC Section 3.8.6

3.8.6: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

Hopefully this control is in line with what you’re already doing. If devices are already encrypted and password protected, that should continue even while they’re being transported. This applies to portable storage media including USB drives, DVDs, CDs, and external or removable hard drive discs.

For more information, refer to the NIST SP 800-171 cryptographic standards and guidelines, and consider how you can adopt them into your own policies and procedures.


CMMC Section 3.8.7

3.8.7: Control the use of removable media on system components.

This control stands in contrast to Section 3.8.1, which focuses primarily on restricting user access. For this control, we’re talking about restricting types of media on systems (e.g., prohibiting the use of flash drives on a system).

To accomplish this, you’ll want to employ technical and non-technical controls to control the use of media. You’ll also need to define and limit the types and numbers of approved devices (while bearing in mind that just because you approve a device doesn’t mean everyone in your organization is automatically approved to use them). For devices that may have multiple users, you should implement a checkout system that allows you to keep track of who’s accessing what.

Finally, technical controls here are a useful tool here, too. These controls can be used to prevent users from writing to devices, or to stop them from deleting data without authorization.


CMMC Section 3.8.8

3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner.

You might hope this control would go without saying, but unfortunately it doesn’t. There are many reasons it’s a bad idea to use portable storage devices. Cyberattackers have tried to hack organizations by mailing them infected USB drives.

As a matter of practice, it’s simply a bad idea to allow the use of such a device if there’s no identified owner. There’s no reason to expose your organization to that kind of risk.


CMMC Section 3.8.9

3.8.9: Protect the confidentiality of backup CUI at storage locations.

To protect the backups of CUI data, we recommend that you use cryptographic mechanisms to keep them secure. The specific way you back up this data may depend on whether you’re working with an MSP like Ntiva or doing it all on your own, but wherever you’re storing your data, it needs to be properly protected.


Your Guide to CMMC Compliance Success

If the requirements of the CMMC 3.8 controls seem lengthy, that’s because it’s critically important to protect CUI data. The practices outlined in this section provide thorough guidance to help you carefully consider every potential point of vulnerability — digital or physical — and take steps to address them.

If you’d like to learn more, or get hands-on guidance to ensuring your organization is in compliance with these and other CMMC standards, we’re here to help. Contact Ntiva today.

Explore Our Managed Security Services

Tags: Cybersecurity