03.08.01: Media Storage
Control Family: Media Protection
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-88 [50]
SP 800-111 [51]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.08.01
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
MP-04
Physically control and securely store system media that contain CUI.
Discussion:
System media include digital and non-digital media. Digital media include diskettes, flash drives, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media include paper and microfilm. Physically controlling stored media includes conducting inventories, establishing procedures to allow individuals to check out and return media to libraries, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. Controlled areas provide physical and procedural controls to meet the requirements established for protecting information and systems. Sanitization techniques (e.g., destroying, cryptographically erasing, clearing, and purging) prevent the disclosure of CUI to unauthorized individuals. The sanitization process removes CUI from media such that the information cannot be retrieved or reconstructed.
Assessment Methods and Objectives
Examine [SELECT FROM: physical protection policy and procedures; media protection policy and procedures; procedures for media storage; access control policy and procedures; system media; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with system media protection and storage responsibilities; personnel with information security responsibilities]
Test [SELECT FROM: processes for storing information media; mechanisms for supporting or implementing secure media storage/media protection]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.08.01[01]: system media that contain CUI are physically controlled.
A.03.08.01[02]: system media that contain CUI are securely stored.