03.08.02: Media Access

Control Familly: Media Protection

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-111 [51]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.08.02

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • MP-02

Restrict access to CUI on system media to authorized personnel or roles.

Discussion:

System media include digital and non-digital media. Access to CUI on system media can be restricted by physically controlling such media. This includes conducting inventories, ensuring that procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for stored media. For digital media, access to CUI can be restricted by using cryptographic means. Encrypting data in storage or at rest is addressed in 03.13.08.

Assessment Methods and Objectives

Examine [SELECT FROM: physical protection policy and procedures; media protection policy and procedures; procedures for media access restrictions; access control policy and procedures; media storage facilities; access control records; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with system media protection responsibilities; personnel with information security responsibilities; system administrators]

Test [SELECT FROM: processes for restricting information on media; mechanisms for supporting or implementing media access restrictions]

NIST SP 800-171A r3 Determining Statements Determine if:

A.03.08.02: access to CUI on system media is restricted to authorized personnel or roles.