03.08.05: Media Transport
Control Family: Media Protection
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-111 [51]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.08.05
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
MP-05
SC-28
a. Protect and control system media that contain CUI during transport outside of controlled areas.
b. Maintain accountability of system media that contain CUI during transport outside of controlled areas.
c. Document activities associated with the transport of system media that contain CUI.
Discussion:
System media include digital and non-digital media. Digital media include flash drives, diskettes, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media include microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural measures to meet the requirements established for protecting CUI and systems. Media protection during transport can include cryptography and/or locked containers. Activities associated with media transport include releasing media for transport, ensuring that media enter the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking or obtaining the records of transport activities as the media move through the transportation system to prevent and detect loss, destruction, or tampering. This requirement is related to 03.13.08 and 03.13.11.
Assessment Methods and Objectives
Examine [SELECT FROM: physical protection policy and procedures; media protection policy and procedures; procedures for media storage; access control policy and procedures; authorized personnel list; system media; designated controlled areas; system and communications protection policy and procedures; cryptographic mechanisms and configuration documentation; procedures for the protection of information at rest; system design documentation; system configuration settings; list of information at rest requiring confidentiality protections; system audit records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with system media protection and storage responsibilities; personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: processes for storing information media; mechanisms for supporting or implementing media storage/media protection; mechanisms for supporting or implementing confidentiality protections for information at rest]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.08.05.a[01]: system media that contain CUI are protected during transport outside of controlled areas.
A.03.08.05.a[02]: system media that contain CUI are controlled during transport outside of controlled areas.
A.03.08.05.b: accountability for system media that contain CUI is maintained during transport outside of controlled areas.
A.03.08.05.c: activities associated with the transport of system media that contain CUI are documented.