Your customer has provided you with Controlled Technical Information for designing a system … they have provided the information digitally and securely transported hard copy plans to you.  How do you protect both types of media?

System media includes digital (flash drives, hard drives, memory devices, etc.) and non-digital (i.e., a hard copy representation of information such as paper copy) media.  Protecting both requires controls and procedures for logical and physical access.

Media Access Control

3.8.1Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.8.2Limit access to CUI on system media to authorized users.
3.8.5Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

Logical access control can be achieved through Hypertext Transfer Protocol Secure (HTTPS) connections, firewall appliances, gateways, and highly-secured cloud platforms, as discussed in our CMMC Implementation – Level 2 (Access Control) blog.  

Controlling physical access for hard copy media can be achieved through restricted facility access and locked boxes or file cabinets.

When transporting media containing CUI, use processes such as chain of custody, data encryption in keeping with FIPS 140-2, tamper-evident packaging, and locked containers.

Media Sanitization

3.8.3Sanitize or destroy system media containing CUI before disposal or release for reuse.

Sanitizing media irreversibly removes information from the device. 

Digital media can be contained in scanners, copiers, printers, laptops, desktop computers, mobile phones, and other network components.  Sanitization policies and procedures must be in place for digital media containing CUI, regardless of whether the media is removable from the system or not.  Techniques for sanitizing digital media include (NIST SP 800-88 Descriptions used):

  • Clearing – Applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
  • Purging – Applies physical or logical techniques that render Target Data recovery infeasible using state-of-the-art laboratory techniques.
  • Destroying – Renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.

Non-digital media such as paper copies of controlled information must also be sanitized.  Shredding (using locked bins) or incinerating are two examples of sanitizing physical print media.

NIST SP 800-88 Rev.1, Guidelines for Media Sanitization[1], provides detailed information on media sanitization techniques and tools, including “Minimum Sanitization Recommendations” for specific types of media (see Appendix A).

Portable Storage

3.8.7Control the use of removable media on system components.
3.8.8Prohibit the use of portable storage devices when such devices have no identifiable owner.

Portable storage is “a data storage device that can be added or removed from a system and that has a small form factor making it easy to transport and lose”[2]

Removable media is a portable data storage device that can be inserted into and removed from a computer system.  Examples of removable media include flash drives (a/k/a thumb drives) and external hard drives.

Depending on the needs of the organization, removable media can either be controlled or disallowed.  If disallowed, configure the device to disable read and write access to removable storage devices.  Whitelisting and encryption effectively control the use of removable media. 

A detailed and comprehensive Asset Inventory List is essential for ensuring that all organizational devices have an identifiable owner.  Unique identifiers, device labels, and detailed information on the device and assigned owner allow for close tracking.  Portable storage devices that have not yet been assigned to an owner should be kept in a restricted location.

CUI at Storage Locations

3.8.9Protect the confidentiality of backup CUI at storage locations.

Backup information needs to be as secure as the first-line source, both in transit and in storage.  Encrypted devices, access control, password protection, chain of custody, restricted facilities, and data retention managed are examples of ensuring the confidentiality of backup CUI at physical and logical storage locations.

Need Help?

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.

FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities.  With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.

Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC).  Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements.  An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.

As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on premise as well as cloud-based solutions to assist you with your compliance needs.

FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a Cyber-AB Registered Practitioner Organization

Please visit for more information.