NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
3.8.2: Limit access to CUI on system media to authorized users.
Control Family: Maintenance
Control Type: Basic
SPRS Value: 3
SPRS Supplemental Guidance:
Exposure limited to CUI on
media
CMMC Level(s): MP.L2-3.8.1
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
MP-2
MP-4
MP-6
NIST Supplemental Guidance:
N/A
Discussion:
Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.
Upon assessment, assessors must determine if-
Determine if access to CUI on system media is limited to authorized users.
Assessors are instructed to-
Examine: [SELECT FROM: System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; system security plan; system media; designated controlled areas; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media protection and storage responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for storing media; mechanisms supporting or implementing secure media storage and media protection].
FURTHER DISCUSSION
Limit physical access to CUI to people permitted to access CUI. Use locked or controlled storage areas and limit access to only those allowed to access CUI. Keep track of who accesses physical CUI in an audit log.
Example
Your company has CUI for a specific Army contract contained on a USB drive. In order to control the data, you establish specific procedures for handling the drive. You designate the project manager as the owner of the data and require anyone who needs access to the data to get permission from the data owner [a]. The data owner maintains a list of users that are authorized to access the information. Before an authorized individual can get access to the USB drive that contains the CUI they have to fill out a log and check out the drive. When they are done with the data, they check in the drive and return it to its secure storage location.
Potential Assessment Considerations
Is a list of users who are authorized to access the CUI contained on system media maintained [a]?
Frameworks & Controls
3.8.2: Limit access to CUI on system media to authorized users.
3.8.3: Sanitize or destroy system media containing
CUI before disposal or release for reuse.3.8.4: Mark media with necessary CUI markings and distribution limitations.
3.8.7: Control the use of removable media on system components.
3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9: Protect the confidentiality of backup CUI at storage locations.