NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
3.8.6: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Control Family: Maintenance
Control Type: Derived
SPRS Value: 1
SPRS Supplemental Guidance: N/A
CMMC Level(s): MP.L2-3.8.6
Top Ten Failed Requirement: No
Referenced in: DFARS 252.204-7012
Derived From: NIST SP 800-53r4 MP-5(4)
NIST Supplemental Guidance: [NIST CRYPTO], [SP 800-111]
Discussion:
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives).
See [NIST CRYPTO]. [SP 800-111] provides guidance on storage encryption technologies for end user devices.
Upon assessment, assessors must determine if:
Determine if the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
Assessors are instructed to:
Examine: [SELECT FROM: System media protection policy; procedures addressing media transport; system design documentation; system security plan; system configuration settings and associated documentation; system media transport records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media transport responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas].
FURTHER DISCUSSION
To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect the data. Even if the media are lost, proper encryption renders the data inaccessible. When encryption is not an option, apply alternative physical safeguards during transport. Because the cryptography in this requirement is used to protect the confidentiality of CUI, it must meet the criteria specified in requirement SC.L2-3.13.11. This requirement, MP.L2-3.8.6, provides additional protections beyond those provided by MP.L2-3.8.5. It is intended to protect against situations where control of media access fails, such as through the loss of the media.
Example
You manage the backups for file servers in your datacenter. You know that in addition to the company’s sensitive information, CUI is stored on the file servers. As part of a broader plan to protect data, you send the backup tapes off site to a vendor. You are aware that your backup software provides the option to encrypt data onto tape. You develop a plan to test and enable backup encryption for the data sent off site. This encryption provides additional protections for the data on the backup tapes during transport and offsite storage [a].
Potential Assessment Considerations
Are all CUI data on media encrypted or physically protected prior to transport outside of controlled areas [a]?
Are cryptographic mechanisms used to protect digital media during transport outside of controlled areas [a]?
Do cryptographic mechanisms comply with FIPS 140-2 [a]?
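The Further Discussion and the assessment considerations above amount to a decision rule that an assessor applies to each media transport record: CUI that left a controlled area must have been encrypted with an approved algorithm implemented in a validated module, or else covered by a documented alternative physical safeguard. The following Python helper is an added illustration of that rule, not code from NIST or from any assessment tool. The algorithm allow-list, the minimum key length, the record layout and the sample transport log are all constructed assumptions; in particular, FIPS 140-2 validation applies to the cryptographic module, so the helper treats a missing CMVP certificate reference as a failure rather than inferring validation from the algorithm name.

```python
"""Assessment helper for NIST SP 800-171 Rev. 2 requirement 3.8.6 (added example).

Given media transport records, decide whether each transport of CUI on
digital media was protected by an approved cryptographic mechanism or,
failing that, by a documented alternative physical safeguard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed organisational allow-list: FIPS-approved AES modes and the minimum
# key length accepted for CUI on transported media. FIPS 140-2 validation is
# a property of the implementing module, so a record must also cite the
# module's CMVP certificate to pass (the certificate values below are placeholders).
APPROVED_ALGORITHMS = {"AES-256-GCM", "AES-256-XTS", "AES-256-CBC"}
MIN_KEY_BITS = 256


@dataclass
class MediaTransportRecord:
    media_id: str
    contains_cui: bool
    left_controlled_area: bool
    encryption_algorithm: Optional[str] = None
    key_bits: int = 0
    cmvp_certificate: Optional[str] = None
    physical_safeguards: List[str] = field(default_factory=list)


def assess_transport(rec: MediaTransportRecord) -> Tuple[bool, str]:
    """Return (compliant, reason) for one transport record under 3.8.6."""
    if not rec.contains_cui:
        return True, "no CUI on media; 3.8.6 not applicable"
    if not rec.left_controlled_area:
        return True, "media did not leave a controlled area"
    if rec.encryption_algorithm:
        # Cryptographic path: algorithm, key length and validated module all required.
        if rec.encryption_algorithm not in APPROVED_ALGORITHMS:
            return False, f"algorithm {rec.encryption_algorithm} not on approved list"
        if rec.key_bits < MIN_KEY_BITS:
            return False, f"key length {rec.key_bits} below minimum {MIN_KEY_BITS}"
        if not rec.cmvp_certificate:
            return False, "no FIPS 140-2 validated module cited (see SC.L2-3.13.11)"
        return True, (f"encrypted with {rec.encryption_algorithm} "
                      f"in validated module {rec.cmvp_certificate}")
    if rec.physical_safeguards:
        # The "unless otherwise protected" clause: physical safeguards must be documented.
        return True, "alternative physical safeguards: " + ", ".join(rec.physical_safeguards)
    return False, "CUI left controlled area with neither encryption nor physical safeguard"


def assess_all(records: List[MediaTransportRecord]) -> Dict[str, Tuple[bool, str]]:
    """Assess every record, keyed by media identifier."""
    return {r.media_id: assess_transport(r) for r in records}


# Constructed sample transport log; identifiers and certificate strings are not real.
SAMPLE_RECORDS = [
    MediaTransportRecord("TAPE-0001", True, True, "AES-256-GCM", 256, "CMVP-cert-placeholder"),
    MediaTransportRecord("TAPE-0002", True, True, "AES-256-GCM", 256, None),
    MediaTransportRecord("USB-0042", True, True, "3DES-CBC", 168, "CMVP-cert-placeholder"),
    MediaTransportRecord("HDD-0007", True, True, None, 0, None,
                         ["locked transport case", "bonded courier with chain-of-custody form"]),
    MediaTransportRecord("USB-0043", True, True),
    MediaTransportRecord("DVD-0010", False, True),
]

if __name__ == "__main__":
    for media_id, (ok, reason) in assess_all(SAMPLE_RECORDS).items():
        print(f"{media_id}: {'PASS' if ok else 'FAIL'} - {reason}")
```

Running the helper over the constructed log flags three records: the tape encrypted without a cited validated module, the USB stick using an algorithm outside the allow-list, and the USB stick shipped with no protection at all. The drive carried under documented physical safeguards passes, which is the alternative the requirement explicitly permits.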
Frameworks & Controls
3.8.2: Limit access to CUI on system media to authorized users.
3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse.
3.8.4: Mark media with necessary CUI markings and distribution limitations.
3.8.7: Control the use of removable media on system components.
3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9: Protect the confidentiality of backup CUI at storage locations.