NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
AC-3.8.1: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
Control Family: Maintenance
Control Type: Basic
SPRS Value: 3
SPRS Supplemental Guidance:
Exposure limited to CUI on
media
CMMC Level(s):
MP.L2-3.8.1
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
MP-2
MP-4
MP-6
NIST Supplemental Guidance:
[SP 800-111]
Discussion:
System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.
Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media.
[SP 800-111] provides guidance on storage encryption technologies for end user devices.
Upon assessment, assessors must determine if-
3.8.1[a] paper media containing CUI is physically controlled.
3.8.1[b] digital media containing CUI is physically controlled.
3.8.1[c] paper media containing CUI is securely stored.
3.8.1[d] digital media containing CUI is securely stored.
Assessors are instructed to-
Examine: [SELECT FROM: System media protection policy; procedures addressing media storage; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; system security plan; media storage facilities; access control records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media protection responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for restricting information media; mechanisms supporting or implementing media access restrictions].