MP — Media Protection

new org

SPRS Score: -1203

Objective Progress 0 / 15 (0.0%)
CMMC Practices MET 0 / 9
Domain Score Impact -23

CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.

MP.L2-3.8.1 DoD Weight: 3 Deduction: -3 Basic
Not Yet Assessed
Requirement: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.1[a] = Not Yet Assessed; 3.8.1[b] = Not Yet Assessed; 3.8.1[c] = Not Yet Assessed; 3.8.1[d] = Not Yet Assessed

Assessment Objectives (4)

  • 3.8.1[a]
    Determine if: paper media containing CUI is physically controlled.
    Not Yet Assessed
  • 3.8.1[b]
    Determine if: digital media containing CUI is physically controlled.
    Not Yet Assessed
  • 3.8.1[c]
    Determine if: paper media containing CUI is securely stored.
    Not Yet Assessed
  • 3.8.1[d]
    Determine if: digital media containing CUI is securely stored.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System media protection policy; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; security plan; media storage facilities; access control records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media protection responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for restricting information media; mechanisms supporting or implementing media access restrictions].
MP.L2-3.8.2 DoD Weight: 3 Deduction: -3 Basic
Not Yet Assessed
Requirement: Limit access to CUI on system media to authorized users.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.2 = Not Yet Assessed

Assessment Objectives (1)

  • 3.8.2
    Determine if: access to CUI on system media is limited to authorized users.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; security plan; system media; designated controlled areas; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media protection and storage responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for storing media; mechanisms supporting or implementing secure media storage and media protection].
MP.L2-3.8.3 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Sanitize or destroy system media containing CUI before disposal or release for reuse.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.3[a] = Not Yet Assessed; 3.8.3[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.8.3[a]
    Determine if: system media containing CUI is sanitized or destroyed before disposal.
    Not Yet Assessed
  • 3.8.3[b]
    Determine if: system media containing CUI is sanitized before it is released for reuse.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; applicable standards and policies addressing media sanitization; security plan; media sanitization records; system audit logs and records; system design documentation; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with media sanitization responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or implementing media sanitization].
MP.L2-3.8.4 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Mark media with necessary CUI markings and distribution limitations.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.4[a] = Not Yet Assessed; 3.8.4[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.8.4[a]
    Determine if: media containing CUI is marked with applicable CUI markings.
    Not Yet Assessed
  • 3.8.4[b]
    Determine if: media containing CUI is marked with distribution limitations.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System media protection policy; procedures addressing media marking; physical and environmental protection policy and procedures; security plan; list of system media marking security attributes; designated controlled areas; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media protection and marking responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for marking information media; mechanisms supporting or implementing media marking].
MP.L2-3.8.5 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.5[a] = Not Yet Assessed; 3.8.5[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.8.5[a]
    Determine if: access to media containing CUI is controlled.
    Not Yet Assessed
  • 3.8.5[b]
    Determine if: accountability for media containing CUI is maintained during transport outside of controlled areas.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; security plan; system media; designated controlled areas; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media protection and storage responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for storing media; mechanisms supporting or implementing media storage and media protection].
MP.L2-3.8.6 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.6 = Not Yet Assessed

Assessment Objectives (1)

  • 3.8.6
    Determine if: the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System media protection policy; procedures addressing media transport; system design documentation; security plan; system configuration settings and associated documentation; system media transport records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media transport responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas].
MP.L2-3.8.7 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Control the use of removable media on system components.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.7 = Not Yet Assessed

Assessment Objectives (1)

  • 3.8.7
    Determine if: the use of removable media on system components containing CUI is controlled.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; security plan; rules of behavior; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for media use; mechanisms restricting or prohibiting use of system media on systems or system components].
MP.L2-3.8.8 DoD Weight: 3 Deduction: -3 Basic
Not Yet Assessed
Requirement: Prohibit the use of portable storage devices when such devices have no identifiable owner.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.8 = Not Yet Assessed

Assessment Objectives (1)

  • 3.8.8
    Determine if: the use of portable storage devices is prohibited when such devices have no identifiable owner.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; security plan; rules of behavior; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for media use; mechanisms prohibiting use of media on systems or system components].
MP.L2-3.8.9 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Protect the confidentiality of backup CUI at storage locations.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.8.9 = Not Yet Assessed

Assessment Objectives (1)

  • 3.8.9
    Determine if: the confidentiality of backup CUI is protected at storage locations.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Procedures addressing system backup; security plan; backup storage location(s); system backup logs or records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system backup responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for conducting system backups; mechanisms supporting or implementing system backups].