Media Protection (MP) is one of the few Domains within the Cybersecurity Maturity Model Certification (CMMC) with no Level 4 or 5 requirements. In fact, it is one of the smallest Domains in terms of total Practices - totaling 8. Requirements range from relatively simple in nature to complex, especially when implementing across varying media types and enterprises.
Media Protection is a Domain focused on the protection of FCI and CUI on physical and digital media containers throughout the lifecycle of every endpoint and form of media. The Capabilities within the domain are shown in the image below. These include labeling, tracking, managing, repurposing, storing, disposal, and more. As discussed in the following Level by Level breakdowns, Microsoft or another cloud vendor may be meeting some of these requirements on behalf of your company and environment by the way they manage their physical media at the data center.
MP.1.118 - Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
NIST SP 800-88 is referenced several times in CMMC documentation; it lays out the accepted methods for sanitizing and destroying hard copy and electronic media. It also gives specific treatment to newer technology, such as Solid State Drives, which cannot be reliably sanitized by the overwrite techniques used on older magnetic disk drives (a firmware-level secure erase, a cryptographic erase, or physical destruction is needed instead). For that reason, 800-88 emphasizes verification and periodic testing to confirm that the processes and tools used to clear, purge, or destroy media actually work. You should also keep a record of every purge or destruction and tie each entry to a person, a time, and a method.
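The verification-and-record step above, as an added example that is not from the original page: sample blocks from a cleared drive (or a raw image of it) to confirm the overwrite pattern is all that remains, then append a log entry tying the result to an operator, a timestamp and a method. The paths, operator name and method string are assumptions, and the 16 MB zero-filled file is a constructed stand-in for a real device such as `\\.\PhysicalDrive2` (which needs an elevated prompt).

```powershell
# Added example, not from the original page: verify a cleared drive by block
# sampling and write a NIST 800-88 style sanitization record.
# All paths and names below are assumptions.
$ImagePath   = "$env:TEMP\wiped-disk.img"          # stand-in for \\.\PhysicalDriveN
$LogPath     = "$env:TEMP\sanitization-log.jsonl"
$Operator    = 'jdoe'                                    # assumption
$Method      = 'Clear: single-pass overwrite with 0x00'  # assumption
$SampleCount = 256
$BlockSize   = 4096
[byte]$Expected = 0x00

# Constructed input: a 16 MB zero-filled file standing in for a cleared drive.
if (-not (Test-Path $ImagePath)) {
    $f = [System.IO.File]::Create($ImagePath)
    $f.SetLength(16MB)
    $f.Close()
}

# 800-88 (section 4.7) accepts representative sampling across the media in
# place of a full read; every sampled block must contain only the overwrite
# pattern, otherwise the clear failed and the media must be re-done or destroyed.
$stream = [System.IO.File]::OpenRead($ImagePath)
$blocks = [int][math]::Floor($stream.Length / $BlockSize)
$rng    = [System.Random]::new()
$buffer = New-Object byte[] $BlockSize
$dirty  = New-Object System.Collections.Generic.List[int]

for ($i = 0; $i -lt $SampleCount; $i++) {
    $block = $rng.Next(0, $blocks)
    $null  = $stream.Seek([long]$block * $BlockSize, [System.IO.SeekOrigin]::Begin)
    $read  = $stream.Read($buffer, 0, $BlockSize)
    for ($j = 0; $j -lt $read; $j++) {
        if ($buffer[$j] -ne $Expected) { $dirty.Add($block); break }
    }
}
$stream.Close()

# The record is what ties the action to a person, a time and a method.
$result = if ($dirty.Count -eq 0) { 'PASS' } else { 'FAIL' }
$record = [ordered]@{
    Media          = $ImagePath
    Operator       = $Operator
    Timestamp      = (Get-Date).ToString('o')
    Method         = $Method
    SampledBlocks  = $SampleCount
    BlockSize      = $BlockSize
    ResidualBlocks = @($dirty)
    Result         = $result
}
# One JSON object per line so the log can be appended to and searched.
($record | ConvertTo-Json -Compress) | Add-Content -Path $LogPath
$record
```

Sampling is a spot check, not proof: a drive with remapped or over-provisioned sectors (the SSD case 800-88 warns about) can pass this test and still hold data, which is why the method column matters as much as the result column.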
Cloud providers such as Microsoft and AWS handle some or all of the sanitization of media and devices at the data center. Microsoft, for example, states explicitly that it uses "best practice procedures and a wiping solution that is NIST 800-88 compliant." It will wipe media and/or destroy end-of-life devices to render recovery of the information impossible, and it keeps detailed records of the destruction. Note that this covers only the media inside the provider's data centers; laptops, phones, printers and removable drives in your own offices remain your responsibility.
Mobile phones are referenced as a possible system media container, which introduces the need for either a manual process to wipe phones and tablets of CUI or a Mobile Device Management (MDM) and/or Mobile Application Management (MAM) tool like Microsoft Intune. Once a device is enrolled in Intune, administrators can wipe either the whole device or a selected set of data, depending on the device's future use and who owns it.
If an employee is allowed to access corporate data, FCI, or CUI from their mobile device through managed applications (Teams, SharePoint, OneDrive, etc.), a selective wipe removes all of that managed data once the individual leaves the company. All that remains is the person's personal data.
The CMMC discussion of MP.1.118 notes that information released into the public domain does not require these sanitization efforts. Lastly, if you enjoy burning things or letting off steam by spending hours in front of a shredder, here is an excerpt from NIST 800-88 on destruction requirements.
"Destroy paper using cross cut shredders which produce particles that are 1 mm x 5 mm (0.04 in. x 0.2 in.) in size (or smaller), or pulverize/disintegrate paper materials using disintegrator devices equipped with a 3/32 in. (2.4 mm) security screen. Destroy microforms (microfilm, microfiche, or other reduced image photo negatives) by burning." --- Exciting stuff.
MP.2.119 - Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
This practice is about the physical security of physical media, not about labeling. CMMC points to NIST SP 800-111 (Guide to Storage Encryption Technologies for End User Devices) as a best-practice guide for data at rest on digital media. 800-111 deals largely with encryption and ties into other practices elsewhere in CMMC, such as SC.3.177, "Employ FIPS validated cryptography when used to protect the confidentiality of CUI".
Beyond removable storage and personal devices/computers, Microsoft (via Azure Government and/or Microsoft 365 GCC High) goes to great lengths to physically secure its data centers and all of the computing and storage media they contain.
For non-digital media, such as paper documents, it is a simpler process: lock it up, limit access, record access, manage keys, and repeat. With a more remote workforce since the pandemic, your written policies need to be stronger and strictly restrict printing and other duplication of CUI. Additionally, you may want to create AIP or Unified Labeling policies to be used in tandem with Intune to prevent users from printing a document labeled CUI.
MP.2.120 - Limit access to CUI on system media to authorized users.
This practice could honestly be combined with the one above, but let's camp out on the word 'authorized'. It is obvious that a company needs to keep its server/network room under lock and key with only select individuals permitted to access it, and the same applies to storage areas for other forms of media containing FCI/CUI. In a cloud scenario, you are entrusting this process to the cloud provider. In Microsoft's case, access to each data center is by request only and requires two-factor authentication with biometrics to move through the data center once you are in. In addition to a myriad of other precautions, Microsoft conducts video camera monitoring on the front and back of every server rack. You cannot pick your nose at a Microsoft Data Center without someone knowing it.
MP.2.121 - Control the use of removable media on system components.
This practice is focused on endpoints and the physical ports and peripheral interfaces (USB, Thunderbolt, SD card slots, Bluetooth) on hardware components within an information system. To control them, you must deploy written policy and technical controls that prevent individuals from using unapproved media in your environment.
For example, on Windows PCs and devices you can use Microsoft Defender ATP device control policies to approve or deny devices by USB vendor ID, product ID, device instance ID, or a combination, scoped to an individual or group of Azure Active Directory (Azure AD) users and enrolled devices. This can be applied to all removable storage, as well as Bluetooth-based peripherals. Intune makes it easy to push these MDATP policies to all devices or to change them later.
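Building the allow-list above starts with knowing which vendor, product and instance IDs your company-issued drives actually present. The following is an added example, not from the original page or from Microsoft: it inventories the USB storage devices attached to a Windows 10 endpoint and flags any whose vendor/product ID is not on the allow-list, which is exactly the identifier set a Defender device control rule is keyed on. The allow-list entries, the VID/PID values (placeholders, not real product IDs) and the output path are assumptions.

```powershell
# Added example, not from the original page: inventory attached USB storage
# devices and flag the ones not on the company allow-list.
# Allow-list entries, placeholder VID/PID values and output path are assumptions.
$Approved = @(
    @{ VendorId = '1234'; ProductId = '5678'; Label = 'Company-issued encrypted USB (placeholder IDs)' }
)
$ReportPath = "$env:TEMP\unapproved-usb.csv"

# Get-PnpDevice / Get-PnpDeviceProperty ship with Windows 10 (PnpDevice module).
# USBSTOR instance IDs look like USBSTOR\DISK&VEN_x&PROD_y&REV_z\<serial>&0;
# the VID/PID live on the parent USB node, e.g. USB\VID_0781&PID_5591\<serial>.
$usbDisks = Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' }

$inventory = foreach ($disk in $usbDisks) {
    $parent = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId -KeyName 'DEVPKEY_Device_Parent').Data
    $vendorId = $productId = $null
    if ($parent -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
        $vendorId  = $matches[1].ToUpper()
        $productId = $matches[2].ToUpper()
    }
    $isApproved = [bool]($Approved | Where-Object { $_.VendorId -eq $vendorId -and $_.ProductId -eq $productId })
    [pscustomobject]@{
        FriendlyName = $disk.FriendlyName
        VendorId     = $vendorId
        ProductId    = $productId
        Serial       = ($disk.InstanceId -split '\\')[-1]   # per-stick; use it to pin one specific device
        InstanceId   = $disk.InstanceId
        Approved     = $isApproved
    }
}

$inventory | Format-Table -AutoSize
# Anything unapproved is what the device control policy should deny, and what
# MP.3.123 says a user should not plug in at all.
$inventory | Where-Object { -not $_.Approved } | Export-Csv -Path $ReportPath -NoTypeInformation
```

A VID/PID allow-list admits every unit of that model, including one bought by an attacker; where the requirement is "this specific drive", key the rule on the serial-bearing instance ID instead.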
MP.3.122 - Mark media with necessary CUI markings and distribution limitations.
Most of the present documentation is archaic and focuses on physical forms of media. For a quick read on how to mark filing cabinets, external drives, etc. you can review NARA's source documentation here. In the CUI handbook, it provides instructions on how to label CUI within a document itself but also permits and encourages the use of electronic alerts notifying users of the presence of CUI.
With Microsoft's Unified Labeling (the successor to the Azure Information Protection client that most organizations currently use), you can apply a label policy that alerts users they are accessing CUI, forces them to authenticate to open the file, limits their interactions (for example, restricting forwarding or requiring a justification to lower the label), or automatically applies headers and footers.
MP.3.123 - Prohibit the use of portable storage devices when such devices have no identifiable owner.
This practice correlates strongly with Asset Management (AM). The main objective is limiting the use of physical storage devices like USB external drives to encrypted, known, tagged, and managed devices. Though Defender can scan an external drive on insertion before a file is opened, written company policy should still forbid opening or using a drive that is not company owned and managed, or whose origin the user does not know.
MP.3.124 - Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
MP.3.125 - Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
For most organizations, these two practices boil down to two major activities and associated written policies: locking and controlling access to keys for physical media containers (such as a room or filing cabinet), and encrypting digital media and ideally the files residing on them. The first activity is relatively self-explanatory; cryptography can be slightly more complicated.
Windows 10 devices can use BitLocker Drive Encryption, whose cryptographic modules are FIPS 140 validated; enabling the Windows FIPS policy and using an XTS-AES encryption method keeps it within that validation boundary. AIP labels can be applied to files for item-level encryption as well. Many SSDs are self-encrypting, but a drive's built-in encryption is only as trustworthy as its firmware, so confirm the drive itself is FIPS validated before relying on it instead of software encryption. DVD/CD/USB media will need specific software to encrypt them if they do not come with baked-in, validated encryption like an Aegis Secure Key or IronKey, for example. Ben Curry, Principal Architect at Summit 7, discusses this and more in the short talk below.
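Checking the BitLocker and FIPS state described above across a fleet is routine assessment evidence. The following is an added example, not from the original page or from Summit 7: it reports, per volume, whether BitLocker is fully on with an AES method and whether the Windows FIPS policy is enabled, treating FIPS mode as required (a policy choice for this script). It needs the BitLocker module (Windows 10 Pro/Enterprise) and an elevated prompt; the report path and the `$Remediate` switch are assumptions.

```powershell
# Added example, not from the original page: per-volume BitLocker and FIPS
# policy report for a Windows 10 endpoint, with optional remediation.
# Report path and $Remediate switch are assumptions.
$ReportPath = "$env:TEMP\bitlocker-report.csv"
$Remediate  = $false   # $true: enable XTS-AES-256 on an unencrypted OS volume

# FIPS mode is the LSA FipsAlgorithmPolicy\Enabled value (1 = on); it is normally
# set by the "System cryptography: Use FIPS compliant algorithms" security policy.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsOn  = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
$aesMethods = 'XtsAes128', 'XtsAes256', 'Aes128', 'Aes256'

$report = foreach ($vol in Get-BitLockerVolume) {
    $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    # 'Hardware' means a self-encrypting drive is doing the work; that needs a
    # separate check of the drive's own validation, so it is not a pass here.
    $softwareAes = $vol.EncryptionMethod -in $aesMethods
    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        VolumeType   = $vol.VolumeType
        VolumeStatus = $vol.VolumeStatus
        Protection   = $vol.ProtectionStatus
        Method       = $vol.EncryptionMethod
        Protectors   = ($vol.KeyProtector.KeyProtectorType -join ',')
        FipsMode     = $fipsOn
        Compliant    = ($encrypted -and $softwareAes -and $fipsOn)
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

if ($Remediate) {
    $todo = $report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.VolumeStatus -eq 'FullyDecrypted' }
    foreach ($row in $todo) {
        # TPM protector for unattended boot, plus a recovery password that must be
        # escrowed (Azure AD/Intune or AD DS) before you depend on it.
        Enable-BitLocker -MountPoint $row.MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
        Add-BitLockerKeyProtector -MountPoint $row.MountPoint -RecoveryPasswordProtector
    }
}
```

The `Protectors` column is worth reading alongside `Compliant`: a volume showing only `RecoveryPassword` with no `Tpm` entry is encrypted but will prompt for the 48-digit key at every boot, which usually means the TPM protector was never added.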