An assessment is being conducted at a remote client site. For the duration of the assessment, the client has provided a designated hoteling space in their secure facility which consists of a desk with access to a shared printer. After noticing that the desk does not lock, a locked cabinet is requested but the client does not have one available. At the end of the day, the client provides a printout copy of an important network diagram. The diagram is clearly marked and contains CUI. What should be done NEXT to protect the document?
In this scenario, the primary concern is the protection of Controlled Unclassified Information (CUI) in an environment that lacks sufficient physical security controls (specifically, a lack of a locked cabinet or drawer). According to the CMMC Assessment Process (CAP) and NIST SP 800-171 (specifically the Physical Protection (PE) family), CUI must be protected from unauthorized access at all times.
Responsibility of the Assessor: CMMC Professionals (CCPs and CCAs) are bound by the CMMC Code of Professional Conduct and the C3PAO's internal security protocols to ensure that any CUI provided by the Organization Seeking Certification (OSC) is handled securely.
Physical Protection (PE.L2-3.10.1 and PE.L2-3.10.2): These practices require that an organization limit physical access to systems and equipment to authorized users and protect the physical facility. If the provided 'hoteling space' does not offer a locked container (like a cabinet) to secure the CUI overnight, leaving it in an unlocked drawer (Option C) or on the desk (Option B) would be a violation of CUI handling requirements and a security risk.
Why Option A is the best 'Next' step: In the absence of on-site secure storage, the assessor must maintain positive control of the CUI. Keeping the document on their person or taking it to a secure location (such as the assessor's hotel room) where it remains under their control is the only viable way to prevent unauthorized access by janitorial staff or other unauthorized personnel at the client site overnight.
Why other options are incorrect:
Options B and C: Both fail to protect the CUI from unauthorized access in a non-secure, shared environment.
Option D: Taking a picture of CUI on a personal phone is a major security violation (spillage), as personal devices are generally not authorized to store or process CUI.
Reference Documents:
CMMC Assessment Process (CAP) v1.0: Section regarding 'Assessor Responsibilities for CUI and Proprietary Information.'
NIST SP 800-171 Rev 2: Physical Protection (PE) family (3.10.1, 3.10.2).
DoD Instruction 5200.48: 'Controlled Unclassified Information (CUI),' which specifies that CUI must be protected by at least one physical barrier when not in the direct control of an authorized individual.