Data Security for CUI: The Controls That Protect Your Data
Master data security compliance standards to safeguard sensitive information in defense contracting.
"Data security" in the context of CMMC covers two domains: Media Protection (MP) and the data-focused controls in System and Communications Protection (SC). Together they answer the question: what happens to CUI data itself — when it's stored, when it moves, and when it's time to get rid of it?
This isn't the same as access control (who gets in) or network security (how the perimeter is defended). This is about the data: encrypted or not, marked or not, tracked or not, properly destroyed or just sitting on a decommissioned drive in a closet.
Media Protection: The 9 Controls You Need to Know
The MP domain in NIST SP 800-171 has 9 requirements. They apply to any media that contains CUI — hard drives, USB drives, backup tapes, printed documents, optical discs.
MP.L2-3.8.1 — Protect system media containing CUI, both paper and digital, during transport using physical security controls.
Practically, this means CUI documents in transit go in locked bags or sealed envelopes. Digital media goes in locked containers. Mailing printed CUI without double-envelope protection and tracking is a finding.
MP.L2-3.8.2 — Limit access to CUI on digital media to authorized users.
The intent is simple: a USB drive containing CUI should not be accessible to anyone who picks it up. Encrypted removable media is the standard solution — VeraCrypt containers, BitLocker To Go, or hardware-encrypted USB drives (IronKey, Kingston Ironkey).
MP.L2-3.8.3 — Sanitize or destroy system media before disposal or reuse.
This is where organizations consistently get caught. Deleting files is not sanitization. Reformatting a drive is not sanitization. If recoverable data exists on media that leaves your control, it's a control failure. NIST SP 800-88r1 defines three sanitization methods:
- Clear — overwriting with non-sensitive data. Acceptable for reuse within the organization.
- Purge — cryptographic erase or degaussing. Required before reuse outside the organization or disposal.
- Destroy — physical destruction (shredding, disintegrating, melting). Required for highly sensitive media or when purge can't be verified.
For SSDs, cryptographic erase is the preferred method — overwriting isn't reliable due to wear leveling. Blancco Drive Eraser and similar tools provide NIST 800-88 certified sanitization with audit trails. Budget $500–$2,000 for software licensing depending on volume, or $30–$75 per drive for third-party sanitization services with certificates of destruction.
MP.L2-3.8.4 — Mark media with necessary CUI markings and distribution limitations.
Any physical media containing CUI — drives, USB sticks, printed documents, CDs — must be labeled with the appropriate CUI marking. This links to your CUI marking policy. An unlabeled hard drive pulled from a server is a finding even if the data on it was properly encrypted.
MP.L2-3.8.5 — Control access to media containing CUI and maintain accountability during transport.
Maintain a log of CUI media: what it is, where it is, who has custody. Chain of custody documentation when media changes hands. If you can't tell an assessor where all your CUI media is right now, you have a gap.
MP.L2-3.8.6 — Implement cryptographic mechanisms to protect CUI during transport (unless protected by physical alternative safeguards).
Encrypt CUI before you ship a drive or send it via overnight courier. The encryption must be FIPS-validated.
MP.L2-3.8.7 — Control the use of removable media on system components.
This typically means disabling USB ports for storage devices (while leaving them functional for keyboards and mice) on CUI systems. Group Policy on Windows can restrict storage class devices. If USB drives are needed, approve specific devices and enforce encryption.
MP.L2-3.8.8 — Prohibit the use of portable storage devices when such devices have no identifiable owner.
A USB drive found in the parking lot gets plugged in — classic attack vector. Policy-level prohibition supported by technical controls (USB blocking) covers this.
MP.L2-3.8.9 — Protect backups of CUI at storage locations.
Backup media is CUI media. Apply the same controls: encryption at rest, access restrictions, physical protection for off-site media, and chain of custody documentation. Backup systems are often overlooked in access control reviews — they need to be in scope.
Encryption at Rest: What SC.L2-3.13.8 Actually Requires
SC.L2-3.13.8 requires FIPS-validated cryptography to protect CUI at rest. That means:
For workstations and laptops: Full-disk encryption is the standard implementation. BitLocker on Windows (with FIPS mode enabled via Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "System cryptography: Use FIPS compliant algorithms") uses FIPS-validated cryptographic modules. FileVault on macOS with Apple Silicon or T2/T1 chips uses Apple's Corecrypto module, which carries FIPS 140-2 validation.
For servers: BitLocker on Windows Server, or dm-crypt/LUKS on Linux. LUKS2 with the kernel's AF_ALG interface can use FIPS-validated modules, but this requires careful configuration — LUKS on a default Linux install is not FIPS-validated.
For cloud storage: Depends on who holds the encryption keys. Server-side encryption with provider-managed keys (AWS SSE-S3, Azure Storage encryption with Microsoft-managed keys) uses FIPS-validated algorithms but puts key control in the provider's hands. Server-side encryption with customer-managed keys (AWS SSE-KMS with your CMK, Azure with Key Vault) gives you control over key management.
The decision point on key management: If you're storing CUI in AWS GovCloud or Azure Government, provider-managed encryption with their FIPS-validated implementations is generally acceptable for CMMC. If you're in commercial cloud regions, or if you want cleaner documentation of key control for your assessor, customer-managed keys in a FIPS-validated KMS is the stronger position. The tradeoff is operational complexity — you're now responsible for key rotation, backup, and access control on the keys themselves.
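One way to make the key-management decision point above auditable is to classify each CUI bucket by where key control lies. The following is an added example, not code from the original article: it reads the shape of an S3 GetBucketEncryption response (the real AWS response shape) and applies the article's rule of thumb. The bucket names, key ARN and the key-manager lookup table are constructed; in AWS, whether a KMS key is AWS-managed or customer-managed comes from the DescribeKey KeyManager field, which the dict below stands in for.

```python
"""Classify where key control lies for each CUI storage bucket, following
the provider-managed vs customer-managed decision point in the section above.

Added example, not code from the original article. Input is the shape of an
S3 GetBucketEncryption response; bucket names, key ARN and KEY_MANAGER are
constructed stand-ins (the real source is KMS DescribeKey -> KeyManager).
"""

# Constructed stand-in for KMS DescribeKey results: key id/ARN -> KeyManager.
KEY_MANAGER = {
    "arn:aws:kms:us-gov-west-1:111122223333:key/EXAMPLE-CMK-ID": "CUSTOMER",
}

# Constructed GetBucketEncryption-style responses for three CUI buckets.
BUCKETS = {
    "cui-drawings": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "cui-contracts": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-gov-west-1:111122223333:key/EXAMPLE-CMK-ID"},
         "BucketKeyEnabled": True}]}},
    "cui-scratch": {},  # no default encryption configured at all
}


def key_control(config, key_manager=KEY_MANAGER):
    """Return 'none', 'provider-managed', 'customer-managed' or 'unknown-key'."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm == "AES256":  # SSE-S3: the provider holds and rotates the key
        return "provider-managed"
    if algorithm == "aws:kms":
        # No KMSMasterKeyID means the AWS-managed aws/s3 key is used.
        key_id = default.get("KMSMasterKeyID", "alias/aws/s3")
        if key_id.startswith("alias/aws/"):
            return "provider-managed"
        manager = key_manager.get(key_id)
        if manager == "CUSTOMER":
            return "customer-managed"
        if manager == "AWS":
            return "provider-managed"
        return "unknown-key"  # key not in our inventory: do not guess
    return "none"


def assess(config, in_gov_region):
    """Apply the article's rule of thumb; returns (status, note)."""
    control = key_control(config)
    if control == "none":
        return "finding", "no default encryption: CUI at rest is unencrypted unless set per object"
    if control == "unknown-key":
        return "review", "KMS key not in inventory; confirm KeyManager via DescribeKey"
    if control == "customer-managed":
        return "ok", "customer-managed key: document rotation, backup and the key policy"
    if in_gov_region:
        return "ok", "provider-managed key in a Government region: generally acceptable"
    return "review", "provider-managed key in a commercial region: customer-managed key is the stronger position"


if __name__ == "__main__":
    for name, config in BUCKETS.items():
        status, note = assess(config, in_gov_region=True)
        print(f"{status:8} {name}: {key_control(config)}; {note}")
```

Feed it the real GetBucketEncryption output per bucket and a KeyManager lookup built from DescribeKey, and the output doubles as the key-control statement an assessor asks for.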
Encryption in Transit: What SC.L2-3.13.11 Actually Requires
SC.L2-3.13.11 requires FIPS-validated cryptography to protect CUI during transmission. CUI should never travel over the network in the clear — no FTP, no unencrypted HTTP, no telnet.
The standard implementations:
- TLS 1.2 or 1.3 for web-based access, APIs, and email
- IPsec/IKEv2 for site-to-site VPN
- SFTP or FTPS (not plain FTP) for file transfers
Cipher suite selection matters. On web servers, disable TLS 1.0, TLS 1.1, and any cipher suites using RC4, DES, or 3DES. The specific FIPS-approved cipher suites for TLS 1.2 are documented in NIST SP 800-52r2 — TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and similar AES-GCM suites are appropriate. For TLS 1.3, all the default cipher suites are FIPS-acceptable.
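The protocol and cipher-suite rules above can be turned into a check run over whatever a scanner such as testssl.sh reports for a CUI-facing server. This is an added example, not code from the original article: the (protocol, suite) input shape is an assumption modelled on scanner output, the sample list is constructed, and the rules encode the section's guidance with one caveat from SP 800-52r2, namely that TLS_CHACHA20_POLY1305_SHA256 is not a FIPS-approved suite and a FIPS-mode stack will not offer it.

```python
"""Audit offered TLS protocol/cipher-suite pairs against the guidance in the
section above: no TLS 1.0/1.1, no RC4/DES/3DES, AES-GCM suites for TLS 1.2
(with ECDHE or DHE key exchange) and the AES-GCM suites for TLS 1.3.

Added example, not code from the original article. Input shape and sample
list are constructed; rules are a summary, not the complete CMVP suite list.
"""
import re

# Protocol versions the article says to disable outright.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Algorithm tokens that make a suite unacceptable wherever they appear
# ("DES" also catches 3DES).
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")

# TLS 1.2: (EC)DHE key exchange, RSA/ECDSA authentication, AES-GCM, SHA-2,
# i.e. the shape of TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
TLS12_APPROVED = re.compile(
    r"^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$")

# TLS 1.3: only the AES-GCM suites are FIPS-approved (SP 800-52r2).
TLS13_APPROVED = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}


def classify_suite(protocol, suite):
    """Return (acceptable, reason) for one offered protocol/suite pair."""
    if protocol in DEPRECATED_PROTOCOLS:
        return False, f"{protocol} must be disabled"
    weak = [t for t in WEAK_TOKENS if t in suite]
    if weak:
        return False, f"weak algorithm {weak[0]} in {suite}"
    if protocol == "TLSv1.3":
        if suite in TLS13_APPROVED:
            return True, "TLS 1.3 AES-GCM suite"
        return False, f"{suite} is not a FIPS-approved TLS 1.3 suite"
    if protocol == "TLSv1.2":
        if TLS12_APPROVED.match(suite):
            return True, "TLS 1.2 (EC)DHE AES-GCM suite"
        return False, f"{suite}: TLS 1.2 suites need ECDHE/DHE key exchange and AES-GCM"
    return False, f"unrecognised protocol {protocol}"


def audit(offered):
    """Split an offered list into findings (to fix) and accepted pairs."""
    findings, accepted = [], []
    for protocol, suite in offered:
        ok, reason = classify_suite(protocol, suite)
        (accepted if ok else findings).append((protocol, suite, reason))
    return findings, accepted


# Constructed sample of what a scan of a CUI-facing server might report.
SAMPLE_OFFERED = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.2", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLSv1.1", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1", "TLS_RSA_WITH_RC4_128_SHA"),
]

if __name__ == "__main__":
    findings, accepted = audit(SAMPLE_OFFERED)
    for protocol, suite, reason in findings:
        print(f"FINDING  {protocol:8} {suite}: {reason}")
    for protocol, suite, reason in accepted:
        print(f"ok       {protocol:8} {suite}: {reason}")
```

The sample run leaves exactly the two AES-GCM suites accepted; everything else is a finding to fix in the server's TLS configuration before an assessor scans it.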
Common Mistakes in CUI Data Security
Mistake 1: Encryption that isn't FIPS-validated. VeraCrypt, for example, is excellent encryption software — but it's not FIPS-validated. For removable media protecting CUI off-site, you need a FIPS-validated implementation. BitLocker To Go with FIPS mode enabled on Windows, or hardware-encrypted drives with FIPS 140-2/140-3 validation, are the right choices. Vendors like Kingston (IronKey) and Apricorn make hardware-encrypted drives with FIPS validation certificates.
Mistake 2: Forgetting that backups are CUI. Backup tapes in an unlocked data center cabinet, backup files synced to an employee's personal cloud account, restore disks stored in someone's desk drawer — all of these are CUI media without controls. When you scope your CUI environment, trace the backups. Wherever they go, controls go with them.
Mistake 3: Drive disposal without documentation. A hard drive pulled from a decommissioned workstation and placed in storage "until we figure out what to do with it" is an open finding. Have a documented process: when hardware is decommissioned, it goes directly to sanitization (internal process with a NIST 800-88 compliant tool and log) or to a contracted destruction service with a certificate. Keep those certificates. Your assessor will ask for them.
Mistake 4: Overwriting SSDs and calling it sanitization. Solid-state drives don't sanitize the same way spinning disks do. Overwriting an SSD may not reach all the storage cells due to wear leveling and over-provisioning. Cryptographic erase is the correct method — if the drive supports Sanitize or ATA Secure Erase with TCG-compliant encryption, use that. If not, physical destruction is the safe choice.
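The media controls above (sanitization under MP.L2-3.8.3, custody tracking under MP.L2-3.8.5, marking under MP.L2-3.8.4) and Mistakes 3 and 4 all come down to records you can check mechanically. The following is an added example, not code from the original article: a validator over a constructed media inventory and chain-of-custody log. The record format is an assumption; the method rules encode the article's SP 800-88r1 summary, including that an overwrite-style Clear is not a valid method for SSDs.

```python
"""Validate a CUI media inventory and custody log against the expectations
in the article: every item marked (MP.L2-3.8.4), every item with a known
custodian and no open hand-off (MP.L2-3.8.5), and every item leaving control
sanitized by a method that fits its media type, with a record to show for it
(MP.L2-3.8.3, Mistakes 3 and 4).

Added example, not code from the original article. Inventory, log and the
record format are constructed; rules follow the article's SP 800-88r1 summary.
"""

# Methods per SP 800-88r1 category as summarised in the article.
CLEAR_METHODS = {"overwrite"}
PURGE_METHODS = {"crypto_erase", "degauss"}
DESTROY_METHODS = {"shred", "disintegrate", "melt"}

# Constructed inventory: media id -> attributes.
MEDIA = {
    "HDD-0412": {"type": "hdd", "marked": True},
    "SSD-0093": {"type": "ssd", "marked": True},
    "USB-0017": {"type": "usb", "marked": False},
    "TAPE-0301": {"type": "tape", "marked": True},
}

# Constructed custody log, oldest first. A "transfer" opens a hand-off that a
# later "receive" must close; "sanitize"/"destroy" end the item's lifecycle.
LOG = [
    {"id": "HDD-0412", "action": "issue", "custodian": "j.doe", "location": "Lab 2"},
    {"id": "HDD-0412", "action": "sanitize", "custodian": "it-ops", "location": "IT store",
     "method": "overwrite", "destination": "internal", "record": "SAN-2024-017"},
    {"id": "SSD-0093", "action": "issue", "custodian": "a.lee", "location": "Eng 1"},
    {"id": "SSD-0093", "action": "sanitize", "custodian": "it-ops", "location": "IT store",
     "method": "overwrite", "destination": "disposal", "record": "SAN-2024-018"},
    {"id": "TAPE-0301", "action": "issue", "custodian": "backup-svc", "location": "DC vault"},
    {"id": "TAPE-0301", "action": "transfer", "custodian": "courier", "location": "in transit"},
]


def sanitization_finding(media_type, event):
    """Return a finding string if a sanitize/destroy event is not acceptable, else None."""
    method = event.get("method")
    destination = event.get("destination", "disposal")
    if not event.get("record"):
        return "no sanitization record or certificate reference"
    if method in DESTROY_METHODS:
        return None
    if method in CLEAR_METHODS:
        if media_type == "ssd":
            return "overwrite is not reliable on SSDs (wear leveling); use crypto erase or destroy"
        if destination != "internal":
            return "Clear is only acceptable for reuse inside the organization; Purge required"
        return None
    if method in PURGE_METHODS:
        if media_type == "ssd" and method != "crypto_erase":
            return "SSD purge must be cryptographic erase"
        return None
    return f"unknown sanitization method {method!r}"


def review(media, log):
    """Return {media_id: [findings]} for every item with at least one finding."""
    findings = {}
    for mid, attrs in media.items():
        items = []
        if not attrs["marked"]:
            items.append("no CUI marking on media (MP.L2-3.8.4)")
        events = [e for e in log if e["id"] == mid]
        if not events:
            items.append("no custody record: location and custodian unknown (MP.L2-3.8.5)")
        else:
            last = events[-1]
            if last["action"] == "transfer":
                items.append(f"hand-off to {last['custodian']} never receipted (MP.L2-3.8.5)")
            if last["action"] in ("sanitize", "destroy"):
                problem = sanitization_finding(attrs["type"], last)
                if problem:
                    items.append(f"{problem} (MP.L2-3.8.3)")
        if items:
            findings[mid] = items
    return findings


if __name__ == "__main__":
    for mid, items in review(MEDIA, LOG).items():
        for item in items:
            print(f"{mid}: {item}")
```

On the sample data the HDD passes (overwrite, internal reuse, record present), the SSD is flagged for overwrite, the unmarked USB stick has no custody record at all, and the tape is stuck in an unreceipted hand-off: the four situations an assessor probes in this domain.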
What Your Assessor Expects
For the MP domain, assessors will:
- Ask to see your media sanitization policy and records
- Check whether USB port restrictions are in place on CUI systems
- Review your media tracking log or inventory
- Request evidence that backup media is protected appropriately
For SC.L2-3.13.8 (encryption at rest), they'll:
- Ask which systems store CUI and verify encryption is enabled on each
- Request the FIPS validation certificate or CMVP certificate number for the encryption module in use
- Check that FIPS mode is enabled, not just that encryption is present
For SC.L2-3.13.11 (encryption in transit), they'll:
- Test TLS configuration on CUI-facing servers (they may use tools like testssl.sh or Qualys SSL Labs)
- Verify VPN configuration uses FIPS-validated algorithms
- Look for any unencrypted protocols in network traffic or configs
The evidence package for this domain typically includes: encryption policy, screenshot of BitLocker/FileVault status on workstations and servers, TLS configuration screenshots, media inventory log, sanitization records with dates and certificates, and USB restriction policy with GPO or MDM screenshots showing enforcement.
---
If you store CUI in the cloud, the specific rules for cloud encryption are covered in Encrypting CUI in Cloud Storage: What the Rules Require.