Printing Problems for your CMMC Assessment

Does your company really need to print? Read on to understand just how significant this seemingly simple decision can be for your CMMC certification.

If there is a single word that causes CMMC assessors the most anxiety, it would be “printing.” Under CMMC (specifically Level 2), all CUI - whether digital or physical - must be strictly protected, making printers, copiers, and the paper they produce significant sources of compliance risk. Therefore, printing CUI opens up substantial physical and digital vulnerabilities that would otherwise not be a focus of your CMMC assessment.

“Ok, but is CMMC concerned about physical security?”

In a largely digital world, the use of paper media can seem insubstantial, but the very nature of paper-based CUI opens up considerable risks to your physical environment. This is because paper media requires stringent physical safeguards.

An immediate, and costly, requirement for allowing in-scope CUI printing is the need to physically control where and by whom printers are to be used. Printers must be in a secured area, and paper documents must be securely stored when not in use. Both of these requirements come with the cost of dedicated CUI storage locations and physical protection requirements, such as an approved and monitored locking system.

An additional, and often misunderstood, control is how you handle the printed CUI materials. You have to know who is responsible for the printed material from the start, and be able to track that paper all the way through to secure destruction. If you remove the paper from the secure area and pass it around to construction crews, for example, you have to make sure the individuals you share it with are authorized for CUI. Not only must they be authorized for CUI, but the individual responsible for that printed material must either stay with that CUI at all times or have a way of tracking the chain of custody of those documents to make sure they don’t just walk off a job site.

“So I only have to worry about printed CUI if I am removing it from my office?”

Not necessarily. In the previous example, where CUI is taken out of the controlled office environment and onto a job site, it’s obvious that the CUI is not in a controlled space and needs to be protected in accordance with Media Protection requirements. In an office, it can be more challenging, and it depends entirely on how you have defined your scope. If your entire company is authorized for CUI, it’s a little less challenging because your entire office, and every employee in it, can be in scope. The controls at the perimeter of the office are used for PE (Physical Protection), and every employee will need to have completed the AT (Awareness and Training) and PS (Personnel Security) requirements. If you are in a blended environment, where you have individuals who do not need to work with CUI sitting alongside individuals who do, your scope just became a lot trickier.

In the blended environment scenario, unattended CUI documents pose a considerable risk, even if the individuals using the CUI are authorized to do so. If you limit your scope to a printer room with a subset of authorized users, that certainly makes PE, and therefore AT and PS, easier. But the second paper leaves that printer room, your office is just like the external job site - the paper has left a controlled area, and it cannot leave the authorized holder’s custody unless it is securely stored and inaccessible when not in use. Your employee can’t be working on CUI at their desk and get up to use the restroom; they can’t even just put the CUI in their desk drawer and walk away - not unless that drawer locks. They also can’t just print CUI and walk out of the room with it. There now needs to be a way to track what CUI was printed to ensure it returns to the secure storage space or printer room for destruction when no longer needed. All of these can impede business processes, and they are also very likely scenarios for spillage.

A final consideration is what happens to paper media once it is no longer needed. As part of CMMC compliance, destruction of paper media must be completed and tracked through the CUI’s lifecycle. This destruction has strict requirements (i.e., cross-cut shredding) and must be carefully maintained to ensure evidence of destruction is obtained. If evidence of destruction cannot be produced within an assessment, CMMC requirements are not met and your assessment success will be put at risk.

“Ok, got it, sounds easy - anything else?”

Not so fast, my friend. The risk of paper-based CUI does not stop at physical controls; logical security must also be considered if printing is enabled within your environment. In particular, unencrypted print jobs pose substantial risk, as many printers communicate over the network in plaintext. CMMC requires secure and encrypted communications between computers and printers to meet basic assessment requirements.

Another consideration is the widening of your network scope by including printing. If a computer sends CUI to a printer, that printer and, very likely, the network segment that houses the printer immediately come into scope for the CMMC assessment, which only raises expected assessment costs. One possible solution is to connect printers locally via USB to keep them off the network, or to place them on logically segmented VLANs so that your entire network does not come into scope; but either approach must be configured correctly and adequately explained and demonstrated live in an assessment, which inherently poses risk.

“What should I do if I need to be able to review CUI outside of the controlled space?”

You have choices here - and it all comes down to a business decision. If you truly need paper, it is still possible to properly control it and scope your environment. You just need to be careful about where you draw your boundary and what the implications are for authorizing additional employees through your training and screening processes, or for chain of custody and document tracking. Alternatively, you can keep everything digital, but portable. Tablets, e-readers, and iPads are effective ways to transport CUI and show it to those who have a need to know outside of controlled areas without bringing PE into scope. Those devices may be more expensive up front than printing, but the ability to manage, configure, and remotely wipe those devices if they are lost or stolen significantly reduces the risk and associated cost of a data spillage incident.

“Where can I get more information?”

As with anything in the CMMC ecosystem, there are gray areas. Luckily, Hive Systems is available to assist in navigating these uncertain requirements and find a solution for your unique needs. If you have any questions or concerns, let our experts find a solution for you! Contact us today.
