Part 8 of CampusGuard’s series covering each of the critical controls from NIST SP 800-171 rev.2
When information is stored, transmitted, or handled through many different channels and devices (i.e. paper files, applications, portable flash drives, etc.), without a formal process in place, it can be difficult to successfully track and protect it all. Requirement 3.8 of the NIST SP 800-171 outlines requirements for media protection and clearly defining within your organization what devices are allowed to store information, who is authorized to access and share media, and what methods are approved for media destruction.
The Basic Security Requirements include:
3.8.1 Protect (i.e. physically control and securely store) system media containing CUI, both paper and digital.
Media includes both electronic (digital) and non-electronic media. Electronic media includes, for example, diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-electronic media includes paper and microfilm.
Physically controlling media means you are accurately conducting and maintaining an inventory of all media, documenting accountability for stored media, and ensuring procedures are in place to allow individuals to “check out” media, with proper chain of custody controls in place. You must also maintain a log of any media removed from protected systems or areas so you know who has it and where the media is located at all times.
Any media containing CUI must be securely stored in a restricted and protected area. For paperbased information, this can refer to a physical locked drawer, cabinet, or office. For electronic media, this refers to a secure server with the proper technical controls deployed. One thing to consider is that any information stored solely on media or devices that are vulnerable to degradation over time should be transferred to fresh media prior to the media’s life expectancy.
The storage of sensitive data on anything other than approved media should be prohibited. This is especially important as considering the current environment with many staff members transferring data to portable devices to take information home, accessing information on personal laptops, and forwarding information via email to external accounts.
3.8.2 Limit access to CUI on system media to authorized users.
Access to CUI must be restricted to authorized users, requiring keys or key cards for physical storage areas, and two-factor authentication for any computer systems. Ensure the proper authorization controls are in place for all organizational systems containing CUI and enforce access controls through documented workflows and access control policies. Typically, you will want to manage all CUI systems under least access rules, which restrict the availability of information a user can access on organizational systems to the least privilege necessary.
3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.
This requirement applies to all system media, digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include: digital media found in scanners, copiers, printers, laptops, workstations, network components, and mobile devices.
Any media that has passed the storage date requirements must be properly destroyed or sanitized. The sanitization process must remove information from the media such that the information cannot be retrieved or reconstructed if the media is released for reuse or disposal. Sanitization techniques include clearing or purging CUI from documents, redaction that is equivalent to removal, cryptographic erase, and destruction.
Clearly outline your recommendations and approved methods for media sanitization within your policies, and maintain records of media that have been sanitized or destroyed.
The Derived Security Requirements include:
3.8.4 Mark media with necessary CUI markings and distribution limitations.
Follow the CUI marking guidelines for any documents that contain CUI. This guidance outlines banner headings for documents, container markings, fax cover sheets, etc.
Typically, information that is considered “public” will not require CUI markings; for all other information you will want to have a list of security characteristics that define media as CUI.
3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Controlled areas are those areas or locations that have physical or procedural safeguards to meet the requirements established for protecting systems and information. If CUI is transported outside of a controlled area, only authorized personnel should be allowed to transport or share the information. All media removed should be logged and accounted for
during transport both out of and back into the controlled area.
3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Safeguards to maintain accountability for media during transport include locked containers and encryption. Ensure than any CUI stored on digital media is encrypted using industry accepted methods. For the actual transport, restrict transport activities to authorized personnel and maintain records of all activities to prevent and detect loss or tampering. Shipped media should be sent by a tracked carrier with a recipient signature required. If you are encrypting electronic media, the encryption key should only be released once the package and confirmation signature have been received.
3.8.7 Control the use of removable media on system components.
This requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards to control the use of system media. Removable media should only be allowed if there is a process in place to control the use. For example, organizations may prohibit access to external ports, or disable or remove the ability to insert, read, or write to external devices.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
Only approved devices with known and identifiable authorized users should be permitted to access your systems, store data, or transport data. This reduces the risk of using such devices by ensuring organizations can assign responsibility and accountability for addressing any known vulnerabilities in the device. It is also important to scan all portable storage devices for malware before they are connected to the organizational network.
3.8.9 Protect the confidentiality of backup CUI at storage locations.
Organizations should ensure backups of CUI data are encrypted before removing media from a controlled/protected area. Ensure any storage facilities for backup information are protected and protect the integrity of all system backups through the use of digital signatures and cryptographic hashes.
Media protection is critical to ensure access to sensitive information is restricted, but also to ensure media is available as needed to all authorized users. Your organization should have a formal, documented media protection policy in place that addresses purpose, scope, roles, and responsibilities, as well as documented procedures to facilitate the implementation of the policy. Effective media protection prevents unwanted disclosures of information and costly data breaches.
Additional guidance from our Security Advisor team below:
[Gilmore]: Effective media management starts first with a justification of need. Many processes exist because “we have always done it that way.” This usually means that no one has taken the time to re-evaluate the processes to ensure that the procedure is still needed. Take the time to assess whether the disk, tapes, or especially paper are still needed. Economization of work processes often reduce the number of steps taken to complete a task and may also remove the need for media to transport sensitive information.
If there is a justification of disk, tapes, paper, or any other portable media, proper inventory of these devices must be in place. Any loss of these, when carrying sensitive data, should kick off your incident response plan immediately. Incorporating encryption on portable media (and devices such as tablets and laptops) is key to lowering the likelihood of having to declare a data breach. Again, only implement these risky processes if the business need exists. If using portable media can be avoided, do so.
