- Ignyte CMMC Specialist
NIST 800-171 | MEDIA PROTECTION
What is considered "Media" in the context of NIST 800-171?
Media is physical & digital. Some examples of physical media are:
Books
Printed materials
Magazines
Backup Tapes
Hard drives (portable devices)
Thumb drives (portable devices)
Laptops (portable devices)
Phones (portable devices)
Digital Media:
Files
Folders
Anything on the computer or the internet
Physical protection of these resources is normally done through an inventory management system where equipment is tagged with a bar code and properly accounted for every year.
For digital protection, encryption is the most common way to protect media. When using cryptography to protect CUI, be sure to use FIPS-validated cryptography, as required by the System and Communications Protection family.
Eliminating thumb drives is extremely difficult in a small business. There are several tools on the market to address this problem.
Family Name: Media Protection
3.8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
System media includes digital and non-digital media.
Digital media includes:
Diskettes
Magnetic Tapes
External and removable hard disk drives
Flash drives
Compact disks
Digital video disks.
Non-digital media includes:
Paper
Microfilm
Physically controlling system media includes:
Conducting inventories
Maintaining accountability for stored media
Ensuring procedures are in place to allow individuals to check out and return media to the media library.
Secure storage includes:
Locked drawer, desk, or cabinet
Controlled media library
NIST Special Publication 800-111 provides guidance on storage encryption technologies for end user devices.
3.8.2 Limit access to CUI on information system media to authorized users.
3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.
This requirement applies to all system media, digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable.
The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed.
Sanitization techniques:
Clearing
Purging
Cryptographic erase
Destruction
Sanitization prevents the disclosure of information to unauthorized individuals when such media is released for reuse or disposal.
Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to media requiring sanitization.
NARA policy and guidance control the sanitization process for controlled unclassified information.
See NARA Sanitization Policy and Guidance.
NIST Special Publication 800-88 provides guidance on media sanitization.
3.8.4 Mark media with necessary CUI markings and distribution limitations.
The term security marking refers to the application or use of human-readable security attributes.
Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations.
3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Controlled areas are areas or spaces for which organizations provide sufficient physical or procedural safeguards to meet the requirements established for protecting systems and information.
Safeguards to protect media during transport include:
Locked containers
Cryptography
Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used.
Maintaining accountability of media during transport includes:
Restricting transport activities to authorized personnel
Tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.
3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
This requirement applies to portable storage devices and mobile devices with storage capability.
NIST Special Publication 800-111 provides guidance on storage encryption technologies for end user devices.
See NIST Cryptographic Standards.
3.8.7 Control the use of removable media on information system components.
This requirement limits the use of certain types of media on systems, for example by restricting or prohibiting the use of flash drives or external hard disk drives.
Organizations can employ technical and nontechnical safeguards (policies, procedures, rules of behavior) to control the use of system media.
Organizations may also limit the use of portable storage devices to only approved devices, including:
Devices provided by the organization
Devices provided by other approved organizations
Devices that are not personally owned.
Finally, organizations may control the use of portable storage devices based on the type of device:
Prohibiting the use of writeable, portable storage devices
Implementing this restriction by disabling or removing the capability to write to such devices.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
Requiring identifiable owners for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices.
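As an added example (not from this page and not Ignyte's own tooling), the following PowerShell audit supports 3.8.7 and 3.8.8 on a Windows workstation: it reports whether the removable-storage write-protect policy is enforced (and can enforce it), and flags any attached USB disk whose serial number is not on an organization-maintained approved-device list. The list path and its one-serial-per-line format are assumptions for the illustration.

```powershell
# Audit (and optionally enforce) removable-media controls for 3.8.7 / 3.8.8.
# Assumptions: the approved-device list lives at $ApprovedListPath, one serial per line.
$ApprovedListPath = 'C:\CUI\approved-usb-serials.txt'   # assumed location
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-RemovableWriteProtect {
    # WriteProtect = 1 makes Windows refuse writes to USB mass-storage devices
    # (3.8.7: "disabling or removing the capability to write to such devices").
    $v = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.WriteProtect -eq 1)
}

function Set-RemovableWriteProtect {
    # Requires an elevated session; creates the policy key if it does not exist yet.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name WriteProtect -Value 1 -Type DWord
}

function Get-UsbDiskOwnership {
    # Compare each attached USB disk's serial against the approved list.
    # A serial that is not on the list has no identifiable owner (3.8.8).
    $approved = @()
    if (Test-Path $ApprovedListPath) {
        $approved = Get-Content $ApprovedListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            $serial = ([string]$_.SerialNumber).Trim()
            [PSCustomObject]@{
                Model  = $_.Model
                Serial = $serial
                Status = if ($approved -contains $serial) { 'APPROVED' } else { 'UNAPPROVED - no identifiable owner' }
            }
        }
}

# Report the current state; uncomment Set-RemovableWriteProtect to enforce the policy.
if (Get-RemovableWriteProtect) {
    Write-Output 'Removable storage write-protect: ENFORCED'
} else {
    Write-Output 'Removable storage write-protect: NOT enforced (WriteProtect=1 blocks writes)'
    # Set-RemovableWriteProtect
}
Get-UsbDiskOwnership | Format-Table -AutoSize
```

Unapproved devices listed by this audit are the ones 3.8.8 says to prohibit; the write-protect setting takes effect for devices connected after it is applied.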
3.8.9 Protect the confidentiality of backup CUI at storage locations.
Backed-up information containing CUI may include system-level information and user-level information.
System-level information includes:
System-state information
Operating system software
Application software
Licenses.
User-level information includes information other than system-level information.
Organizations can employ cryptographic mechanisms or alternative physical safeguards to protect the confidentiality of backup information at designated storage locations.