• Ignyte CMMC Specialist


What is considered "Media" in the context of NIST 800-171?

Media can be physical or digital. Some examples of physical media are:

  • Books

  • Printed materials

  • Magazines

  • Backup Tapes

  • Hard drives (portable devices)

  • Thumb drives (portable devices)

  • Laptops (portable devices)

  • Phones (portable devices)

Digital Media:

  • Files

  • Folders

  • Anything on the computer or the internet

Physical protection of these resources is normally done through an inventory management system where equipment is tagged with a bar code and properly accounted for every year.

For digital protection, cryptography is the most common way to protect media. When using cryptography for CUI, be sure to use FIPS-validated encryption, as stated in the communication protection family.

Thumb drives are extremely difficult to get rid of within a small business. There are several tools on the market to address this problem.

Family Name: Media Protection

3.8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.

System media includes digital and non-digital media.

Digital media includes:

  • Diskettes

  • Magnetic Tapes

  • External and removable hard disk drives

  • Flash drives

  • Compact disks

  • Digital video disks.

Non-digital media includes:

  • Paper

  • Microfilm

Physically controlling system media includes:

  • Conducting inventories

  • Maintaining accountability for stored media

  • Ensuring procedures are in place to allow individuals to check out and return media to the media library.

Secure storage includes:

  • Locked drawer, desk, or cabinet

  • Controlled media library

NIST Special Publication 800-111 provides guidance on storage encryption technologies for end user devices.

3.8.2 Limit access to CUI on information system media to authorized users.

3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.

This requirement applies to all system media, digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable.

The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed.

Sanitization techniques:

  • Clearing

  • Purging

  • Cryptographic erase

  • Destruction

These techniques prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal.

Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to media requiring sanitization.

NARA policy and guidance control the sanitization process for controlled unclassified information.

See NARA Sanitization Policy and Guidance.

NIST Special Publication 800-88 provides guidance on media sanitization.

3.8.4 Mark media with necessary CUI markings and distribution limitations.

The term security marking refers to the application or use of human-readable security attributes.

Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations.

See NARA Marking Handbook.

3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Controlled areas are areas or spaces for which organizations provide sufficient physical or procedural safeguards to meet the requirements established for protecting systems and information.

Safeguards to protect media during transport include:

  • Locked containers

  • Cryptography

Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used.

Maintaining accountability of media during transport includes:

  • Restricting transport activities to authorized personnel

  • Tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.
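One way to keep the explicit transport records that 3.8.5 describes, shown as an added example that is not part of the original page: each custody change records the holder and a SHA-256 digest of the encrypted container, and records are chained with an HMAC so edits, removals, unauthorized holders, and content changes are detected. The record layout, key handling, names, and media ID are assumptions made for this sketch.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret held by the media custodian
AUTHORIZED = {"a.lopez", "courier-17", "b.singh"}  # constructed personnel list

def digest(container: bytes) -> str:
    """SHA-256 of the encrypted container, recorded at every custody change."""
    return hashlib.sha256(container).hexdigest()

def _mac(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def add_record(log, media_id, holder, action, container, when):
    """Append a custody record chained to the previous record's MAC."""
    body = {"media_id": media_id, "holder": holder, "action": action,
            "digest": digest(container), "when": when,
            "prev": log[-1]["mac"] if log else ""}
    log.append({**body, "mac": _mac(body)})

def verify(log):
    """Return a list of problems; an empty list means the record is intact."""
    problems, prev = [], ""
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(body)):
            problems.append(f"record {i}: entry altered or out of sequence")
        if rec["holder"] not in AUTHORIZED:
            problems.append(f"record {i}: holder {rec['holder']} not authorized")
        if rec["digest"] != log[0]["digest"]:
            problems.append(f"record {i}: container changed since dispatch")
        prev = rec["mac"]
    return problems

def sample_log(received: bytes = b"encrypted-container-bytes"):
    """Constructed three-step transfer: dispatch, courier pickup, receipt."""
    log, sent = [], b"encrypted-container-bytes"
    add_record(log, "TAPE-0042", "a.lopez", "dispatch", sent, "2024-03-01T09:00Z")
    add_record(log, "TAPE-0042", "courier-17", "pickup", sent, "2024-03-01T09:30Z")
    add_record(log, "TAPE-0042", "b.singh", "receipt", received, "2024-03-01T15:10Z")
    return log

if __name__ == "__main__":
    print(verify(sample_log()))                    # intact transfer
    print(verify(sample_log(b"different-bytes")))  # content changed in transit
```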

3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

This requirement applies to portable storage devices and mobile devices with storage capability.

NIST Special Publication 800-111 provides guidance on storage encryption technologies for end user devices.

See NIST Cryptographic Standards.

3.8.7 Control the use of removable media on information system components.

This requirement restricts the use of certain types of media on systems by restricting or prohibiting the use of flash drives or external hard disk drives.

Organizations can employ technical and nontechnical safeguards (policies, procedures, rules of behavior) to control the use of system media.

Organizations may also limit the use of portable storage devices to only approved devices, including:

  • Devices provided by the organization

  • Devices provided by other approved organizations

  • Devices that are not personally owned.

Finally, organizations may control the use of portable storage devices based on the type of device:

  • Prohibiting the use of writeable, portable storage devices

  • Implementing this restriction by disabling or removing the capability to write to such devices.

3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.

Requiring identifiable owners for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices.
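The checks in 3.8.7 and 3.8.8 can be audited by comparing device-connection events against the tagged inventory, as in this added example (not part of the original page). The inventory fields, event format, serial numbers, and host names are constructed assumptions; real events would come from an endpoint agent or OS log.

```python
from dataclasses import dataclass
from typing import Optional

APPROVED_SOURCES = {"organization", "approved-partner"}  # 3.8.7 approved providers

@dataclass(frozen=True)
class Device:
    owner: Optional[str]  # accountable individual; None = no identifiable owner
    source: str           # who issued the device; "personal" = personally owned
    write_allowed: bool   # False when policy permits read-only use only

# Constructed inventory keyed by normalized serial number.
INVENTORY = {
    "AA11BB22": Device("j.rivera", "organization", True),
    "CC33DD44": Device("m.chen", "approved-partner", False),
    "EE55FF66": Device(None, "organization", True),
    "1122AABB": Device("t.okoye", "personal", True),
}

# Constructed connection events; serials may arrive in mixed case or padded.
EVENTS = [
    {"host": "ws-014", "serial": "aa11bb22 ", "mode": "rw"},
    {"host": "ws-014", "serial": "CC33DD44", "mode": "rw"},
    {"host": "ws-022", "serial": "EE55FF66", "mode": "ro"},
    {"host": "ws-031", "serial": "1122AABB", "mode": "ro"},
    {"host": "ws-031", "serial": "99990000", "mode": "rw"},
]

def violations(event, inventory=INVENTORY):
    """Return the list of policy violations for one connection event."""
    device = inventory.get(event["serial"].strip().upper())
    if device is None:  # untracked device: nobody is accountable for it
        return ["3.8.8 device not in inventory, no identifiable owner"]
    found = []
    if not device.owner:
        found.append("3.8.8 no identifiable owner")
    if device.source not in APPROVED_SOURCES:
        found.append("3.8.7 device source not approved: " + device.source)
    if event["mode"] == "rw" and not device.write_allowed:
        found.append("3.8.7 write access to read-only device")
    return found

def audit(events, inventory=INVENTORY):
    """Return {(host, serial): violations} for non-compliant events only."""
    checked = ((e, violations(e, inventory)) for e in events)
    return {(e["host"], e["serial"].strip().upper()): v for e, v in checked if v}

if __name__ == "__main__":
    print(audit(EVENTS))
```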

3.8.9 Protect the confidentiality of backup CUI at storage locations.

Backed-up information containing CUI may include system-level information and user-level information.

System-level information includes:

  • System-state information

  • Operating system software

  • Application software

  • Licenses.

User-level information includes information other than system-level information.

Organizations can employ cryptographic mechanisms or alternative physical safeguards to protect the confidentiality of backup information at designated storage locations.
