Skip to Content

NIST 800-171 - Media Use (3.8.7)

175  Matthew Burdick September 26, 2022  Media Protection

Overview:
Control the use of removable media on information system components.


Action Items:
3.8.7[a]
Determine if: the use of removable media on system components is controlled.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1
Examine: System media protection policy; system use policy; procedures addressing media usage restrictions; system security plan; rules of behavior; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].


2
Interview: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators].


3
Test: Organizational processes for media use; mechanisms restricting or prohibiting use of system media on systems or system components].


Related Documents (document name and content will vary by organization):
1) System media protection policy
2) system use policy
3) procedures addressing media usage restrictions
4) system security plan
5) rules of behavior
6) system design documentation
7) system configuration settings and associated documentation
8) system audit logs and records
9) other relevant documents or records


Additional Guidance:
System media includes digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external or removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm.


This requirement also applies to mobile devices with information storage capability (e.g., smart phones, tablets, and ereaders). In contrast to 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned.


Finally, organizations may control the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.
Not Rated
Secure Code