Overview:
Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
Action Items:
3.8.1[a]
Determine if: paper media containing CUI is physically controlled.
3.8.1[b]
Determine if: digital media containing CUI is physically controlled.
3.8.1[c]
Determine if: paper media containing CUI is securely stored.
3.8.1[d]
Determine if: digital media containing CUI is securely stored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: System media protection policy; procedures addressing media storage; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; system security plan; media storage facilities; access control records; other relevant documents or records].
2
Interview: Personnel with system media protection responsibilities; personnel with information security responsibilities; system or network administrators].
3
Test: Organizational processes for restricting information media; mechanisms supporting or implementing media access restrictions].
Related Documents (document name and content will vary by organization):
1) System media protection policy
2) procedures addressing media storage
3) procedures addressing media access restrictions
4) access control policy and procedures
5) physical and environmental protection policy and procedures
6) system security plan
7) media storage facilities
8) access control records
9) other relevant documents or records
Additional Guidance:
System media includes digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Protecting digital media includes, for example, limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes, for example, conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library.
Access to CUI on system media can be limited by physically controlling such media, which includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. NIST Special Publication 800-111 provides guidance on storage encryption technologies for end user devices.
Article ID: 169
Created: September 26, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-media-storage-3-8-1-169.html