NIST 800-171 - Physical Media Transfer (3.8.5)


Overview:
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.


Action Items:
3.8.5[a]
Determine if: access to media containing CUI is controlled.


3.8.5[b]
Determine if: accountability for media containing CUI is maintained during transport outside of controlled areas.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; system security plan; system media; designated controlled areas; other relevant documents or records.


2) Interview: Personnel with system media protection and storage responsibilities; personnel with information security responsibilities; system or network administrators.


3) Test: Organizational processes for storing media; mechanisms supporting or implementing media storage and media protection.


Related Documents (document name and content will vary by organization):
1) System media protection policy
2) procedures addressing media storage
3) physical and environmental protection policy and procedures
4) access control policy and procedures
5) system security plan
6) system media
7) designated controlled areas
8) other relevant documents or records


Additional Guidance:
System media includes digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external or removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Controlled areas are areas or spaces for which organizations provide sufficient physical or procedural safeguards to meet the requirements established for protecting systems and information.


Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization. Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.


Organizations establish documentation requirements for activities associated with the transport of system media based on their risk assessments. This includes the flexibility to define different record-keeping methods for different types of media transport (for example, a signed hand-receipt for an in-house courier versus a tracked shipment for an external carrier) as part of an overall system of transport-related records.
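The guidance above names two mechanisms, cryptography for integrity and explicit transport records for accountability, without showing how they fit together. The following Python script is an added example, not part of the original article or of the NIST text, that does both for digital media: it builds a SHA-256 manifest of every file on a media volume when the media is released for transport, seals that manifest together with the custody details (media ID, releasing person, courier, timestamp) under an HMAC, and re-verifies both the record and the media contents on receipt, reporting modified, missing or unexpected files. The shared HMAC key, the media ID, the personnel and courier names, and the file contents are all constructed for the example; the key is assumed to be provisioned to sender and receiver separately from the media, since a key that travels with the media proves nothing.

```python
"""Chain-of-custody manifest for digital media in transit (added example, constructed data)."""
import datetime
import hashlib
import hmac
import json
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def canonical(obj):
    """Deterministic JSON encoding so the HMAC covers the same bytes on both ends."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record, key):
    """Attach an HMAC-SHA256 tag over the custody record (integrity and origin, not confidentiality)."""
    unsigned = {k: v for k, v in record.items() if k != "tag"}
    sealed = dict(unsigned)
    sealed["tag"] = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    return sealed


def verify_record(record, key):
    """True only if the tag matches; compare_digest avoids timing leaks on the comparison."""
    tag = record.get("tag")
    if tag is None:
        return False
    unsigned = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def release_for_transport(media_root, media_id, released_by, courier, key):
    """Custody record created at the point the media leaves the controlled area."""
    record = {
        "media_id": media_id,
        "event": "release",
        "released_by": released_by,
        "courier": courier,
        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "manifest": hash_tree(media_root),
    }
    return seal_record(record, key)


def receive_and_verify(media_root, record, key):
    """Return (ok, findings); ok is True only when the record is authentic and every file matches it."""
    if not verify_record(record, key):
        return False, ["custody record tag invalid (forged or altered record)"]
    expected, actual = record["manifest"], hash_tree(media_root)
    findings = []
    for path in sorted(set(expected) | set(actual)):
        if path not in actual:
            findings.append(f"missing: {path}")
        elif path not in expected:
            findings.append(f"unexpected: {path}")
        elif actual[path] != expected[path]:
            findings.append(f"modified: {path}")
    return not findings, findings


def demo():
    """Constructed scenario: clean delivery, tampered media, and a forged custody record."""
    key = b"custody-key-provisioned-out-of-band"  # assumption: never travels with the media
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.pdf"), "wb") as fh:
            fh.write(b"constructed sample content")
        os.mkdir(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "data.csv"), "wb") as fh:
            fh.write(b"a,b\n1,2\n")
        record = release_for_transport(root, "HDD-0042", "j.doe", "Example Courier", key)
        clean = receive_and_verify(root, record, key)
        # Simulate tampering in transit: one file altered, one removed, one added.
        with open(os.path.join(root, "report.pdf"), "ab") as fh:
            fh.write(b"!")
        os.remove(os.path.join(root, "sub", "data.csv"))
        with open(os.path.join(root, "extra.bin"), "wb") as fh:
            fh.write(b"x")
        tampered = receive_and_verify(root, record, key)
        # An attacker who rewrites the manifest to match the altered media still lacks the key.
        forged = dict(record)
        forged["manifest"] = hash_tree(root)
        forged_result = receive_and_verify(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for name, (ok, findings) in demo().items():
        print(name, "OK" if ok else "FAIL", findings)
```

The HMAC gives the receiving party assurance that the record was produced by someone holding the key and has not been altered since, which is what lets the manifest detect tampering rather than merely accidental corruption. It does nothing for confidentiality: if the media is lost, the contents are readable unless the media itself is encrypted (for example, full-disk or container encryption with the key held separately), which is the other cryptographic mechanism the guidance refers to. The custody record is the kind of explicit transport record the control asks for and can be appended to at each hand-off.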




Article ID: 173
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-physical-media-transfer-3-8-5-173.html