Media Protection

From Cooey Wiki

The Media Protection family in NIST 800-171 Rev 2 outlines the security controls necessary to protect Controlled Unclassified Information (CUI) that is stored on both digital and non-digital media. The goal is to ensure that media containing sensitive information is properly handled, stored, and disposed of to prevent unauthorized access, loss, or theft.

This family covers various forms of media, including physical storage devices like hard drives and USB drives, paper documents, and electronic storage media, and addresses how organizations should manage and protect these media throughout their lifecycle.

Key Media Protection Requirements in NIST 800-171 Rev 2:

The Media Protection family consists of seven security requirements, which focus on protecting media containing CUI during its storage, transportation, use, and disposal.

1. Protect System Media Containing CUI (3.8.1)

Basic Requirement: Organizations must protect both digital and non-digital media (e.g., USB drives, CDs, paper documents) that contain CUI, ensuring they are secure at all times.

Key Focus:

  • Implement physical and logical controls to protect media containing CUI.
  • Ensure that only authorized personnel can access media storing sensitive information.

Example: Storing USB drives containing CUI in a locked cabinet when not in use, or using encryption on external storage devices.

2. Limit Access to Media Containing CUI to Authorized Users (3.8.2)

Basic Requirement: Access to media containing CUI should be limited to individuals who are authorized to view or handle the information.

Key Focus:

  • Establish role-based access control to ensure that only individuals with a legitimate need can access media containing sensitive information.
  • Maintain strict oversight and documentation of who accesses or handles such media.

Example: Only allowing authorized employees with proper clearance to access paper files or removable storage devices that store CUI.

3. Sanitize or Destroy Media Containing CUI (3.8.3)

Basic Requirement: Media containing CUI must be sanitized (cleared of all sensitive data) or destroyed when it is no longer needed to ensure that sensitive information cannot be recovered.

Key Focus:

  • Implement approved methods for sanitizing media (e.g., degaussing, overwriting, or cryptographic erase) or physically destroying it (e.g., shredding, pulverizing) so that the data cannot be recovered.
  • Maintain records of the sanitization or destruction process to ensure accountability.

Example: Shredding paper documents containing CUI or using specialized software to overwrite data on a hard drive before disposal.

4. Mark Media Containing CUI (3.8.4)

Derived Requirement: Media containing CUI should be appropriately labeled to clearly identify that it contains sensitive information, helping to ensure proper handling and security.

Key Focus:

  • Label physical media such as CDs, USB drives, and paper documents with appropriate CUI markings.
  • Use the labeling to remind employees to handle the media with extra care and to follow the applicable security procedures.

Example: Applying "CUI" or similar labels to USB drives or CDs that contain sensitive information.

5. Control the Transport of Media Containing CUI (3.8.5)

Derived Requirement: Organizations must control the physical and digital transport of media containing CUI to prevent unauthorized access or exposure during transit.

Key Focus:

  • When physically transporting media (e.g., shipping hard drives or paper files), ensure that it is securely packaged and only trusted personnel are involved in the transportation.
  • For digital transport, use secure transfer methods such as encryption or VPNs to prevent data interception.

Example: Using encrypted email or secure file transfer services to send files containing CUI, or using a secure courier service to transport paper documents or hard drives.

6. Protect Media During Transport Outside of Controlled Areas (3.8.6)

Derived Requirement: Media containing CUI must be adequately protected when transported outside of controlled areas (i.e., secure environments) to prevent unauthorized access or loss.

Key Focus:

  • Implement additional security measures, such as encryption for digital media or using secure containers for physical transport, when CUI is moved outside of secure areas.
  • Ensure that transport is performed by authorized personnel and is documented to maintain accountability.

Example: Encrypting data on a USB drive when it is being transported outside the organization’s offices, or using a secure shipping service for transporting hard drives.

7. Implement Cryptographic Protection for CUI on Digital Media (3.8.7)

Derived Requirement: Organizations must use encryption to protect CUI that is stored on digital media when appropriate, ensuring that unauthorized individuals cannot access the data even if the media is lost or stolen.

Key Focus:

  • Implement encryption that meets federal standards (such as FIPS 140-2 validated modules) to protect sensitive information stored on digital devices like hard drives, USB drives, or cloud storage.

Example: Encrypting sensitive files on a laptop’s hard drive to ensure that CUI is protected if the device is lost or stolen.

Importance of Media Protection in Cybersecurity:

Prevents Data Leaks: By protecting both digital and physical media containing CUI, organizations reduce the risk of data breaches caused by media that is lost, stolen, or improperly disposed of.

Ensures Data Confidentiality: Limiting access to media containing sensitive information and implementing encryption ensures that only authorized personnel can access the data, thereby protecting confidentiality.

Compliance with Regulations: Media protection is essential for meeting requirements such as NIST 800-171, which require organizations to handle and store CUI securely. Non-compliance could result in penalties or the loss of government contracts.

Supports Secure Data Disposal: Proper sanitization and destruction of media ensure that sensitive information is not recoverable after it is no longer needed, reducing the risk of unauthorized disclosure.

Reduces Insider Threat Risks: Limiting access to media to only authorized personnel and implementing proper labeling and oversight helps minimize the risk of insider threats or accidental exposure of CUI.

Best Practices for Media Protection:

Implement Encryption for Digital Media: Always use encryption to protect sensitive information stored on digital media, such as hard drives, USB drives, and laptops. This ensures that even if the media is lost or stolen, the data remains protected.

Control Physical Access to Media: Store media containing CUI in locked cabinets or other secure storage locations when not in use. Only authorized personnel should have physical access to these storage areas.

Use Secure Transportation Methods: When transporting media, either digitally or physically, use secure methods like encryption, VPNs, or secure couriers to minimize the risk of interception or theft.

Establish a Media Disposal Policy: Develop a policy for the sanitization and destruction of media that is no longer needed. Use appropriate methods, such as shredding or degaussing, and document all destruction activities for accountability.

Train Employees on Media Handling: Provide training to employees on how to handle, label, and store media containing CUI. Emphasize the importance of securing media both in transit and at rest.

Regularly Review Access to Media: Periodically review who has access to media containing CUI and ensure that access is limited to individuals who have a legitimate need. Revoke access for personnel who no longer require it.

Summary:

The Media Protection family in NIST 800-171 Rev 2 emphasizes the secure handling, storage, transport, and disposal of media containing CUI. By limiting access to authorized individuals, using encryption, controlling transportation, and ensuring proper disposal, organizations can protect sensitive information from unauthorized access, theft, and exposure. These controls are essential for maintaining the confidentiality and integrity of CUI, preventing data breaches, and ensuring compliance with security regulations.