NIST SP 800-171 – Protecting Information on Digital and Non-Digital Media

March 20, 2024

As a government contractor, adherence to NIST SP 800-171 requirements is not just an option, but an essential mandate. Proactive preparation for compliance with these security requirements is crucial in order to avoid potential disruptions to your business operations. This blog is focused on the Media Protection security requirement.

Key Takeaways

  • Safeguarding Controlled Unclassified Information (CUI) on system media requires a comprehensive approach that includes: (1) protecting the media by limiting access and ensuring secure storage, (2) restricting access to authorized users only, and (3) sanitizing or destroying the media before disposal or reuse to prevent unauthorized retrieval of information.
  • Cryptography and access controls are essential to protect the confidentiality and integrity of CUI that is being transported out of an organization’s controlled area.
  • Protecting information by following strict policies and procedures for handling removable media and securing CUI at storage locations is crucial.

Understanding NIST SP 800-171 Media Protection

3.8.1. Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. Organizations can limit access to CUI stored on both digital and non-digital media by conducting regular inventories and by securing media in locked or controlled environments.

3.8.2. Limit access to CUI on system media to authorized users. In order to maintain accountability for stored media, access to CUI should be restricted to authorized users only. This is achieved by physically controlling system media, monitoring secure storage areas, conducting inventories, and ensuring procedures are in place requiring individuals to check out and return system media to a media library.

3.8.3. Sanitize or destroy system media containing CUI before disposal or release for reuse. Before disposal or reuse, media containing CUI must be sanitized or destroyed to ensure that the information cannot be retrieved or reconstructed. The method of sanitization is determined by the organization. Media destruction may be necessary when other methods to sanitize the data are not successful.

3.8.4. Mark media with necessary CUI markings and distribution limitations. Security markings are human-readable attributes applied to system media that identify the information it holds and its handling and distribution restrictions. Both digital and non-digital system media should carry markings that comply with applicable federal laws, Executive Orders, directives, policies, and regulations.

3.8.5. Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. Implement access controls for transporting media outside of the organization’s controlled area. Media should only be transported by an authorized courier or personnel. Accountability for media is maintained by using locked containers and cryptographic measures. Organizations should have a detailed transportation plan in place that restricts transport activities to authorized personnel and that tracks and retains detailed transport activity records as the media moves through the transportation system, so that loss, destruction, and tampering can be detected and prevented.

3.8.6. Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. Using cryptographic mechanisms such as encryption to protect CUI on portable storage devices is required unless physical access control measures are in place. Examples of portable storage include, but are not limited to, USB memory sticks, digital video disks, compact disks, and external or removable hard disk drives.

3.8.7. Control the use of removable media on system components. Organizations can choose to restrict the use of certain types of removable media on systems (for example, flash drives or external hard drives). Removable media can introduce threats to corporate information and lead to malware infections and data exfiltration. Organizations can implement controls (e.g., policies, procedures, and rules of behavior) to govern the use of system media. These fall into two groups: technical controls and non-technical controls.

Technical Controls

  • Port Blocking: Disable or restrict access to the specific ports (such as USB ports) to which removable media can be connected.
  • Device Allow Listing: Restrict the use of removable media to approved devices only.
  • Read-Only Access: Allow read-only access so that users can read from removable media but cannot transfer data from the system onto it.
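The three technical controls above map to Windows removable-storage policy settings. The script below is an added example, not part of the IBSS post or of NIST SP 800-171: it applies either port blocking or an allow list combined with read-only access, and reports which control is in effect. It assumes an elevated PowerShell session, and the two hardware IDs in `$ApprovedIds` are placeholders to be replaced with the organization's approved devices.

```powershell
# Added example (not from the IBSS post): apply and audit the Windows policy values
# behind 3.8.7's technical controls. Run elevated. $ApprovedIds holds placeholder
# hardware IDs; list real ones with: Get-PnpDevice -Class DiskDrive | Select-Object InstanceId
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$DevInstall     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$ApprovedIds    = @('USBSTOR\DiskVENDOR__&Prod_APPROVED-1', 'USBSTOR\DiskVENDOR__&Prod_APPROVED-2')  # placeholders

function Set-RemovableMediaPolicy {
    param([ValidateSet('Block', 'AllowListReadOnly')] [string] $Mode)

    if ($Mode -eq 'Block') {
        # Port blocking: keep the USB mass-storage driver from loading at all (Start = 4 is Disabled).
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
        return
    }
    # Device allow listing: only the listed hardware IDs may install; DenyUnspecified blocks every
    # other new device of ANY class, so the list must also cover approved non-storage devices.
    New-Item -Path "$DevInstall\AllowDeviceIDs" -Force | Out-Null
    Set-ItemProperty -Path $DevInstall -Name AllowDeviceIDs  -Value 1 -Type DWord
    Set-ItemProperty -Path $DevInstall -Name DenyUnspecified -Value 1 -Type DWord
    for ($i = 0; $i -lt $ApprovedIds.Count; $i++) {
        Set-ItemProperty -Path "$DevInstall\AllowDeviceIDs" -Name ($i + 1) -Value $ApprovedIds[$i] -Type String
    }
    # Read-only access: approved removable disks can be read but not written to or executed from.
    New-Item -Path $RemovableDisks -Force | Out-Null
    Set-ItemProperty -Path $RemovableDisks -Name Deny_Write   -Value 1 -Type DWord
    Set-ItemProperty -Path $RemovableDisks -Name Deny_Execute -Value 1 -Type DWord
}

function Test-RemovableMediaPolicy {
    # Audit helper for the assessor: report which of the three controls is currently in effect.
    $usbstor = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue).Start
    $rd      = Get-ItemProperty $RemovableDisks -ErrorAction SilentlyContinue
    $di      = Get-ItemProperty $DevInstall     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PortBlocked     = ($usbstor -eq 4)
        AllowListActive = ($di.AllowDeviceIDs -eq 1 -and $di.DenyUnspecified -eq 1)
        WriteDenied     = ($rd.Deny_Write -eq 1)
        ExecuteDenied   = ($rd.Deny_Execute -eq 1)
    }
}

Set-RemovableMediaPolicy -Mode AllowListReadOnly
Test-RemovableMediaPolicy | Format-List
```

These are the registry values the matching Group Policy settings (Removable Storage Access and Device Installation Restrictions) write; in production, deliver them by domain GPO and keep the script for spot-checking a host during an assessment.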

Non-Technical Controls

  • Policies and Procedures: Establish clear policies outlining authorized use of removable media, acceptable device types, data transfer protocols, and inform users of potential policy violation consequences.
  • Training and Awareness: Implement regular training programs to educate users on the risks associated with removable media.

3.8.8. Prohibit the use of portable storage devices when such devices have no identifiable owner. Identifying the owners of portable storage devices makes it possible to track and trace devices and aids investigation in the event of loss, theft, or misuse. Associating a device with an owner allows responsibility for a potential security breach to be assigned. Organizations can increase accountability and reduce risk by requiring that every device have an identifiable owner.

3.8.9. Protect the confidentiality of backup CUI at storage locations. Organizations can maintain the confidentiality of backup CUI by employing cryptographic controls such as encryption. Encryption ensures that data at rest can be read only by authorized personnel holding the decryption keys, so the information remains protected even if the physical storage location is compromised.
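For 3.8.6 (CUI on portable media in transport) and, where backups are kept on such drives, 3.8.9, the following is an added example of the encryption control using BitLocker To Go; it is not code from the IBSS post or from NIST. It assumes an elevated session, an assumed drive letter `E:`, and that the password is entered at the prompt rather than stored in the script.

```powershell
# Added example (not from the IBSS post): encrypt a removable drive with BitLocker To Go,
# escrow a recovery password separately from the media, and deny writes to any removable
# drive that is not BitLocker-protected. Run elevated; E: is an assumed drive letter.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Protect-RemovableDrive {
    param([string] $MountPoint = 'E:')

    $pw = Read-Host -Prompt "Password for $MountPoint" -AsSecureString
    # XTS-AES 256 for the data; used-space-only keeps initial encryption short on a fresh drive.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -PasswordProtector -Password $pw | Out-Null
    # Add a numeric recovery password; the organization stores it apart from the media
    # (for example in AD DS) so a lost password does not mean lost CUI.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    return $rp
}

function Set-EncryptedWriteOnlyPolicy {
    # Policy: "Deny write access to removable drives not protected by BitLocker".
    # Unencrypted sticks become read-only, so CUI can only leave the system on encrypted media.
    New-Item -Path $Fve -Force | Out-Null
    Set-ItemProperty -Path $Fve -Name RDVDenyWriteAccess -Value 1 -Type DWord
}

function Test-DriveProtected {
    # Evidence for the assessor: protection on, volume encrypted, method, and which protectors exist.
    param([string] $MountPoint = 'E:')
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $v.ProtectionStatus   # 'On' once protectors are active
        VolumeStatus     = $v.VolumeStatus       # 'FullyEncrypted' after initial encryption completes
        Method           = $v.EncryptionMethod
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ',')
    }
}

$recovery = Protect-RemovableDrive -MountPoint 'E:'
Set-EncryptedWriteOnlyPolicy
Test-DriveProtected -MountPoint 'E:' | Format-List
# $recovery is escrowed out of band, never written to the drive it unlocks.
```

The password protector is what travels with the courier; the recovery password stays at the controlled location, which is the separation of key and media that 3.8.5 and 3.8.6 rely on.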

Securing Media and Information

The management of CUI on system media is a comprehensive process that involves protection, access control, and sanitization or destruction. Organizations can ensure the confidentiality, integrity, and availability of CUI by implementing effective access control, cryptography, and tracking systems. Key measures include limiting access to authorized personnel, using secure storage areas, conducting regular inventories, and employing stringent check-out/check-in procedures for media. Prior to disposal or reuse, media containing CUI must be thoroughly sanitized and/or destroyed to prevent unauthorized retrieval of information. These practices are essential in maintaining the security and integrity of CUI.

These are just a few examples of how to implement Media Protection whether you are a DoD Contractor or part of the Defense Industrial Base (DIB). Look for our next blog on Personnel Security.

Stay Ahead of the Game: Ensure Your NIST SP 800-171 Compliance for DoD Contracts

IBSS will use our 20 years of corporate DoD cybersecurity experience to prepare you for NIST SP 800-171 compliance. We specialize in developing cybersecurity strategies that align with organizational business processes to detect or prevent cyber attacks. We identify threats and vulnerabilities, and we assist organizations with managing risks to critical data. We provide expert support to promote compliance with Defense Federal Acquisition Regulation Supplement (DFARS), Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), NIST SP 800-171, and Privacy requirements.

Contact us now to get a free consultation on how to develop your company’s NIST SP 800-171 SSP.
