The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Regulation Supplement (DFARS) standards. The eighth of the 14 Families of Requirements for NIST 800-171 compliance is Media Protection.
What is Media Protection in Terms of NIST 800-171?
The Media Protection family of requirements establishes processes to secure all media that might contain CUI (paper, removable, cloud-based, and digital), together with protocols that limit access and control the dissemination of CUI. Media protection clarifies where and how data is stored, how it is transferred, and how it should be properly secured. It also governs secure media storage, encryption, and physical accessibility, for example through a clean desk requirement. Proper acquisition, storage, access, transportation, and disposal of hardware are all covered here. Media Protection has 3 Basic Security Requirements and 6 Derived Requirements.
- 3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- 3.8.2 Limit access to CUI on system media to authorized users.
- 3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.
- 3.8.4 Mark media with necessary CUI markings and distribution limitations.
- 3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
- 3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
- 3.8.7 Control the use of removable media on system components.
- 3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
- 3.8.9 Protect the confidentiality of backup CUI at storage locations.
For guidance on storage encryption technologies for end user devices, see NIST SP 800-111. To learn more about NIST SP 800-171 compliance, please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide: SP 800-171A, Assessing Security Requirements for CUI | CSRC.