This is the eighth of a fourteen-part blog series describing how Ascolta Greenfield environments achieve compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Non-federal Systems. This entry covers the controls contained in the Media Protection Policy and Procedures family.
What is it?
Media protection is a requirement that addresses the defense of system media, which may be either digital or non-digital. Examples of digital media include diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks.
Examples of non-digital media include paper and microfilm. Media protections can include restricting access so that media is available to authorized personnel only, applying security labels to sensitive information, and providing instructions on how to remove information from media so that it cannot be retrieved or reconstructed. Media protections also include physically controlling system media and ensuring accountability for it, as well as restricting mobile devices capable of storing and carrying information from entering or leaving restricted areas. Examples of media protection requirements include media access, media marking, media storage, media transport, and media sanitization. Companies should protect system media, both paper and digital; limit access to information on system media to authorized users; and sanitize or destroy system media before disposal or release for reuse.
How does Greenfield solve it?
Greenfield provides Media Protection by strongly encouraging users not to use detachable media devices. For the Greenfield System, Greenfield inherits the controls applied by AWS. AWS is responsible for developing, disseminating, and reviewing/updating a media protection policy. The use of digital media types is restricted within the AWS authorization boundary: the only types of media permitted within the system boundary are magnetic and solid-state storage devices. AWS restricts access to data centers through the implementation of physical and environmental security controls, and AWS does not currently permit the use or storage of any removable information system media in the data centers. AWS also sanitizes all forms of digital media, whether removable or non-removable storage.
AWS employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information. Since it is presumed that, at some point in its life-cycle, media will hold sensitive client or AWS data, all media is treated as sensitive or CUI. This in turn requires that all media be rendered unreadable and destroyed at the end of its life-cycle, when compromised, or when malfunctioning.
For clients, the best way to protect external media is not to use it! Understanding that this is not always practical, if you must use external media, encryption is highly recommended. Greenfield provides recommendations and best practices for encrypting and protecting CUI when it is moved to external media. However, once CUI is moved outside of the Greenfield environment boundary, it becomes the sole responsibility of the client to ensure that all security controls of the receiving device, organization, and network are met.