3.8.1 has a weight of -3 points
(Media Protection Family) 1/9
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
Example of System Security Plan (SSP):
Control: SP 800-171 Control 3.8.1 – Physically Control and Securely Store System Media Containing CUI
Control Description: System media containing CUI, in both paper and digital forms, must be physically controlled and securely stored. This entails knowing where the media is at all times, ensuring it is not removed from secure areas without proper authorization, and storing it in a secured environment.
Implementation:
- Physical Security of CUI:
- Our building has a designated area explicitly used for CUI. This area is always controlled, locked, and monitored. Access is granted using keycards, ensuring only authorized personnel can enter. Additionally, the area is under constant video surveillance to maintain the integrity and security of the data stored.
- The locked CUI area acts as the primary perimeter, ensuring CUI is not accessible to unauthorized personnel.
- Any CUI data not stored within the designated area is stored and protected in FedRAMP-authorized data centers.
- Digital Security of CUI:
- Our policy strictly prohibits storing CUI on any form of digital media outside the GCC High environment.
- Only designated and authorized personnel with a clear need to know have the authority to store CUI in the GCC High environment.
- Folder and data access within the GCC environment is meticulously managed. Permissions are set to ensure that only authorized users can view and interact with specific pieces of information.
- All CUI in transit, whether digital or physical, is protected either by encryption or by physical safeguards appropriate to the mode of transport.
- Paper Copies of CUI:
- We strictly avoid maintaining paper versions of CUI, with the rare exception of certain items, which are stored in a locked safe inside a secure area of the building.
- Training:
- All authorized staff members, without exception, must complete the DoD CUI training. This training equips personnel with the knowledge and understanding needed to handle and protect CUI effectively.
Example of Plan of Action and Milestones (POA&M):
POA&M for SP 800-171 Control 3.8.1
Control: SP 800-171 Control 3.8.1 – Physically Control and Securely Store System Media Containing CUI
Control Description: System media containing CUI, in both paper and digital forms, should be physically controlled and securely stored.
Milestones:
- Establish a Secure CUI Containment Area:
- Task: Identify and designate a specific area within the building for CUI containment.
- Completion Date: [specific date]
- Responsible Party: Facilities Management / Security Team
- Status: Not Started / In Progress / Completed
- Notes: N/A
- Install Physical Security Measures:
- Task: Implement keycard access and video surveillance in the designated CUI area.
- Completion Date: [specific date]
- Responsible Party: Facilities Management / Security Team
- Status: Not Started / In Progress / Completed
- Notes: Consider integrating access logs to monitor and audit entry and exit events.
- Research Digital Storage Solutions for CUI:
- Task: Evaluate software solutions like Google Assured, Microsoft GCC High, and Prevail for secure CUI storage.
- Completion Date: [specific date]
- Responsible Party: IT Management / Security Team
- Status: Not Started / In Progress / Completed
- Notes: Consider evaluating factors such as compatibility, scalability, and ease of migration.
- Acquire and Implement Digital Storage Solution:
- Task: Procure the selected digital storage solution and begin implementation.
- Completion Date: [specific date]
- Responsible Party: IT Management / Security Team
- Status: Not Started / In Progress / Completed
- Notes: Ensure the selected solution holds a FedRAMP authorization before any CUI is stored in it.
- Ensure Training Compliance:
- Task: Schedule and track DoD CUI training for all authorized staff members.
- Completion Date: [specific date]
- Responsible Party: HR / Training Department
- Status: Not Started / In Progress / Completed
- Notes: Consider establishing annual refresher courses to keep staff updated on best practices.
Monitoring and Reporting:
- Frequency: Monthly review meetings will be held to assess progress on the milestones.
- Reporting: Updates will be documented and reported to senior management to ensure alignment and resource allocation.
- Audit: An annual internal audit will be conducted to ensure continued compliance and effectiveness of the control.
RELEVANT INFORMATION:
System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library. Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. [SP 800-111] provides guidance on storage encryption technologies for end user devices.
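The inventory and check-out procedure in the discussion text above, as an added example (not part of SP 800-171, the SSP above, or any product named on this page): a small Python media ledger that records check-outs and returns, then reconciles a physical count of each storage location against the ledger. Every discrepancy class it reports (media the ledger says is stored but was not found, unregistered media on a shelf, media returned without a check-in entry, media in the wrong location, overdue check-outs) is an accountability finding the inventory procedure should require someone to resolve. The media labels, locations, people and dates are constructed.

```python
"""Media accountability ledger for system media containing CUI.

Added example, not taken from SP 800-171 or the SSP above: it shows the
check-out/return procedure and inventory reconciliation the discussion
text describes. Media labels, people, locations and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class MediaItem:
    media_id: str                    # label affixed to the media (e.g. "USB-001")
    kind: str                        # usb, hdd, dvd, paper, ...
    home: str                        # storage location when checked in
    custodian: Optional[str] = None  # person holding it, None when in storage
    due: Optional[date] = None       # return date while checked out


class MediaLibrary:
    """Ledger of registered media plus an append-only check-out/return log."""

    def __init__(self) -> None:
        self.items: Dict[str, MediaItem] = {}
        self.log: List[tuple] = []   # (date, event, media_id, person)

    def register(self, media_id: str, kind: str, home: str) -> None:
        if media_id in self.items:
            raise ValueError(f"{media_id} already registered")
        self.items[media_id] = MediaItem(media_id, kind, home)

    def check_out(self, media_id: str, person: str, on: date, days: int = 7) -> None:
        item = self.items[media_id]   # KeyError: unregistered media cannot leave storage
        if item.custodian is not None:
            raise ValueError(f"{media_id} is already checked out to {item.custodian}")
        item.custodian, item.due = person, on + timedelta(days=days)
        self.log.append((on, "checkout", media_id, person))

    def check_in(self, media_id: str, person: str, on: date) -> None:
        item = self.items[media_id]
        if item.custodian != person:
            raise ValueError(f"{media_id} is not checked out to {person}")
        item.custodian, item.due = None, None
        self.log.append((on, "checkin", media_id, person))

    def overdue(self, on: date) -> List[str]:
        return sorted(m for m, it in self.items.items() if it.due and it.due < on)

    def reconcile(self, observed: Dict[str, Set[str]], on: date) -> Dict[str, List[str]]:
        """Compare a physical count (location -> labels seen there) against the ledger."""
        in_storage = {m for m, it in self.items.items() if it.custodian is None}
        checked_out = set(self.items) - in_storage
        found = set().union(*observed.values())
        misplaced = {m for loc, labels in observed.items() for m in labels
                     if m in self.items and self.items[m].home != loc}
        return {
            "missing": sorted(in_storage - found),            # ledger says stored, not found
            "unregistered": sorted(found - set(self.items)),  # on a shelf, never inventoried
            "returned_unlogged": sorted(found & checked_out), # back on shelf, no check-in entry
            "misplaced": sorted(misplaced),                   # found outside its home location
            "overdue": self.overdue(on),                      # checked out past the due date
        }


def build_sample_library() -> MediaLibrary:
    """Constructed ledger state: five labelled media and three log events."""
    lib = MediaLibrary()
    for media_id, kind, home in [("USB-001", "usb", "Cabinet-A"), ("USB-002", "usb", "Cabinet-A"),
                                 ("HDD-001", "hdd", "Cabinet-B"), ("DVD-001", "dvd", "Cabinet-B"),
                                 ("DOC-001", "paper", "Safe-1")]:
        lib.register(media_id, kind, home)
    lib.check_out("USB-001", "alice", date(2024, 3, 1))   # due 2024-03-08
    lib.check_out("HDD-001", "bob", date(2024, 3, 1))
    lib.check_in("HDD-001", "bob", date(2024, 3, 5))
    return lib


def demo() -> Dict[str, List[str]]:
    """Run a constructed physical count against the sample ledger."""
    lib = build_sample_library()
    counted = {                                   # what the person doing the count saw
        "Cabinet-A": {"USB-001", "USB-002", "HDD-001", "USB-009"},
        "Cabinet-B": set(),
        "Safe-1": {"DOC-001"},
    }
    return lib.reconcile(counted, on=date(2024, 3, 12))


if __name__ == "__main__":
    for finding, labels in demo().items():
        print(f"{finding:>17}: {labels or '-'}")
```

The count deliberately disagrees with the ledger in every way the procedure must catch: USB-001 is on its shelf although the log still shows it checked out (and overdue), HDD-001 was returned to the wrong cabinet, DVD-001 is nowhere to be found, and USB-009 was never registered. In a real media library the `log` list would be written to append-only storage so a missing check-in cannot be hidden by editing the ledger.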
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.