3.8.2 has a weight of -3 points

(Media Protection Family) 2/9

Limit access to CUI on system media to authorized users

Example of System Security Plan (SSP):

    System Security Plan (SSP) for Control of Access to CUI on System Media

    1. Access Control and Management:

    • Control over access to CUI on system media is managed by the IT department under directives from the administration.
    • Program managers are responsible for initiating access requests on behalf of employees who need access for their specific job duties.
    • All access requests are approved by the IT department and, when necessary, by the administration.
    • For physical media containing CUI, the facilities department is involved.
    • A complete record of all access requests is maintained in the IT ticketing system, providing an audit trail of who requested access to CUI, who approved it, and when.

    2. CUI Training and Authorization:

    • Only personnel who have successfully completed CUI training are permitted to access system media containing CUI.
    • CUI data is stored electronically, with strict access controls in place to limit its access only to those who are authorized.

    3. Removable Media Control:

    • Employees wishing to transfer information to removable media must submit a formal request through their immediate supervisor to the COO for consideration.
    • Upon approval, only devices procured by the company will be issued for such purposes.
    • Once approved, the IT administrator receives a written request to enable the USB port on the authorized individual’s workstation. The request records the user’s name, the time window during which the USB port will be enabled, and the date on which it will be disabled again.
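    The USB-port activation step above, carried out on a Windows workstation, as an added example (this is not part of the original SSP and not the organization’s own script). It enables the USB mass-storage driver for the approved request, writes the user name, request number and deactivation time to a log, and schedules the deactivation to run as SYSTEM at the end of the window. The log path, task directory and task name are hypothetical, and the script assumes the workstation baseline keeps the USBSTOR service disabled (Start = 4).

```powershell
<#
  Added example, not part of the original SSP.
  Enables the USB mass-storage driver for one approved request on a Windows workstation,
  records the request details (user, request number, deactivation time), and registers a
  SYSTEM scheduled task that disables the driver again when the window closes.
  Assumptions (hypothetical): run from an elevated PowerShell on the target workstation;
  baseline state is USBSTOR disabled (Start = 4); log and task paths are placeholders.
  Usage: .\Enable-CuiUsbWindow.ps1 -UserName jdoe -RequestId IT-1234 -WindowEnd '2024-05-01 17:00'
#>
param(
    [Parameter(Mandatory)] [string]   $UserName,   # employee named in the COO-approved request
    [Parameter(Mandatory)] [string]   $RequestId,  # ticket number in the IT ticketing system
    [Parameter(Mandatory)] [datetime] $WindowEnd,  # deactivation date/time from the written request
    [string] $LogPath = 'C:\ProgramData\CUI\usb-activation.log',  # hypothetical log location
    [string] $TaskDir = 'C:\ProgramData\CUI\usb-tasks'            # hypothetical; must be writable by admins only
)

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$TaskName   = "CUI-USB-Deactivate-$RequestId"

function Write-ActivationLog([string] $Message) {
    $line = '{0:u} host={1} user={2} request={3} {4}' -f (Get-Date), $env:COMPUTERNAME, $UserName, $RequestId, $Message
    Add-Content -Path $LogPath -Value $line
}

# A request whose window has already closed must not open the port at all.
if ($WindowEnd -le (Get-Date)) {
    throw "Request ${RequestId}: deactivation time $WindowEnd is in the past; USBSTOR stays disabled."
}

# Start = 3 lets Windows load USBSTOR when a mass-storage device is plugged in; Start = 4 disables it.
Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3
if ((Get-ItemProperty -Path $UsbStorKey -Name Start).Start -ne 3) {
    throw "Failed to enable USBSTOR on $env:COMPUTERNAME"
}
Write-ActivationLog "USBSTOR enabled; deactivation scheduled for $($WindowEnd.ToString('u'))"

# Write the deactivation script now, with the request details baked in, so the task needs no input later.
New-Item -ItemType Directory -Path $TaskDir -Force | Out-Null
$TaskScript = Join-Path $TaskDir "$TaskName.ps1"
@"
Set-ItemProperty -Path '$UsbStorKey' -Name Start -Value 4
Add-Content -Path '$LogPath' -Value ('{0:u} host={1} user=$UserName request=$RequestId USBSTOR disabled by scheduled task' -f (Get-Date), `$env:COMPUTERNAME)
"@ | Set-Content -Path $TaskScript -Encoding ASCII

# Run as SYSTEM so deactivation does not depend on the user being logged on or cooperating.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$TaskScript`""
$trigger   = New-ScheduledTaskTrigger -Once -At $WindowEnd
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
Write-ActivationLog "deactivation task '$TaskName' registered"
```

    Two caveats a reviewer should check before adopting this approach: the task directory runs code as SYSTEM, so its ACL must not allow the standard user to modify the generated script, and setting Start back to 4 stops new mass-storage devices from being recognized but does not eject a device that is still plugged in, so the FSO return step remains the control that actually ends the device’s use. Disabling USBSTOR also covers only the mass-storage class; phones in MTP mode and other device classes need a separate device-control policy.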

    4. Device Management:

    • The Facility Security Officer (FSO) is responsible for issuing these devices and maintaining an inventory control log.
    • Once its use is concluded, the device is returned to the FSO. It is then sanitized of all stored data and reset to its factory settings; a quick format or factory reset alone does not reliably remove data from flash media, so the sanitization step must use a method that actually overwrites or cryptographically erases the storage.

      All the above procedures and protocols have been successfully implemented to ensure that access to CUI on system media is controlled, monitored, and maintained securely.

      Example of Plan of Action and Milestones (POA&M):

      Plan of Action and Milestones (POA&M) for Control of Access to CUI on System Media


      1. Access Control and Management:

      • Milestone A: Continual audit and oversight of the IT department’s management of access control to ensure alignment with administration directives.
        • Completion Date: Quarterly
        • Responsibility: Administration & IT Department
      • Milestone B: Monthly review of the access requests initiated by program managers to ensure only legitimate requests are made.
        • Completion Date: Monthly
        • Responsibility: IT Department & Program Managers
      • Milestone C: Bi-monthly review of the ticketing system to ensure all access requests are logged accurately.
        • Completion Date: Bi-monthly
        • Responsibility: IT Department

      2. CUI Training and Authorization:

      • Milestone D: Regularly schedule, track, and audit CUI training for all new and existing personnel.

        • Completion Date: Bi-annually
        • Responsibility: HR Department & Training Team
      • Milestone E: Quarterly review of access controls in place for electronic storage of CUI to ensure they remain stringent.

        • Completion Date: Quarterly
        • Responsibility: IT Department

      3. Removable Media Control:

      • Milestone F: Monthly audit of formal requests for transferring information to removable media to ensure adherence to the established process.

        • Completion Date: Monthly
        • Responsibility: COO & Supervisors
      • Milestone G: Ensure timely processing of USB port activation and deactivation requests.

        • Completion Date: Within 24 hours of each request
        • Responsibility: IT Administrator

      4. Device Management:

      • Milestone H: Conduct bi-monthly reviews of the inventory control log maintained by the FSO to ensure all devices are accounted for.

        • Completion Date: Bi-monthly
        • Responsibility: FSO & IT Department
      • Milestone I: Periodic scrubbing and resetting of returned devices to maintain data security.

        • Completion Date: Immediately upon return of each device
        • Responsibility: FSO & IT Support

      "System Media" Explained:

      “System media” refers to any physical or digital medium that can store data or information for a computer or system. In the context of the provided information regarding Control of Access to CUI on System Media, the term “system media” is specifically addressing where Controlled Unclassified Information (CUI) is stored and accessed.

      Here’s a breakdown:

      1. Physical System Media: These are tangible items that can hold or record data. Examples include:

        • Hard drives (both internal and external)
        • USB drives (flash drives, thumb drives)
        • CDs, DVDs
        • Magnetic tapes
        • Paper documents (as CUI can be both digital and paper-based)
      2. Digital/Electronic System Media: These are logical storage locations that exist in electronic form rather than as a single physical item. Examples include:

        • Virtual drives or storage (cloud storage, network drives)
        • Databases
        • Electronic document repositories

      In the provided System Security Plan (SSP), when discussing the control of access to CUI on system media, the focus is on ensuring that only authorized individuals have the appropriate access to these media, whether they are physical devices like USB drives or digital storage solutions like databases or cloud storage. 

      RELEVANT INFORMATION:

      Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.

      Resources to consider:

      Security Policy Document:

      This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

      Asset Inventory and Access Control Sheet:

      Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

      User Account Management Log:

      Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

      Password and Multi-Factor Authentication Policy:

      Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

      Process and Script Accountability Log:

      Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

      Device Access Control and VPN Policy:

      Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

      Access Control Review and Monitoring Schedule:

      Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

      User Training and Awareness Materials:

      Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.