3.8.2 has a weight of -3 points

System Security Plan (SSP) for Control of Access to CUI on System Media

1. Access Control and Management:

• Control over access to CUI on system media is managed by the IT department under directives from the administration.
• Program managers are responsible for initiating access requests on behalf of employees who need access for their specific job duties.
• All access requests are approved by the IT department and, when necessary, by the administration.
• For physical media containing CUI, the facilities department is involved.
• A complete record of all access requests is maintained in the IT ticketing system, ensuring full chain of custody for CUI data access.

2. CUI Training and Authorization:

• Only personnel who have successfully completed CUI training are permitted to access system media containing CUI.
• CUI data is stored electronically, with strict access controls in place to limit its access only to those who are authorized.

3. Removable Media Control:

• Employees wishing to transfer information to removable media must submit a formal request through their immediate supervisor to the COO for consideration.
• Upon approval, only devices procured by the company will be issued for such purposes.
• To facilitate this, the IT administrator forwards a written request detailing the requirement to activate the authorized individual’s USB port. This documentation contains specifics such as the user’s name, the time window for which the USB port will be open, and the date of its deactivation.

4. Device Management:

• The Facility Security Officer (FSO) is responsible for issuing these devices and maintaining an inventory control log.
• Once its use is concluded, the device is returned to the FSO. It is then cleansed of all stored data and reset to its factory settings.

All the above procedures and protocols have been successfully implemented to ensure that access to CUI on system media is controlled, monitored, and maintained securely.

Plan of Action and Milestones (POA&M) for Control of Access to CUI on System Media

1. Access Control and Management:

• Milestone A: Continual audit and oversight of the IT department’s management of access control to ensure alignment with administration directives.
  • Completion Date: Quarterly
  • Responsibility: Administration & IT Department
• Milestone B: Monthly review of the access requests initiated by program managers to ensure only legitimate requests are made.
  • Completion Date: Monthly
  • Responsibility: IT Department & Program Managers
• Milestone C: Bi-monthly review of the ticketing system to ensure all access requests are logged accurately.
  • Completion Date: Bi-monthly
  • Responsibility: IT Department

2. CUI Training and Authorization:

• Milestone D: Regularly schedule, track, and audit CUI training for all new and existing personnel.

  • Completion Date: Bi-annually
  • Responsibility: HR Department & Training Team

• Milestone E: Quarterly review of access controls in place for electronic storage of CUI to ensure they remain stringent.

  • Completion Date: Quarterly
  • Responsibility: IT Department

3. Removable Media Control:

• Milestone F: Monthly audit of formal requests for transferring information to removable media to ensure adherence to the established process.

  • Completion Date: Monthly
  • Responsibility: COO & Supervisors

• Milestone G: Ensure timely processing of USB port activation and deactivation requests.

  • Completion Date: Within 24 hours of each request
  • Responsibility: IT Administrator

4. Device Management:

• Milestone H: Conduct bi-monthly reviews of the inventory control log maintained by the FSO to ensure all devices are accounted for.

  • Completion Date: Bi-monthly
  • Responsibility: FSO & IT Department

• Milestone I: Periodic scrubbing and resetting of returned devices to maintain data security.

  • Completion Date: Immediately upon return of each device
  • Responsibility: FSO & IT Support

“System media” refers to any physical or digital medium that can store data or information for a computer or system. In the context of the provided information regarding Control of Access to CUI on System Media, the term “system media” is specifically addressing where Controlled Unclassified Information (CUI) is stored and accessed.

Here’s a breakdown:

1. Physical System Media: These are tangible items that can hold or record data. Examples include:

   • Hard drives (both internal and external)
   • USB drives (flash drives, thumb drives)
   • CDs, DVDs
   • Magnetic tapes
   • Paper documents (as CUI can be both digital and paper-based)

2. Digital/Electronic System Media: These are typically non-tangible storage spaces or platforms that exist in electronic form. Examples include:

   • Virtual drives or storage (cloud storage, network drives)
   • Databases
   • Electronic document repositories

In the provided System Security Plan (SSP), when discussing the control of access to CUI on system media, the focus is on ensuring that only authorized individuals have the appropriate access to these media, whether they are physical devices like USB drives or digital storage solutions like databases or cloud storage.