3.8.5 has a weight of -1 points

(Media Protection Family) 5/9

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Example of System Security Plan (SSP):

    Transportation and Control of Controlled Unclassified Information (CUI)

    1. Objective:
      To ensure the secure handling, transportation, and management of CUI data within and outside company-controlled areas, in alignment with company security policies to protect sensitive information.

    2. Scope:
      This protocol covers all employees who access CUI data and the stipulations governing its transport.

    3. Authorization:
      a. Only select employees, as identified by the Facility Security Officer (FSO), are authorized to transport CUI data outside of company-controlled areas.
      b. All employees with access to CUI receive a briefing detailing the requirements for controlling CUI data.
      c. CUI data is not removed from designated areas unless the FSO grants explicit authorization.

    4. Data Protection:
      a. All electronic CUI data is password protected.
      b. Authorization for transport of electronic CUI data must be secured from the FSO prior to transport.

    5. Transportation of Physical Media:
      For physical media such as blueprints and technical drawings:
      a. A transport log is created prior to the movement of such materials.
      b. During transportation, all physical CUI documents are kept in a locked briefcase to ensure maximum security.
      c. The transport log captures the following information:
         i. Content of the data
         ii. Name of the person transporting the data
         iii. Duration of the event (how long the data is outside the designated area)
         iv. Final disposition of the data (where it ends up and its secured state)

    6. Log Maintenance:
      a. The FSO maintains and oversees the transport log.
      b. The log is electronically maintained and stored within the FSO’s designated corporate files.
      c. Access to this log is limited to authorized personnel, providing an extra layer of security for the movement records of CUI data.

    7. Breaches & Non-Compliance:
      Any violations of this protocol are considered serious security breaches and are subject to appropriate disciplinary actions.

    8. Review & Updates:
      This protocol is reviewed annually by the FSO and the security team to ensure its effectiveness and to incorporate any updates in regulations or company policies.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Action and Milestones (POA&M) for CUI Data Transportation and Control

    1. Objective:
      Ensure the implementation, management, and continuous monitoring of the secure handling, transportation, and management of CUI data.

    2. Action Items:

      a. Training & Awareness:

      • Task: Conduct an awareness briefing for all employees accessing CUI.
      • Milestone: Completion of initial briefing.
      • Expected Completion Date: [Date]
      • Responsible Party: HR/Training Department

      b. Electronic Data Protection:

      • Task: Implement password protection for all electronic CUI data.
      • Milestone: Full implementation of password protection protocols.
      • Expected Completion Date: [Date]
      • Responsible Party: IT Department

      c. Physical Data Transportation:

      • Task: Procure locked briefcases for secure transportation of physical CUI data.
      • Milestone: Distribution of locked briefcases to authorized employees.
      • Expected Completion Date: [Date]
      • Responsible Party: Procurement/Security Department

      • Task: Develop and implement a transport log for tracking physical CUI data movement.
      • Milestone: Successful implementation and usage of transport log.
      • Expected Completion Date: [Date]
      • Responsible Party: FSO

      d. Log Maintenance:

      • Task: Create electronic storage and backup procedures for transport log.
      • Milestone: Complete backup and security protocols for log data.
      • Expected Completion Date: [Date]
      • Responsible Party: FSO and IT Department

    3. Monitoring and Updates:

      • Task: Set up quarterly reviews of the protocol to track compliance and effectiveness.
      • Milestone: Successful completion of first quarterly review.
      • Expected Completion Date: [3 Months from Implementation Date]
      • Responsible Party: FSO and Security Team

    4. Breach Protocols:

      • Task: Develop and implement a protocol for handling breaches and non-compliance.
      • Milestone: Protocol communicated to all relevant departments and personnel.
      • Expected Completion Date: [Date]
      • Responsible Party: FSO and Legal Department

    RELEVANT INFORMATION:

    Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.