3.8.6 has a weight of -1 points
(Media Protection Family) 6/9
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Example of System Security Plan (SSP):
Control Title: Protection of CUI during Transport
Control Number: 3.8.6
Purpose: To ensure the confidentiality of CUI stored on digital media during transport and safeguard against unauthorized access.
Control Description: The organization protects the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Implementation Details:
Encryption Protocols:
- All digital CUI is encrypted at rest and in transit. Mobile computing platforms use BitLocker with the Windows "Use FIPS compliant algorithms" system cryptography policy enabled, so BitLocker selects only FIPS-validated algorithms; company-issued removable drives are encrypted with BitLocker To Go under the same policy before any CUI is written to them. Wireless connections use WPA2 with FIPS-compliant encryption. VPNs use FIPS-validated 256-bit AES.
Storage:
- Company policy requires that all CUI is stored in an approved cloud service, with access limited strictly to authorized employees.
Device Restrictions:
- All systems are configured to block removable storage devices, preventing direct data transfers to unapproved media.
Removable Media Protocol:
- Employees who need to transfer CUI to removable media must formally request authorization from the Change Control Board (CCB).
- Once authorized, only company-approved (encrypted) USB drives are issued for the transfer.
- The Facility Security Officer (FSO) issues these devices and maintains an inventory control log entry for each one.
- After use, devices are returned to the FSO, where all data is sanitized and the device is restored to its factory state before reissue.
Policy Statement:
Our organization firmly commits to ensuring the confidentiality of Controlled Unclassified Information (CUI) when transported on digital media. By integrating cryptographic mechanisms, we achieve robust protection for sensitive data, especially when alternative physical safeguards aren’t present.
Scope of Requirement:
This policy covers all portable storage media used to store or transport CUI, including but not limited to USB memory sticks, DVDs, CDs, and external or removable hard drives.
Cryptographic Protection:
We rely on cryptographic tools to shield the confidentiality of CUI on digital media during its transport. By encrypting the data, the risk posed by potential media loss or theft is significantly reduced, preventing unauthorized data access.
Alternative Physical Safeguards:
Where encryption is not feasible, alternative physical safeguards are used instead, and the safeguard applied to each shipment is documented so that CUI remains protected during transit.
Guidance on Cryptographic Mechanisms:
Our organization strictly aligns with the guidance detailed in [NIST CRYPTO]. This alignment ensures our cryptographic choices are in tandem with the industry’s best practices and standards.
Training and Awareness:
All staff members engaged in the transport of CUI on digital media undergo intensive training. This training focuses on cryptographic tool usage, reinforces the paramount importance of transit data protection, and promotes responsible digital media handling.
Example of Plan of Action and Milestones (POA&M):
POA&M for Control 3.8.6: Protection of CUI during Transport
Milestone: Upgrade and Standardize Encryption Protocols
- Action Items:
- Confirm that all mobile computing platforms have the FIPS-compliant algorithms policy enabled and BitLocker protection turned on.
- Ensure wireless connections are set to WPA2 FIPS-compliant encryption.
- Verify VPNs are using 256-bit AES FIPS-validated cryptography.
- Target Completion Date: [Specific Date]
Milestone: Secure Cloud Storage Implementation and Access Control
- Action Items:
- Review and validate the security controls of the current cloud storage service.
- Audit the list of authorized employees with access to CUI data in the cloud.
- Implement additional layers of security if deemed necessary.
- Target Completion Date: [Specific Date]
Milestone: Enforce Device Restrictions on Systems
- Action Items:
- Conduct an assessment of systems to ensure removable storage devices are restricted.
- Roll out patches or configuration updates to any system not in compliance.
- Initiate periodic checks to maintain the system configurations.
- Target Completion Date: [Specific Date]
Milestone: Streamline Removable Media Protocol
- Action Items:
- Establish a clear protocol for the CCB authorization request process.
- Update inventory and management procedures for USB devices under the FSO's purview.
- Implement a protocol for sanitizing devices and restoring them to factory state after use.
- Target Completion Date: [Specific Date]
Milestone: Enhance Training and Awareness Program
- Action Items:
- Develop a comprehensive training module on cryptographic tools and their importance.
- Schedule training sessions for all relevant staff members.
- Initiate periodic refresher training to ensure continued awareness.
- Target Completion Date: [Specific Date]
Milestone: Develop and Refine Incident Reporting and Response Protocol
- Action Items:
- Review current incident response procedures for any gaps or inefficiencies.
- Establish a clear channel for reporting CUI-related incidents, including lost or stolen media.
- Conduct mock drills to test the effectiveness of the response protocol.
- Target Completion Date: [Specific Date]
Milestone: Ongoing Cryptographic Defense Evaluation
- Action Items:
- Set up a task force to continuously monitor industry best practices related to cryptographic defenses.
- Review and update the organization's cryptographic measures periodically.
- Incorporate feedback from all stakeholders in the improvement process.
- Target Completion Date: [Specific Date]
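The SSP implementation details and the first and third POA&M milestones (FIPS mode in BitLocker, removable-device restrictions) are the items an assessor will ask for evidence on. The script below is an added example written for this page; it is not from the original page or from any vendor tool. It assumes a Windows 10/11 or Windows Server host with the BitLocker PowerShell module, run as Administrator, and reads the documented Group Policy registry locations for the FIPS algorithm policy, the "All Removable Storage classes: Deny all access" setting, and the BitLocker "Deny write access to removable drives not protected by BitLocker" setting. The expected values and the allowed cipher list are this example's baseline, not values taken from the page.

```powershell
# Added example: read-only evidence collection for 3.8.6 on a Windows endpoint.
# Emits one PASS/FAIL finding per check and exits non-zero if anything failed,
# so it can run as a periodic compliance job and the output can be filed as evidence.
#Requires -RunAsAdministrator

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the key/value does not exist (policy not configured).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Check, $Observed, $Expected, [bool]$Pass)
    $result = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add([pscustomobject]@{ Check = $Check; Observed = $Observed; Expected = $Expected; Result = $result })
}

# 1. System cryptography: "Use FIPS compliant algorithms for encryption, hashing, and signing".
#    BitLocker honours this policy, so it is the evidence for "FIPS mode in BitLocker".
$fips = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
Add-Finding 'FIPS algorithm policy enabled' $fips 1 ($fips -eq 1)

# 2. BitLocker on every volume Windows currently sees (OS, fixed data, and any mounted removable drive).
#    A volume only counts as protected when it is fully encrypted AND protection is on;
#    "EncryptionInProgress" or a suspended protector is a FAIL.
$allowedMethods = @('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')   # example baseline, AES only
foreach ($vol in Get-BitLockerVolume) {
    $protected = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    Add-Finding "BitLocker protection on $($vol.MountPoint) ($($vol.VolumeType))" `
        "$($vol.VolumeStatus)/$($vol.ProtectionStatus)" 'FullyEncrypted/On' $protected
    if ($protected) {
        $method = "$($vol.EncryptionMethod)"
        Add-Finding "BitLocker cipher on $($vol.MountPoint)" $method ($allowedMethods -join '|') ($allowedMethods -contains $method)
    }
}

# 3. Removable media restrictions. Either policy supports the SSP statement that external
#    devices are disallowed; both are recorded so the assessor sees which one is in force.
#    a) Removable Storage Access: "All Removable Storage classes: Deny all access"
$denyAll = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
Add-Finding 'Removable storage: deny all access' $denyAll 1 ($denyAll -eq 1)
#    b) BitLocker To Go: "Deny write access to removable drives not protected by BitLocker"
$rdvDeny = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'RDVDenyWriteAccess'
Add-Finding 'Removable drives: write access requires BitLocker' $rdvDeny 1 ($rdvDeny -eq 1)

# 4. Report and gate.
$findings | Format-Table -AutoSize
if ($findings.Result -contains 'FAIL') {
    Write-Warning '3.8.6 evidence check: one or more controls are not in place on this host'
    exit 1
}
```

Run it with a company-issued USB drive inserted so the removable volume appears in the BitLocker section; a drive that shows FullyDecrypted there is exactly the gap the CCB/FSO process in the SSP is meant to close. The registry reads only confirm that policy is configured; whether the policy is actually applied on a domain-joined host is still worth confirming with `gpresult /h` during the assessment.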
Example of Change Control Board (CCB) Policy:
Change Control Board (CCB) Policy
1. Purpose and Scope: This policy outlines the role and function of the Change Control Board (CCB) and its procedures for managing requests for changes or updates in projects, systems, processes, or products within [Organization Name]. The CCB ensures a structured approach to reviewing, evaluating, and approving or rejecting changes to maintain consistency and control.
2. CCB Definition: The CCB is a dedicated committee responsible for overseeing requests related to changes or updates. It is pivotal in configuration management and change management, particularly in areas such as IT, software development, and project management. The board’s primary function is to scrutinize proposed changes based on specific criteria, ensuring changes align with the organization’s goals and objectives.
3. CCB Authorization Request Process:
3.1. Submission:
- Any team or individual identifying a change requirement should submit a detailed request. This request must highlight the proposed change, its rationale, anticipated impacts, and any pertinent details.
3.2. Review:
- The CCB is tasked with reviewing each submission, focusing on its necessity, feasibility, potential risks, and implications for the existing framework.
3.3. Evaluation:
- Depending on the complexity and scope of the request, the CCB might call for more details, clarity, or even a feasibility assessment related to the proposed change.
3.4. Decision:
- Post-evaluation, the CCB will determine the request's status, choosing between approval, deferral, or rejection. Approved changes advance to the implementation stage, deferred requests may undergo later consideration, and rejected requests are closed.
3.5. Communication:
- All decisions made by the CCB will be communicated to the individual or team who made the initial request. If a change is approved, the CCB may also offer further guidelines or directives about its execution.
3.6. Documentation:
- For transparency and future reference, all decisions, deliberations, and associated discussions will be thoroughly documented and archived.
4. Compliance: All departments and teams within [Organization Name] must comply with this policy and are expected to familiarize themselves with the CCB’s function and procedures.
5. Review and Updates: This policy will be reviewed annually or as required by changes in organizational processes or standards. Updates will be disseminated as appropriate.
6. Approvals: This policy is effective as of [Date] and has been approved by [Senior Management/Board of Directors/Relevant Authority].
RELEVANT INFORMATION:
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives). See [NIST CRYPTO]. [SP 800-111] provides guidance on storage encryption technologies for end user devices.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.