3.8.7 has a weight of -5 points

(Media Protection Family) 7/9

Control the use of removable media on system components.

Example of System Security Plan (SSP):

System Security Plan (SSP) for Control 3.8.7

Control the use of removable media on system components.


2. Control Description: This control governs the management and use of mobile media within our organization. It reinforces the antivirus measures in place, provides guidelines for different types of portable storage, and ensures the ongoing confidentiality and integrity of Controlled Unclassified Information (CUI).


3. Purpose: We have established a cybersecurity infrastructure that combines proactive antivirus protocols, removable media restrictions, and distinct processes for mobile media usage, ensuring the protection of sensitive data.


4. Implemented Measures:

  • Antivirus Measures:
    • Any removable media, such as USB sticks inserted into our machines, instantly undergoes an antivirus scan.
    • Our IT department consistently sanitizes all removable media using a dedicated air-gapped machine equipped with the latest antivirus software.
  • Mobile Media Usage Protocols:
    • Specific Media Restrictions: Certain removable media types, especially flash drives, face restrictions or are entirely prohibited.
    • Physical Measures: Our workstations are equipped with physical barriers such as cages that block access to specific external ports, limiting the use of portable storage devices.
    • Capability Limitations: We’ve deactivated or entirely removed the ability to read, write, or insert particular removable media.
    • Approved Devices Only: We permit only organization-sanctioned devices. Personal device use is minimized to deter security risks.
    • Writable Device Restrictions: We’ve controlled writing to portable storage devices, either disabling or removing the capability.
    • We mandate clearance from our IT department for any removable media usage. Each approved medium bears a CUI sticker, indicating its sanitized status and rightful ownership.
    • Our company’s cybersecurity policy meticulously documents these processes and media usage records.
  • CCB Oversight and Device Management:
    • Our employees must secure approval from the Change Control Board (CCB) to use removable media.
    • The Facility Security Officer (FSO) manages the issuance of organization-approved USB drives.
    • Our FSO maintains an inventory control log, recording device issuance, return dates, and unique identifiers.
    • After usage, devices are returned to the FSO, sanitized, and reset.
  • Training and Awareness:
    • Our team undergoes regular training sessions on the established policies and procedures. This reinforces understanding and emphasizes the security risks associated with removable media.

Example of Plan of Action and Milestones (POA&M):

Plan of Action and Milestones (POA&M) for Removable Media Control – Control 3.8.7


Objective:
To enhance and monitor the implemented measures that govern the management and use of mobile media, ensuring the protection of Controlled Unclassified Information (CUI).


1. Antivirus Integration:
Status: Ongoing

  • Action: Upgrade antivirus software on the air-gapped machine to the latest version every six months.
  • Milestone: Next update scheduled for [Month, Year].
  • Responsible Party: IT Department

2. Mobile Media Usage Protocols:
Status: Partially Implemented

  • Action: Evaluate and update the list of restricted/prohibited removable media types annually.
  • Milestone: Next evaluation scheduled for [Month, Year].
  • Responsible Party: Cybersecurity Committee

3. Physical Protection Measures:
Status: Ongoing

  • Action: Conduct bi-annual inspections to ensure the physical barriers on workstations are intact and functioning correctly.
  • Milestone: Next inspection scheduled for [Month, Year].
  • Responsible Party: Facility Maintenance Team

4. Device Approval Protocols:
Status: Ongoing

  • Action: Review and update criteria for organization-sanctioned devices every year.
  • Milestone: Criteria review scheduled for [Month, Year].
  • Responsible Party: IT Department and FSO

5. Training and Awareness:
Status: Ongoing

  • Action: Update training content annually to include the latest risks and protocols associated with removable media.
  • Milestone: Next training module update by [Month, Year].
  • Responsible Party: Training Department and Cybersecurity Committee

6. CCB Oversight:
Status: Ongoing

  • Action: Quarterly review of CCB decisions to ensure alignment with the removable media policy.
  • Milestone: Next review meeting scheduled for [Month, Year].
  • Responsible Party: Change Control Board (CCB)

7. FSO Device Management:
Status: Ongoing

  • Action: Audit the inventory control log bi-annually to ensure accurate device tracking.
  • Milestone: Next audit scheduled for [Month, Year].
  • Responsible Party: Facility Security Officer (FSO)

This POA&M will be reviewed and updated on a semi-annual basis to ensure continued alignment with organizational needs and cybersecurity best practices. The next review is scheduled for [Month, Year].


Document Approved by:
[Name, Title, Date]
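As an added example (not part of the SSP or POA&M templates above), the following Python script shows how two of the measures described earlier could be checked mechanically rather than by reading the log by hand: the "Approved Devices Only" rule and the FSO inventory control log audit. It reads a constructed inventory log and constructed endpoint insertion events and reports unapproved serials, drives used after their recorded return, overdue returns, and returned drives not yet sanitized. The log columns, event format, host names and serials are assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed FSO inventory control log sample; empty return_date = drive still out on loan.
INVENTORY_LOG = """\
serial,issued_to,issue_date,due_date,return_date,sanitized
ORG-USB-0001,alice,2024-03-01,2024-03-15,2024-03-14,yes
ORG-USB-0002,bob,2024-03-05,2024-03-19,,no
ORG-USB-0004,dave,2024-03-02,2024-03-16,2024-03-15,no
"""

# Constructed insertion events exported from endpoint logs: date,host,device serial.
INSERT_EVENTS = """\
2024-03-10,WS-17,ORG-USB-0002
2024-03-16,WS-04,ORG-USB-0001
2024-03-16,WS-09,0123456789ABCDEF
"""

def parse_inventory(text):
    # Map serial -> record so the serial seen at insertion can be looked up directly.
    inv = {}
    for r in csv.DictReader(io.StringIO(text)):
        inv[r["serial"]] = {
            "issued_to": r["issued_to"],
            "due_date": date.fromisoformat(r["due_date"]),
            "return_date": date.fromisoformat(r["return_date"]) if r["return_date"] else None,
            "sanitized": r["sanitized"].strip().lower() == "yes",
        }
    return inv

def audit(inventory_text, events_text, today):
    # Returns (finding, serial, detail) tuples, one per policy violation found.
    inv = parse_inventory(inventory_text)
    findings = []
    # Approved Devices Only: an inserted serial must belong to an issued drive still out on loan.
    for line in events_text.strip().splitlines():
        seen, host, serial = line.split(",")
        rec = inv.get(serial)
        if rec is None:
            findings.append(("UNAPPROVED_DEVICE", serial, host))
        elif rec["return_date"] and date.fromisoformat(seen) > rec["return_date"]:
            findings.append(("USED_AFTER_RETURN", serial, host))
    # Inventory log audit: overdue returns, and returned drives not yet sanitized and reset.
    for serial, rec in inv.items():
        if rec["return_date"] is None and today > rec["due_date"]:
            findings.append(("OVERDUE_RETURN", serial, rec["issued_to"]))
        elif rec["return_date"] and not rec["sanitized"]:
            findings.append(("RETURNED_NOT_SANITIZED", serial, rec["issued_to"]))
    return findings
```

Running `audit(INVENTORY_LOG, INSERT_EVENTS, date(2024, 3, 20))` on the sample data flags one unapproved serial, one drive used after its return date, one overdue return and one returned drive that was never sanitized; each finding maps back to a line in the SSP's measures.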

RELEVANT INFORMATION:

In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices.



Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.