Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization restricts access to all types of removable digital and non-digital media including, but not limited to, hard disks, floppy disks, zip drives, CDs, DVDs, thumb drives, pen drives, flash drives, and similar universal serial bus (USB) storage devices in accordance with the Insider Threat Mitigation Guidance. A Two-Person Integrity (TPI) Media Custodian will be designated in writing and will be responsible for implementing locally defined security measures (e.g., media sign-out logs, media accountability logs).
Where appropriate, all portable media with a moderate or high confidentiality rating shall be encrypted using either NSA approved.
All digital media, and the use of such media, must be authorized by the designee prior to being introduced. Organizations are required to ensure the local facility SOP defines the personnel/roles and security measures used to control access to media (e.g., centralized safe, media sign-out logs, media accountability logs, entry/exit procedures). Maintain a list of authorized users and their respective authorized use privileges. Personally-owned thumb drives, CDs, and DVDs are prohibited from entering accredited facilities without approval.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
All information storage media must be appropriately marked and protected to prevent the loss of information through poor security procedures. Likewise, to prevent security compromises, all output products (to include printed material) must be appropriately marked and protected. Each user is ultimately responsible for the marking, handling, and storage of media and paper products within their assigned area of responsibility. In addition, security markings will be displayed on all servers, server cabinets, desktops/laptops, removable/external hard drives, monitors and printers. Thin clients must also be marked. In the case of multi-level devices the security marking shall reflect the highest classification level authorized to be processed.
All IS storage media shall have external security markings clearly indicating the classification of the information. All information storage media will be marked. [MP-3(a)] See the NISPOM for additional media marking information.
The organization:
Marks IS media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information
Exempts new, unused, factory-sealed media from marking as long as the media remains within the locked media cabinet or storage area
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
All organizations must comply with the Insider Threat Mitigation guidance.
Commercial software maintained within the facility by IT personnel and used to update systems or maintain proof of license or purchase may be handled separately from the facility tracking log or system. This media must be locked away in a separate container or cabinet and treated as unclassified provided the write protection or verification of closed session was verified by IT personnel once it was used in a classified computer system. Commercial media still in shrink-wrap may remain this way and be secured in the same cabinet as other commercial media.
All media shall be accounted for under the direct management of the Top Secret Control Officer (TSCO).
Each organization will audit information storage media accountability records for accuracy at least annually or as specified by the AO. The results of these audits shall be documented in an internal report to remain on file within the organization for at least one (1) year or one review cycle whichever is longer. Organizations must be able to demonstrate positive control and accounting of information storage media when reviewed by inspection authorities. Discrepancies shall be reported to the ISSM/ISSO for further reporting to the AO or designee, as required.
The organization:
Physically controls and securely stores all digital media regardless of classification, and non-digital media containing classified information, within an area and/or container approved for processing and storing media based on the classification of the information contained within the media
Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Approved procedures shall be implemented to address mobile devices traveling to and returning from a location that the organization deems to be of significant risk. Information should be transported electronically whenever possible. When electronic transport is not possible, movement of all media shall be coordinated through the appropriate security personnel (ISSM/ISSO) following approved procedures. [MP-5(a)]
Activities associated with the transport of media shall be documented by the organization. Appropriate entries in the organization’s media accounting system shall be made. [MP-5(b)]
The organization:
Protects and controls all types of digital and non-digital media during transport outside of controlled areas using AO approved security measures, to include courier and digital media encryption
Maintains accountability for information system media during transport outside of controlled areas
Documents activities associated with the transport of information system media
Restricts the activities associated with the transport of information system media to authorized personnel. Transport of media shall be restricted to an authorized custodian by means of a courier card/letter
CONTINUOUS MONITORING STRATEGY
10.16.5.1 MP-5(3) – Media Transport: Custodians (+ Classified Overlay) – NEW
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs an identified custodian during transport of information system media outside of controlled areas. Transport of media shall be restricted to an authorized custodian by means of a courier card/letter.
CONTINUOUS MONITORING STRATEGY
10.16.5.2 MP-5(4) – Media Transport: Cryptographic Protection (+ Classified)
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Cryptographic mechanisms during transport outside of controlled areas shall be either NSA approved or FIPS 140-2 compliant.
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
See the DAA PM, MP-6, for additional sanitization requirements for specific types of media.
The organization:
Sanitizes all digital and non-digital media prior to disposal, release out of organizational control, or release for reuse IAW NSA/CSS PM 9-12 and applicable federal and organizational standards and policies
Employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information
CONTINUOUS MONITORING STRATEGY
10.16.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify (+ Classified)
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the IS. The use of nondestructive sanitization techniques (e.g., not destroying the hard drive) is for initial sanitization of media prior to first use, and not for cases where the contents of the digital media require retention.
CONTINUOUS MONITORING STRATEGY
10.16.6.4 MP-6(4) – Media Sanitization: Controlled Unclassified Information – WITHDRAWN, Incorporated Into MP-6
10.16.6.5 MP-6(5) – Media Sanitization: Classified Information – WITHDRAWN, Incorporated Into MP-6
10.16.6.6 MP-6(6) – Media Sanitization: Media Destruction – WITHDRAWN, Incorporated Into MP-6
10.16.7 MP-7 – Media Use (+ Classified Overlay) – NEW BASELINE
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Using technical safeguards, the organization prohibits the use of certain types of media on IS; e.g., restricting the use of flash drives or external hard disk drives without the express authorization of the AO.
Media Reuse. Certain types of electronic media that have been previously classified under one program may be reused by another program of the same classification level or higher (e.g., an S//ABC hard disk is transferred to S//XYZ, or an S//ABC hard disk is transferred to TS//LMNO). The individual types of media required for reuse must have specific procedures documented and approved by the system AO. Best practices for wiping magnetic media or SSD for reuse include:
1. One-time overwrite utilizing a known pattern and an AO approved product, and then verifying that the overwrite was successful utilizing a hex editor tool from the first to the last sector; or
2. Encrypt the whole media with an AO approved whole disk encryption (WDE) tool and then destroy the key.
For any media type, the spirit of the procedures must ensure any labels or evidence of the previous program have been removed prior to handoff to the gaining ISSM or Security Officer.
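The following is an added example, not part of this document and not an AO approved product, that illustrates the first best practice above: a single known-pattern overwrite followed by a read-back verification of every sector from first to last, which is the programmatic equivalent of paging through the device in a hex editor. It operates on an ordinary file standing in for a block device so it runs offline; the all-zero pattern, the 512-byte sector size, and the constructed sample image are assumptions of the example.

```python
"""Overwrite-and-verify sanitization of a media image (added example).

Assumptions (not from the source document): a 512-byte sector, an all-zero
overwrite pattern, and a temporary file standing in for the real device.
A real reuse procedure must use the AO approved product and the procedures
documented for that media type.
"""

import os
import tempfile

SECTOR_SIZE = 512      # assumed sector size; a real device reports its own
PATTERN_BYTE = 0x00    # assumed known pattern (all zeros)


def overwrite_with_pattern(path, pattern_byte=PATTERN_BYTE, sector_size=SECTOR_SIZE):
    """Overwrite every byte of the image at `path` with one known pattern.

    Writes sector by sector, then flushes and fsyncs so the verification
    pass reads what actually reached the medium. Returns the number of
    sector-sized (or final partial) writes performed.
    """
    size = os.path.getsize(path)
    sector = bytes([pattern_byte]) * sector_size
    written = 0
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            chunk = sector if remaining >= sector_size else sector[:remaining]
            f.write(chunk)
            remaining -= len(chunk)
            written += 1
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_pattern(path, pattern_byte=PATTERN_BYTE, sector_size=SECTOR_SIZE):
    """Read the image from the first sector to the last and confirm every
    byte equals the pattern.

    Returns (ok, first_bad_sector); first_bad_sector is None when the
    media verifies clean, otherwise the index of the first sector that
    still holds non-pattern data.
    """
    expected = bytes([pattern_byte]) * sector_size
    with open(path, "rb") as f:
        index = 0
        while True:
            data = f.read(sector_size)
            if not data:
                break
            if data != expected[:len(data)]:
                return False, index
            index += 1
    return True, None


def sanitize_and_verify(path):
    """Full sequence: overwrite, then independently verify.

    Returns True only if the read-back verification succeeds; an overwrite
    that is not verified must not be treated as complete.
    """
    overwrite_with_pattern(path)
    ok, _ = verify_pattern(path)
    return ok


def corrupt_sector(path, sector_index, sector_size=SECTOR_SIZE):
    """Test helper: plant one non-pattern byte in a sector to show that the
    verification pass catches an incomplete overwrite."""
    with open(path, "r+b") as f:
        f.seek(sector_index * sector_size)
        f.write(b"\xa5")


def make_sample_image(size_bytes=4 * SECTOR_SIZE + 100):
    """Create a constructed sample 'media image' holding deterministic
    non-pattern content that stands in for previous-program data."""
    content = (bytes(range(256)) * (size_bytes // 256 + 1))[:size_bytes]
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def remove_image(path):
    """Delete the sample image once the demonstration is finished."""
    os.remove(path)


if __name__ == "__main__":
    img = make_sample_image()
    print("before overwrite:", verify_pattern(img))
    print("sanitized and verified:", sanitize_and_verify(img))
    corrupt_sector(img, 3)
    print("after planted residue:", verify_pattern(img))
    remove_image(img)
```

The verification is deliberately a separate read pass rather than trusting the write's return value, because the point of the best practice is evidence that the pattern is actually on the medium from the first sector to the last; on real hardware the same check must be run against the device, not a file copy.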
Least Privilege [AC-6] and Separation of Duties [AC-5] are related controls and should be enforced to the maximum extent possible to prevent unauthorized removal of information from the system.
CONTINUOUS MONITORING STRATEGY
10.16.7.1 MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINE
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
Establishes a media downgrading process that includes employing downgrading mechanisms based on the classification of the media
Ensures that the IS media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization downgrades IS media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies. This control may only need to be addressed if a system downgrade or tech transfer is required, e.g., based on an authorized administrative information downgrade (classification/program levels) by an Original Classification Authority (OCA).