Hello, and welcome to the NIST 800-171 Learning Path. My name is Dave Heather. I'm your instructor for this class, and this is Course 2, Understanding and Implementing the 110 NIST 800-171 Requirements. In this video, we'll take a look at requirements family 3.8, Media Protection. That's about making sure that physical media is labeled and protected from unauthorized access during handling, storage, transportation, and destruction. There are nine requirements in requirements family 3.8. Let's dive right in.

The first requirement is 3.8.1: protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. It's important to remember that CUI obviously can be in physical form as well as digital form, and NIST is telling you here that you need to make sure you're accounting for that in your plans to protect CUI. This is a basic requirement; it includes digital and physical media. You need to restrict access, perform inventories, and maintain control over stored media. You can check out Special Publication 800-111 for guidance on storage-related encryption technologies.

3.8.2 is: limit access to CUI on system media to authorized users. Another basic requirement, pretty straightforward. We want to make sure that we're limiting physical access to any media that contains CUI, as well as storage areas that contain CUI, to only users who are authorized to access CUI.

3.8.3: sanitize or destroy system media containing CUI before disposal or release for reuse. We talked about sanitization in Maintenance, with any media that might be leaving for maintenance. Same concept here. It's a basic requirement; we want to make sure that we're sanitizing physical and digital media that's subject to reuse. We want to wipe media so that information cannot be retrieved or reconstructed, and you can check out Special Publication 800-88 for guidance on media sanitization. Obviously, there are different ways you can sanitize media. Again, that's a great special publication that can help with that, and there are different ways you can look at sanitizing media depending on whether it's going to be reused or it's okay to destroy it: things like clearing, purging, cryptographic erase, or obviously destruction, degaussing, that sort of thing. You're going to have to figure out what the right thing is for the media in question, but you have a lot of options, and again, check out Special Publication 800-88 for further guidance on that.

You've got 3.8.4: mark media with necessary CUI markings and distribution limitations. This is a derived requirement, and it's about applying human-readable security markings per applicable laws, directives, regulations, executive orders, and policies.

You've got 3.8.5: control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. Another derived requirement. NIST says, "Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information." This can include locked containers and/or encryption. Again, it's just making sure that wherever this stuff is stored, you're managing the control of those areas, making sure there are only authorized users, people who have access to CUI, that sort of thing.

We've got 3.8.6: implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport, unless otherwise protected by alternative physical safeguards. Another derived requirement. You need to encrypt data on portable storage devices during transport, so if you're going to put data on a thumb drive, on a tape, something like that, you need to make sure it's encrypted. You can turn to Special Publication 800-111 for guidance on storage-related encryption technologies.

We've got 3.8.7: control the use of removable media on system components. This is a derived requirement. You want to restrict the use of portable media on systems that contain CUI; perhaps you block plugging in a USB drive or a thumb drive, that sort of thing. Organizations may limit the use of portable storage devices to those on a whitelist. That would be one way to not just entirely block everything, but to use a whitelist. This can include technical and non-technical mechanisms to prevent their use. I've even heard of people doing things like using super glue to fill the USB ports on a device so that a USB thumb drive can't be plugged in. Probably extreme in most cases, but hey, whatever works.

Then we've got 3.8.8: prohibit the use of portable storage devices when such devices have no identifiable owner. This is a derived requirement, and the idea here is that if you can clearly track a device back to its owner, it's less likely to be used for some nefarious purpose because, obviously, it would be easy to go back and figure out who was behind that. Identifiable owners help to ensure responsibility and accountability.

Then the last requirement in requirements family 3.8, Media Protection, is 3.8.9: protect the confidentiality of backup CUI storage locations. A derived requirement. The basic bottom line here is that the best thing you can do is simply encrypt the backups and then, of course, have good discipline around the encryption keys and such.

That gets us through all of the requirements of 3.8, Media Protection. I will see you in the next video for family 3.9. Thank you.
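The whitelist approach to removable media described for 3.8.7, together with the identifiable-owner rule of 3.8.8, is easy to get subtly wrong if the allow-list is keyed only on device model rather than on the individual device. The following Python is an added example, not code from the course or from the instructor: it parses the KEY=VALUE properties that `udevadm info --query=property` prints for a USB storage device (the three sample property dumps are constructed, not captured from real hardware), looks the device up in a hypothetical owner inventory keyed on vendor ID, product ID and serial number, and denies anything that has no serial, is not registered, or is an approved model with an unregistered serial. The inventory contents, the `APPROVED_DEVICES` name and the audit-line format are all assumptions for the example.

```python
"""Removable-media allow-list with owner accountability (added example).

Models the technical side of NIST 800-171 3.8.7 (allow-list of approved
portable storage devices) and 3.8.8 (no device without an identifiable
owner). Device properties follow the udev property names
ID_VENDOR_ID / ID_MODEL_ID / ID_SERIAL_SHORT; the sample dumps and the
inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DeviceKey = Tuple[str, str, str]  # (vendor_id, product_id, serial), lowercase hex ids


@dataclass(frozen=True)
class Device:
    vendor_id: str
    product_id: str
    serial: Optional[str] = None  # None when the device reports no serial number


@dataclass(frozen=True)
class Decision:
    allowed: bool
    owner: Optional[str]
    reason: str


# Hypothetical inventory: each physical device (not just each model) maps to
# the person accountable for it, which is what 3.8.8 asks for.
APPROVED_DEVICES: Dict[DeviceKey, str] = {
    ("0781", "5583", "4C530001230213113512"): "jdoe",
    ("0951", "1666", "E0D55EA57D3C"): "asmith",
}


def parse_udev_properties(text: str) -> Device:
    """Build a Device from KEY=VALUE lines as printed by udevadm info --query=property."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    # An empty ID_SERIAL_SHORT is treated the same as a missing one.
    serial = props.get("ID_SERIAL_SHORT") or None
    return Device(
        vendor_id=props.get("ID_VENDOR_ID", "").lower(),
        product_id=props.get("ID_MODEL_ID", "").lower(),
        serial=serial,
    )


def evaluate(dev: Device, approved: Dict[DeviceKey, str] = APPROVED_DEVICES) -> Decision:
    """Decide whether a removable device may be used and who is accountable for it."""
    vid, pid = dev.vendor_id.lower(), dev.product_id.lower()
    if not vid or not pid:
        return Decision(False, None, "device identity incomplete")
    if not dev.serial:
        # 3.8.8: without a serial the device cannot be tied to an owner.
        return Decision(False, None, "no serial number: no identifiable owner (3.8.8)")
    owner = approved.get((vid, pid, dev.serial))
    if owner is None:
        # A model-level match is not enough: a clone of an approved model with a
        # different serial is still an unregistered device.
        if any(v == vid and p == pid for v, p, _ in approved):
            return Decision(False, None, "approved model but unregistered serial (3.8.7)")
        return Decision(False, None, "device not on allow list (3.8.7)")
    return Decision(True, owner, f"allow-listed device owned by {owner}")


def audit_line(dev: Device, decision: Decision) -> str:
    """One-line record suitable for the accountability trail (assumed format)."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} vid={dev.vendor_id} pid={dev.product_id} "
            f"serial={dev.serial or '-'} owner={decision.owner or '-'} reason={decision.reason}")


# Constructed sample property dumps (not captured from real devices).
SAMPLE_APPROVED = "ID_BUS=usb\nID_VENDOR_ID=0781\nID_MODEL_ID=5583\nID_SERIAL_SHORT=4C530001230213113512\n"
SAMPLE_NO_SERIAL = "ID_BUS=usb\nID_VENDOR_ID=0781\nID_MODEL_ID=5583\nID_SERIAL_SHORT=\n"
SAMPLE_CLONE = "ID_BUS=usb\nID_VENDOR_ID=0781\nID_MODEL_ID=5583\nID_SERIAL_SHORT=FFFF0000DEADBEEF\n"

if __name__ == "__main__":
    for dump in (SAMPLE_APPROVED, SAMPLE_NO_SERIAL, SAMPLE_CLONE):
        dev = parse_udev_properties(dump)
        print(audit_line(dev, evaluate(dev)))
```

The decision is deliberately per-device rather than per-model: an allow-list that says "SanDisk model X is fine" lets any drive of that model in, which gives you neither the control 3.8.7 asks for nor the owner accountability of 3.8.8. In practice the `evaluate` verdict would drive an enforcement point such as a udev rule, an endpoint agent policy, or a Windows removable storage policy, and the audit line would go to the SIEM.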