We’ll continue our examination of the NIST SP 800.171 DFARS requirements with three security families: Media Protection, Personnel Security, and Physical Protection.
These security families all relate to the concept of physical data protection. Even though our imaginations are captured by the idea of a hacker breaking into systems from across the world, physical data loss is a much more common -- but equally serious -- security threat. Numerous breaches in the last few years have involved unsecured removable storage devices being stolen, or unsanitized media being sold or disposed of improperly. So the requirements in these three families are just as important to implement in order to ensure a safe, compliant network.
Media Protection Security Requirements
First, we’ll discuss the Media Protection security requirement family. There are three derived requirements in this family:
- Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- Limit access to CUI on system media to authorized users.
- Sanitize or destroy system media containing CUI before disposal or release for reuse.
System media here refers to both removable media and anything else that could contain CUI -- backup tapes, hard drives, microfilm, decommissioned hard drives, etc. These devices need to be protected from unauthorized access, either physically or digitally, even at the end of their life.
The derived security requirements shed some more light on how to accomplish this:
- Mark media with necessary CUI markings and distribution limitations.
- Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
- Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
A clear process needs to be in place for handling and transporting media containing CUI in an unencrypted format, including logging and accountability. Of course if the media is properly encrypted, then the requirements are less stringent. Either way, steps need to be taken to ensure that confidential information is protected in all formats.
There are also some system-level media safeguards that need to be put in place:
- Control the use of removable media on system components.
- Prohibit the use of portable storage devices when such devices have no identifiable owner.
- Protect the confidentiality of backup CUI at storage locations.
Technical steps must be taken to prevent the use of unauthorized or unprotected media on workstations and servers. BitLocker now includes features that can disable the use of unencrypted removable storage devices on domain computers. Or, Group Policy can be used to prevent the use of any removable media on the operating system. These policies have the added benefit of reducing the spread of malware via removable media.
Personnel Security Requirements
The Personnel Security requirement family has just two basic requirements:
- Screen individuals prior to authorizing access to organizational systems containing CUI.
- Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
While the first requirement mainly has to do with company policy, the second requirement does have some technical impact for sysadmins.
In many companies, poor communication between HR and IT can result in delays between an employee departing and her computer account being disabled. A clear organizational policy and good cooperation from both HR and IT can prevent such a scenario. For example, where should the request be sent? What information is needed? What “special handling” is required for a more serious incident such as an immediate termination?
Having all of this down in writing will help you to ensure compliance with these requirements.
Physical Protection Security Requirements
Finally, we’ll discuss the requirements of the Physical Protection family. Again, there are two basic requirements:
- Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
- Protect and monitor the physical facility and support infrastructure for organizational systems.
Whether you have a small telecom closet or a large datacenter, physical security is key to maintaining secure systems. If an intruder can get physical access to your systems, then just about any other security measures you’ve taken are moot. So physical access especially to datacenters and infrastructure should be limited to only those who absolutely require access.
The derived requirements offer some important points for physical security:
- Escort visitors and monitor visitor activity.
- Maintain audit logs of physical access.
- Control and manage physical access devices.
- Enforce safeguarding measures for CUI at alternate work sites.
Even those who have a need to access a datacenter should only do so when absolutely necessary, since most management tasks can and should be handled remotely. Logging and good physical access controls (i.e., locks) will help maintain physical security of your systems.