This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization restricts access to [FedRAMP Assignment: (H) any digital and non-digital media deemed sensitive] to [Assignment: organization-defined personnel or roles].
NIST 800-53 (r4) Supplemental Guidance:
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2.
References: FIPS Publication 199; NIST Special Publication 800-111.
NIST 800-53 (r5) Discussion:
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.
38North Guidance:
Meets Minimum Requirement:
Must maintain a list of the company's digital and non-digital sensitive data
For each item of sensitive data on the list, identify its location and the tools and means the company uses to restrict access to authorized personnel only
The company must have an approval process to grant access to sensitive data
The company must keep, for each individual access grant, a record of which user has access to the sensitive data and a reference to the approval that granted that access
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
List of digital and non-digital media deemed to be sensitive, and how access is restricted for each
Approval process to grant individuals access to sensitive media
List of individuals that currently have access to sensitive media, and the accompanying approval granting them access (e.g. ticket, email, Active Directory group, assigned role, physical access control, etc.)
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited