Embedded Files
This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Physically controls and securely stores [FedRAMP Assignment: (M)(H) all types of digital and non-digital media with sensitive information] within [FedRAMP Assignment: (M)(H) the service provider defines controlled areas within facilities where the information and information system reside.]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
NIST 800-53 (r4) Supplemental Guidance:
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3.
References: FIPS Publication 199; NIST Special Publications 800-56, 800-57, 800-111.
NIST 800-53 (r5) Discussion:
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.
38North Guidance:
Meets Minimum Requirement:
The company maintains a list of all locations where company data, information systems, digital media, and non-digital media are stored
The company maintains physical security over facilities where sensitive data is stored (digital and non-digital)
The company security policy must identify the tools, equipment, techniques and procedures used to destroy media where company data was stored and are no longer needed
The company must follow the security policy to destroy media where sensitive data once was stored
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
The company's list of locations where the company digital and non-digital media is located
The physical security layout, systems, and procedures at all locations where data is stored
The company's security policy section addressing destruction of media where company data was once stored
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited
Page updated
Report abuse