This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Protects and controls [FedRAMP Assignment: (M)(H) all media with sensitive information] during transport outside of controlled areas using [FedRAMP Assignment: (M)(H) prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container];
Additional FedRAMP Requirements and Guidance: (M)(H) The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB.
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel.
NIST 800-53 (r4) Supplemental Guidance:
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.
Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28.
References: FIPS Publication 199; NIST Special Publication 800-60.
NIST 800-53 (r5) Discussion:
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
38North Guidance:
Meets Minimum Requirement:
The company's security policy must prohibit the departure of digital and non-digital media storing sensitive information from protected boundaries without proper protective measures
Such measures must include secure physical containers for all media and FIPS 140-2 validated encryption for digital media
All media transport activities and transactions must be logged
A list of personnel authorized to transport media with sensitive data must be maintained. Only personnel on that list are to be permitted to conduct media transportation activities
Best Practice:
TBD
Unofficial FedRAMP Guidance: Encryption using a FIPS 140-2 validated encryption module must be used
Assessment Evidence:
Company's security policy section addressing the company's permitted personnel and procedures for media transportation outside of secure boundaries
A list of personnel authorized to transport media
A list of physical security devices, such as lock boxes and containers, used during media transportation
Prior media transportation logs demonstrating that transportation activities are tracked
The company's FIPS 140-2 encryption modules used for media transportation
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited