Doc:NIST SP 800-53Ar1 FPD Appendix F/Enhanced/MP

Template:Doc:NIST SP 800-53r3 Appendix F/MP-1

Determine if: (i) the organization develops and formally documents media protection policy; (ii) the organization media protection policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented media protection policy to elements within the organization having associated media protection roles and responsibilities; (iv) the organization develops and formally documents media protection procedures; (v) the organization media protection procedures facilitate implementation of the media protection policy and associated media protection controls; and (vi) the organization disseminates formal documented media protection procedures to elements within the organization having associated media protection roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Media protection policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].

Determine if: (i) the organization defines the frequency of media protection policy reviews/updates; (ii) the organization reviews/updates media protection policy in accordance with organization-defined frequency; and (iii) the organization defines the frequency of media protection procedure reviews/updates; (iv) the organization reviews/updates media protection procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Media protection policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-2

Determine if: (i) the organization defines: digital and non-digital media requiring restricted access; individuals authorized to access the media; security measures taken to restrict access; and (ii) the organization restricts access to organization-defined information system media to organization-defined authorized individuals using organization-defined security measures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media protection responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-2/1

Determine if: (i) the organization employs automated mechanisms to restrict access to media storage areas; and (ii) the organization employs automated mechanisms to audit access attempts and access granted to media storage areas.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control devices; access control records; audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access restrictions to media storage areas].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-2/2

Determine if the information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; other relevant documents or records].

Test: [SELECT FROM: Cryptographic mechanisms protecting and restricting access to information system information on portable digital media].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-3

Determine if: (i) the organization defines removable media types and information system output that require marking; (ii) the organization marks removable media and information system output in accordance with organizational policies and procedures, indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; (iii) the organization defines: removable media types and information system output exempt from marking; controlled areas designated for retaining removable media and information output exempt from marking; and (iv) removable media and information system output exempt from marking remain within designated controlled areas.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media labeling; physical and environmental protection policy and procedures; security plan; removable storage media and information system output; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media protection and marking responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-4

Determine if: (i) the organization defines: types of digital and non-digital media physically controlled and securely stored within designated controlled areas; controlled areas designated to physically control and securely store the media; security measures to physically control and securely store the media within designated controlled areas; (ii) the organization physically controls and securely stores organization-defined information system media within organization-defined controlled areas using organization-defined security measures; and (iii) the organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media protection and storage responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-4/1

Determine if the organization employs cryptographic mechanisms to protect information in storage.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media access; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control devices; access control records; audit records; other relevant documents or records].

Test: [SELECT FROM: Cryptographic mechanisms protecting information in storage].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-5

Determine if: (i) the organization defines: types of digital and non-digital media protected and controlled during transport outside of controlled areas; security measures (e.g., locked container, encryption) for such media transported outside of controlled areas; (ii) the organization protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security measures; (iii) the organization maintains accountability for information system media during transport outside of controlled areas; (iv) the organization identifies personnel authorized to transport information system media outside of controlled areas; and (v) the organization restricts the activities associated with transport of information system media to authorized personnel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; access control policy and procedures; security plan; list of organization-defined personnel authorized to transport information system media outside of controlled areas; information system media; information system media transport records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media transport responsibilities].

[Withdrawn: Incorporated into MP-5].

[Withdrawn: Incorporated into MP-5].

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

[Withdrawn: Incorporated into MP-5].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-5/2

Determine if the organization documents activities associated with the transport of information system media.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; access control policy and procedures; security plan; information system media transport records; audit records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-5/3

Determine if the organization employs an identified custodian throughout the transport of information system media.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; information system media transport records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media transport responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-5/4

Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media transport; information system media transport records; audit records; other relevant documents or records].

Test: [SELECT FROM: Cryptographic mechanisms protecting information during transportation outside controlled areas].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-6

Determine if: (i) the organization sanitizes information system media both digital and non-digital prior to: disposal; release out of organizational control; or release for reuse; and (ii) the organization employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-6/1

Determine if the organization tracks, documents, and verifies media sanitization and disposal actions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy and procedures; media sanitization records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-6/2

Determine if: (i) the organization defines the frequency for testing sanitization equipment and procedures to verify correct performance; and (ii) the organization tests sanitization equipment and procedures to verify correct performance in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization equipment test records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-6/3

Determine if: (i) the organization defines circumstances requiring sanitization of portable, removable storage devices prior to connecting such devices to the information system; and (ii) the organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under organization-defined circumstances.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy and procedures; media sanitization records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-6/4

Determine if the organization sanitizes information system media containing CUI or other sensitive information in accordance with applicable organizational and/or federal standards and policies.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization equipment test records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-6/5

Determine if the organization sanitizes information system media containing classified information in accordance with NSA standards and policies.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy and procedures; media sanitization records; audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/MP-6/6

Determine if the organization implements the media destruction process for information system media that cannot be sanitized.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Information system media protection policy; procedures addressing media sanitization and disposal; media sanitization equipment test records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system media sanitization responsibilities].