System media includes digital and non-digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library. Access to CUI on system media can be limited by physically controlling such media, which includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. [SP 800-] provides guidance on storage encryption technologies for end user devices.

Priority: High

Category: Procedures / Rules of Behavior

Services Associated with AWS:

  • AWS Secrets Manager, AWS Key Management Service (KMS), AWS Identity and Access Management (IAM) 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: documented data classification scheme
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation to demonstrate how Data Loss Prevention (DLP) is implemented, if applicable
  • Technical: screenshot of DLP technology, if applicable

Possible Technology Considerations:


What needs to be answered:

Are documented workflows, data access controls, and media policies enforced to ensure proper access controls? Is the system media securely stored in protected areas? Do only approved individuals have access to media from CUI systems? Is an audit log kept of any media removed from these systems?

  • Protect Physical and Digital System Media Containing CUI
    Description: This check ensures that organizations have appropriate measures in place to protect system media containing Controlled Unclassified Information (CUI). System media includes both physical and digital media, such as diskettes, magnetic tapes, external hard drives, flash drives, paper documents, and microfilm. Protecting system media involves physically controlling access to the media, securely storing it, conducting inventories, and maintaining accountability for all stored media.

More Details:

Policies and workflow documentation in place for all systems containing CUI.