This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives). See [NIST CRYPTO].  [SP 800-] provides guidance on storage encryption technologies for end user devices. 

Priority: High   

Category: Network Security 

Services Associated with AWS:   

  • AWS Key Management Service (KMS), AWS CloudHSM, AWS Secrets Manager 

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation to demonstrate how cryptographic solutions are implemented
  • Technical: screenshot of sanitization technology, if applicable 

Possible Technology Considerations : 

  • Cryptographic Solution (data at rest)
  • Physical Access Control (PAC) 

What needs to be answered :  

Are cryptographic mechanisms used to protect digital media during transport outside of controlled areas? Does removable media support physical encryption? Is key vaulting utilized to ensure recoverability? Are data backups encrypted on media before removal from the company's secured facility?  

  • Cryptographic Protection of CUI during Media Transport
    Description: This check ensures that organizations implement cryptographic mechanisms to protect the confidentiality of Controlled Unclassified Information (CUI) stored on digital media during transport, unless the media is already protected by alternative physical safeguards. Portable storage devices, such as USB memory sticks, digital video disks, compact disks, and external or removable hard disk drives, are susceptible to data breaches if lost or stolen during transport. Cryptographic protection provides an additional layer of security by encrypting the CUI stored on the media, making it inaccessible to unauthorized individuals in case of a breach. Organizations should follow cryptographic guidelines and standards, such as those provided by NIST, to select and implement appropriate encryption algorithms and key management practices.

More Details:   

CUI is not stored on removable media.