Media protection (MP)

Media Protection (MP) security controls are designed to ensure sensitive information is protected from inadvertent and intentional disclosure or destruction. Information resides in many forms and can be stored in different ways. Media controls are protective measures specifically designed to safeguard electronic data and hardcopy information. This policy addresses the protection, marking, sanitization, production input/output, and disposal of media containing sensitive information. Digital media can be USB memory sticks, external hard disk drives, cameras, music players, or any device that has the ability to store data.

Policy: All Office of Personnel Management (OPM) information in printed form or on digital media shall be protected within and outside of OPM facilities. Both physical and logical access to media containing sensitive information (including but not limited to personally identifiable information – PII) shall be limited to authorized personnel. Before disposal or release for reuse, all digital and non-digital media shall be sanitized or destroyed.

All OPM personnel and contractors (internal and external) shall limit printing and transporting of media containing PII to only the minimum required to complete the mission. The responsibility for protecting PII begins when that information is first placed in the individual's custody and does not end until custody of that information is properly transferred to another responsible official. Personnel shall protect information at the office, in automobiles (government or privately owned), at home, in a hotel room, or anywhere outside of OPM controlled facilities.

Program Supervisors shall perform periodic, structured evaluations to ensure that individuals handle and protect PII according to agency policies and procedures.

6.6.1 Media Protection Policy and Procedures (MP-1)

The policies under this control are implemented with the OPM Media Protection Procedures.

Media Protection Procedures may be developed by program offices and operational groups where necessary. Media Protection Procedures shall be developed and disseminated. The procedures shall be reviewed at least annually and updated as determined necessary.

6.6.2 Media Access (MP-2)

In order to protect and secure sensitive information the media used to store or present the information shall be protected from improper access and properly destroyed when no longer required. Media shall be restricted to only authorized individuals based on the sensitivity of the data. Furthermore, appropriate physical security and access control measures shall be

established for facilities storing media, including off-site facilities.

System Owners (SO) shall ensure that only authorized users have access to information in printed form or on digital media removed from the information system using formal documented procedures.

SOs shall ensure automated mechanisms are implemented to restrict access to media storage areas and to audit access attempts and access granted. (Moderate and High)

6.6.3 Media Marking (MP-3)

In order to protect the information on stored media, the media should be appropriately labeled with its sensitivity so that individuals handling the media or information understand the level of protection that should be provided.

All users shall ensure that external labels are affixed to removable information system media and information system output indicating the distribution limitations, handling caveats, and

applicable security markings.

All portable computer storage media containing PII shall be labeled "FOR OFFICIAL USE ONLY (FOUO)".

The System Owner (SO) may exempt portable digital and non digital media from marking as long as the exempted items remain within a secure environment (locked room either accessible by manual key, key fob, electronic physical access card, or cipher lock). (Moderate and High) 6.6.4 Media Storage (MP-4)

An additional level of protection is provided by securely storing media based on the information’s required level of protection.

All users shall physically control and securely store information system media, both paper and electronic, within controlled areas using approved resources, techniques, equipment, and procedures for the information system's highest security category defined by Federal Information Processing Standard (FIPS) 199. The information system media shall be protected until the media is destroyed or sanitized using approved equipment, techniques, and procedures. (Moderate and High)

6.6.5 Media Transport (MP-5)

To prevent a possible compromise of information, the media storing the information must be protected during transport outside of organizational controlled areas.

All users shall protect, control, and maintain accountability for digital and non digital media during transport outside of controlled areas using approved resources, techniques, equipment, and procedures for the information system's highest security category defined by Federal Information Security Management Act (FIPS) 199. The SO shall restrict the activities associated with transport of such media to authorized personnel.

The SO shall use FIPS 140-2 compliant cryptographic mechanisms to protect the confidentiality and integrity of the information stored on digital media during transport outside of OPM

controlled areas. All activities associated with the transportation of information system media shall be documented. (Moderate and High)

The SO shall employ an identified custodian at all times to transport information system media.

(High)

6.6.6 Media Sanitization and Disposal (MP-6)

When media is disposed, it is necessary to properly sanitize the media to prevent compromising the data by destroying the data or destroying the media. The System Owner (SO) shall sanitize information system media, both digital and non-digital, prior to disposal, release out of OPM controlled areas, or release for reuse. The SO shall employ sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.

The SO shall ensure:

• Media sanitization and disposal actions are tracked, documented, and verified.

• Sanitization equipment and procedures to verify correct performance are tested Annually.

• Portable, removable storage devices are sanitized prior to connecting such devices to the information system under the following circumstances:

• When devices are first purchased, prior to initial use.

• Prior to re-issuing a device.

• When the organization loses a positive chain of custody for the device.

• When a device has reached its end-of-life, and is decommissioned. (High)