03.08.07: Media Use

Control Family: Media Protection

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-111 [51]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.08.07

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • MP-07

a. Restrict or prohibit the use of [Assignment: organization-defined types of system media].

b. Prohibit the use of removable system media without an identifiable owner.

Discussion:

In contrast to requirement 03.08.01, which restricts user access to media, this requirement restricts or prohibits the use of certain types of media, such as external hard drives, flash drives, or smart displays. Organizations can use technical and nontechnical measures (e.g., policies, procedures, and rules of behavior) to control the use of system media. For example, organizations may control the use of portable storage devices by using physical cages on workstations to prohibit access to external ports or disabling or removing the ability to insert, read, or write to devices.

Organizations may limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Organizations may also control the use of portable storage devices based on the type of device — prohibiting the use of writeable, portable devices — and implement this restriction by disabling or removing the capability to write to such devices. Limits on the use of organization-controlled system media in external systems include restrictions on how the media may be used and under what conditions. Requiring identifiable owners (e.g., individuals, organizations, or projects) for removable system media reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the media (e.g., insertion of malicious code).

Assessment Methods and Objectives

Examine [SELECT FROM: system media protection policy and procedures; system use policy; procedures for media usage restrictions; rules of behavior; system audit records; system design documentation; system configuration settings; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with system media use responsibilities; personnel with information security responsibilities; system administrators]

Test [SELECT FROM: processes for media use; mechanisms for restricting or prohibiting the use of system media on systems or system components]
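The write-restriction mechanism described in the discussion and the "Test" assessment method above can be checked on a Windows host with the following audit script. It is an added example, not part of NIST SP 800-171 or SP 800-171A; it assumes a Windows host with administrative rights, and $ApprovedSerials is a constructed placeholder for the organization's inventory of removable media with identifiable owners.

```powershell
# Added example (not NIST text): audit a Windows host for the removable-media
# write restriction and list USB storage devices the host has enumerated, so
# they can be reconciled against an inventory of media with identifiable owners.
# Assumptions: Windows, run as Administrator; $ApprovedSerials is a constructed
# placeholder for the organization's owner inventory.

$ApprovedSerials = @('EXAMPLE-SERIAL-0001')   # constructed placeholder values

function Get-RemovableWritePolicy {
    # Group Policy "Removable Disks: Deny write access" is stored under the
    # removable-disk device class GUID; the legacy StorageDevicePolicies key
    # implements the same restriction on older builds.
    $gpKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $legacyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

    $gpDenyWrite = (Get-ItemProperty -Path $gpKey -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    $legacyWP    = (Get-ItemProperty -Path $legacyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect

    [pscustomobject]@{
        GpoDenyWrite       = ($gpDenyWrite -eq 1)
        LegacyWriteProtect = ($legacyWP -eq 1)
        WriteRestricted    = ($gpDenyWrite -eq 1) -or ($legacyWP -eq 1)
    }
}

function Get-SeenUsbStorageDevices {
    # Each enumerated device lives at Enum\USBSTOR\<device id>\<instance id>;
    # the instance id normally carries the device serial followed by "&<port>".
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $deviceId = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props  = Get-ItemProperty $_.PSPath
            $serial = $_.PSChildName -replace '&\d+$', ''   # heuristic: strip "&0" suffix
            [pscustomobject]@{
                DeviceId     = $deviceId
                Serial       = $serial
                FriendlyName = $props.FriendlyName
                HasOwner     = ($ApprovedSerials -contains $serial)
            }
        }
      }
}

Get-RemovableWritePolicy   | Format-List
Get-SeenUsbStorageDevices  | Format-Table -AutoSize
```

Devices reported with HasOwner = False have been connected to the host but do not appear in the owner inventory, which is the condition requirement b. is meant to prevent.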

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.08.07.ODP[01]: types of system media with usage restrictions or that are prohibited from use are defined.

A.03.08.07.a: the use of the following types of system media is restricted or prohibited: <A.03.08.07.ODP[01]: types of system media>.

A.03.08.07.b: the use of removable system media without an identifiable owner is prohibited.