Apr 1, 2022
Mark My Words or Media...
Hello again, Everyone!
We’re still working through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. If all goes accordingly, you should see them in the next iteration of the CJIS Security Policy (CSP) in the next month or so.
We have two Controls down, five more to go (including this one.) The Control for this newsletter is MP-3 Media Marking. This is a new one, folks, as we haven’t seen this requirement before in the CSP (by the way, in the future the acronym “CSP” will no longer refer to the CJIS Security Policy, but more on that in another newsletter...)
MP-3 MEDIA MARKING
Control: (remember the Control is the thing(s) you gotta do)
a. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempt digital and non-digital media containing CJI from marking if the media remain within physically secure locations and controlled areas.
Discussion: (the Discussion kinda describes/expounds on what the Control is requiring) Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non- digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002]. Security markings are generally not required for media that contains information determined by agencies to be in the public domain or to be publicly releasable. Some agencies may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Related Controls: CP-9, MP-5, SI-I2.
References: [EO I3556], [32 CFR 2002], [FIPS I99].
End of MP-3
This one is going to require some additional clarification from the APB, FBI CJIS ISO, and/or the CJIS Systems Agencies (CSAs). Up until this point, markings have not been specifically required or defined by the CSP. I can probably guess what these markings might look like, but I don’t get to make that call anymore, and I wouldn’t want to speculate as it might cause confusion.
From my time working with classified documents in the Air Force, I know there are a whole host of requirements involving the proper way to mark documents. We’re gonna need more info. In that world, typically, marking a document involves “stamping” the classification on all pages, top and bottom with the classification and caveats.
Generally, this Control (a.) says you have to mark media, then it says there is an exemption (b.) for digital and non-digital (defined in the Description), and the exemption applies IF the media stays in a physically secure location (PSL) or controlled area (CA).
Y’all know, “stuff” gets taken to other places all of the time for official purposes. You can probably assume that at some point CJI is going to leave the PSL and/or CA. As such, marking all documents that contain CJI could be an effective way of complying with this control.
As always, I know there are going to be bunch’o questions about these updates. CJIS ACE is there to help you understand the changes so you can do the things you need to do. For CJIS ACE Insight customers, we’ll go through this together as Insight gets updated.
To learn more about what we at CJIS ACE can do for you and your agency, send me an email. I’d enjoy a chance to talk with you; gimme a call.
Y'all take care.