May 4, 2022
No Need for Storage Wars
We’re still working through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. If all goes according to plan, you should see them in the next iteration of the CJIS Security Policy (CSP) in the next month or so.
We continue to work through the Media Protection Controls that will become part of the CJISSECPOL in the near future. The Control for this newsletter is MP-4 Media Storage, and guess what? This one is not really new.
MP-4 MEDIA STORAGE
a. Physically control and securely store digital and non-digital media within physically secure locations or controlled areas and encrypt CJI on digital media when physical and personnel restrictions are not feasible; and
b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Discussion: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on agencies, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.
Related Controls: AC-19, CP-2, CP-6, CP-9, CP-10, MP-2, MP-7, PE-3, PL-2, SC-12, SC-13, SC-28, SI-12.
References: [FIPS 199], [SP 800-56A], [SP 800-56B], [SP 800-56C], [SP 800-57-1], [SP 800-57-2], [SP 800-57-3], [SP 800-111].
This is one that is pretty much in line with the existing policy. As I like to say, “there are no earth-shattering Ka-Booms!” in these Controls; however, the Discussion adds points that may not have been considered in the past regarding physically controlling CJI.
As a heads up, these Controls originate from a National Institute of Standards and Technology (NIST) document, and typically, but not always, they can be focused on classified information and “libraries” of information. Now, since 1993, I can’t remember running across a criminal justice agency with a library of CJI/CHRI. That doesn’t mean it’s not out there, it’s just that I haven’t seen one.
Your main focus should be ensuring you have locked rooms, cabinets, or secure storage where you keep your CJI away from unauthorized people, and that the CJI is protected until it is properly disposed of. Y’all, this is pretty much a common-sense requirement; you should already be doing this one. I don’t believe you need to overthink this one.
As always, y’all are probably going to have questions about these updates. CJIS ACE is there to help you understand the changes so you can do the things you need to do. For CJIS ACE Insight customers, we’ll go through this together as Insight gets updated.
You can always learn more about what we at CJIS ACE can do for you and your agency. I’d enjoy a chance to talk with you; gimme a call or send me an email.
Y'all take care.