Hey Y’all,

We’re still working our way through the changes to the Media Protection Section (5.8) that were approved by the CJIS Advisory Policy Board (APB) back in December 2021. Just a quick heads up, there's still no word as to when the new policy will be released but we will be on the front lines and let you know when it appears. As soon as I hear something, I’ll send something out. 

The Control for this newsletter is MP-5 Media Transportation, and it too, like the previous from the last newsletter (MP-4 Media Storage), is not really new. The BOLD emphasis is mine. And here we go...

MP-5 MEDIA Transportation

Control:

a. Protect and control digital and non-digital media to help prevent compromise of the data during transport outside of the physically secure locations or controlled areas using encryption, as defined in Section 5.10.1.2 of this Policy. Physical media will be protected at the same level as the information would be protected in electronic form. Restrict the activities associated with transport of electronic and physical media to authorized personnel;

b. Maintain accountability for system media during transport outside of the physically secure location or controlled areas;

c. Document activities associated with the transport of system media; and

d. Restrict the activities associated with the transport of system media to authorized personnel.

Discussion: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which agencies provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the agency. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Agencies establish documentation requirements for activities associated with the transport of system media in accordance with agency assessments of risk. Agencies maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

Related Controls: AC-7, AC-I9, CP-2, CP-9, MP-3, MP-4, PE-I6, PL-2, SC-I2, SC-I3, SC-28. References: [FIPS I99], [SP 800-60-I], [SP 800-60-2].

This is another one that is pretty much in line with the existing policy. Again, “no earth shattering Ka-Booms!” This control may require some things that are a little more in-depth than your existing policy (if you have one, and you should), but this should be a tweak, not an extensive rewrite or a new creation. Your existing policy, which has been required since 2011, should include controls and security measures to protect digital and physical media during transport, and restrict those activities to authorized personnel.

Let me say this again, y’all are probably going to have questions about these updates. CJIS ACE is there to help you understand the changes so you can do the things you need to do. For CJIS ACE Insight customers, we’ll go through this together as Insight gets updated.

You can always learn more about what we at CJIS ACE can do for you and your agency. I’d enjoy a chance to talk with you; gimme a call or send me an email.

Y'all take care.