Jan 18, 2022
You Can't Choose Your Control Family
I’m back with another edition of “Changes to the CJIS Security Policy.” In our last episode, the CJIS community discovered that changes were afoot with CJIS Security Policy. Let’s continue with one of those changes.
So, the previous newsletter talked about a new format for items in the CSP. These items are called controls, and they are presented as part of what is called a “Security and Privacy Control Family”, in a format that includes Title, Control, Discussion, Related Controls, Control Enhancements, and References.
The Control Family that was approved by the Advisory Policy Board (APB) back in December 2021 was Media Protection, or MP. To start with, I’m going to take these one at a time so we can deal with them in “bite-sized” pieces. Let’s begin with the first control of the Media Protection control family: MP-1 Policy and Procedures. FYI - Anything italicized below is my commentary.
MP-1 POLICY AND PROCEDURES (“MP-1” is the Control Identifier and “Policy and Procedures” is the Control Name; together they make up the Title. Also, as I mentioned in the previous newsletter, this control and the others in the MP family do not have Control Enhancements.)
Control: (This is where the requirements are found; it more or less replaces the shall statements.)
a. Develop, document, and disseminate to authorized individuals:
   1. Agency-level media protection policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;
b. Designate an individual with security responsibilities to manage the development, documentation, and dissemination of the media protection policy and procedures; and
c. Review and update the current media protection:
   1. Policy at least annually and following any security incidents involving digital and/or non-digital media; and
   2. Procedures at least annually and following any security incidents involving digital and/or non-digital media.
Related Controls: PS-8, SI-12.
(Note: PS-8 is Personnel Sanctions and SI-12 is Information Management and Retention. The control families these belong to (PS and SI) have not been developed and approved yet, but they are coming.)
References: [OMB A-130], [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-100].
(FYI - In each control family, the first control covers policy and procedures, except for Program Management, where PM-1 Information Security Program Plan is about your whole program.)
So this is the first control. It essentially replaces the first two shall statements of 5.8, which require your agency to have media protection policies and procedures.
First, notice that there are no “shall statements”; we now have controls that serve the same purpose as shall statements.
Second, as I brought up in the previous newsletter, your agency is probably already doing these things. This control formalizes what your policy should address, requires a designated individual to oversee the policy and procedures, and calls for annual reviews and updates (and reviews after any security incident involving media).
Again, this is one of the first controls approved by the APB, so there is more to come. I’m sure there are going to be questions about these updates. CJIS ACE is here to help you understand the changes. For you Insight customers, we’ll go through this together.
To learn more about what we can do for you and your agency, send me an email. I’d enjoy a chance to chat with you.