Physical Media Protection

Purpose

This SOP outlines the procedures for handling, storing, transporting, and disposing of physical media containing Controlled Unclassified Information (CUI). It ensures compliance with NIST 800-171r2, Control 3.8 and CMMC 2.0, minimizing the risk of unauthorized access, loss, or compromise.

Scope

This procedure applies to the Organization Seeking Certification (OSC) and defines its responsibilities in managing physical media securely.

Organization Seeking Certification (OSC) Steps

Step 1: Identify and Classify Physical Media

  • Identify all physical media (e.g., USB drives, external hard drives, DVDs, printed documents) that may contain CUI.
  • Apply appropriate labeling in accordance with organizational classification policies.
  • Maintain a log of all CUI physical media, including the custodian, location, and purpose.

Step 2: Secure Physical Media Storage

  • Store CUI physical media in a locked, access-controlled environment.
  • Use fireproof, tamper-evident, and access-restricted storage containers for high-risk media.
  • Maintain an access control list of authorized personnel who can retrieve media.

Step 3: Transport Physical Media Securely

  • Encrypt electronic media before transport, when feasible.
  • Use locked transport cases or tamper-evident packaging for physical media.
  • Maintain a chain-of-custody log for all physical media leaving a controlled environment.
  • If using a courier, require tracking and signed receipt upon delivery.

Step 4: Limit and Monitor Physical Media Usage

  • Restrict the use of removable media on company systems unless explicitly authorized.
  • Prohibit unauthorized copying, duplication, or distribution of physical media.
  • Regularly audit physical media inventory and track usage.

Step 5: Proper Disposal of Physical Media

  • Paper documents: Use cross-cut shredders or certified document destruction services.
  • Electronic storage media (USBs, HDDs, SSDs):
    • Sanitize using NIST 800-88 compliant methods appropriate to the media type.
    • Use degaussing (effective for magnetic media such as HDDs and tape, not for flash-based media such as USBs and SSDs) or physical destruction (e.g., shredding, incineration).
  • Maintain disposal records, including date, method, and personnel responsible.

Step 6: Incident Response for Lost or Stolen Media

  • If physical media containing CUI is lost or stolen:
    • Immediately report the incident to security personnel.
    • Conduct an impact assessment and determine whether CUI exposure occurred.
    • Notify relevant authorities as required by incident response policies.
    • Implement corrective measures to prevent future occurrences.

Step 7: Revoking Access and Decommissioning Media

  • When an employee leaves or no longer requires access:
    • Retrieve any assigned CUI physical media.
    • Verify proper sanitization or destruction before media disposal.
    • Update asset records to reflect decommissioned media.

Review & Maintenance

This SOP will be reviewed quarterly or as required by updates to NIST 800-171r2, CMMC 2.0, or organizational policies.