3.8.8—Media Protection - Derived
Derived Requirement
>Control Description
Prohibit the use of portable storage devices when such devices have no identifiable owner.
>Discussion
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policy prohibits the use of portable storage devices that have no identifiable owner?
- How is an owner (an individual, organization, or project) assigned to and recorded for each approved portable storage device?
- Who maintains the inventory of portable storage devices and their owners, and how is it kept current when staff or projects change?
- What is the procedure when an unregistered or found device is discovered on site or connected to a system?
- How are device owners held accountable for addressing known vulnerabilities in their devices, for example by retiring or re-imaging them?
Technical Implementation:
- How do endpoints technically block portable storage devices that are not registered to an owner (for example, device control or USB allowlisting keyed on vendor ID, product ID, and serial number)?
- What prevents users or local administrators from bypassing or disabling the device control policy?
- How do you handle devices that report no serial number and therefore cannot be tied to an owner?
- Is the restriction enforced on every system that processes CUI, including servers and administrative workstations?
- How are device connection attempts, including blocked ones, logged and monitored?
Evidence & Documentation:
- Can you provide the inventory that lists each approved portable storage device and its owner?
- Can you show the device control configuration that blocks unregistered devices?
- What logs show unregistered devices being blocked or reported?
- Can you demonstrate an unregistered device being rejected on a CUI system?
- What audit or review records confirm that the inventory and the enforcement are checked periodically?
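The check behind the control description above, as an added example that is not part of the original page or of any NIST publication: a script that reads Linux kernel (dmesg-style) USB enumeration messages, groups them per port, and reports every mass-storage device as allowed or blocked depending on whether its vendor ID, product ID and serial number appear in an owner registry. The registry contents, the log lines and every device identifier below are constructed for illustration and do not come from a real host; the registry format is an assumption about how an organization might record ownership.

```python
"""Flag portable storage devices that have no identifiable owner.

Added example. Parses dmesg-style USB enumeration lines and checks each
mass-storage device against an owner registry keyed on
(idVendor, idProduct, serial). All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DeviceKey = Tuple[str, str, str]  # (idVendor, idProduct, serial number)

# Constructed owner registry. Assumption: the organization records each
# approved device by VID:PID:serial together with the accountable owner.
OWNER_REGISTRY: Dict[DeviceKey, str] = {
    ("0781", "5583", "4C530001230403112103"): "Project Falcon / J. Doe",
    ("0951", "1666", "E0D55EA573CBF3A0C9F4"): "IT Operations",
}

# Matches "[  120.2] usb 1-1.2: ..." and "[  120.3] usb-storage 1-1.2:1.0: ...";
# the optional ":1.0" interface suffix is consumed so both map to port "1-1.2".
LINE_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+(usb|usb-storage)\s+([\d.-]+)(?::[\d.]+)?:\s+(.*)$"
)
IDS_RE = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL_RE = re.compile(r"^SerialNumber: (\S+)$")


@dataclass
class UsbDevice:
    port: str
    vendor_id: Optional[str] = None
    product_id: Optional[str] = None
    serial: Optional[str] = None
    is_storage: bool = False  # set once the mass-storage driver binds


def parse_usb_log(lines: List[str]) -> Dict[str, UsbDevice]:
    """Group enumeration messages by USB port into UsbDevice records."""
    devices: Dict[str, UsbDevice] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel message
        subsystem, port, rest = m.groups()
        dev = devices.setdefault(port, UsbDevice(port))
        if subsystem == "usb-storage":
            dev.is_storage = True
            continue
        ids = IDS_RE.search(rest)
        if ids:
            dev.vendor_id, dev.product_id = ids.groups()
            continue
        sm = SERIAL_RE.match(rest)
        if sm:
            dev.serial = sm.group(1)
    return devices


def evaluate(devices: Dict[str, UsbDevice],
             registry: Dict[DeviceKey, str]) -> Dict[str, Tuple[str, str]]:
    """Return {port: (verdict, detail)} for every mass-storage device.

    Non-storage devices (keyboards, mice) are out of scope for 3.8.8 and are
    skipped. A storage device with no serial number cannot be tied to an
    owner, so it is blocked even if its VID/PID is otherwise approved.
    """
    results: Dict[str, Tuple[str, str]] = {}
    for port, dev in devices.items():
        if not dev.is_storage:
            continue
        if not dev.serial:
            results[port] = ("block", "no serial number reported")
            continue
        owner = registry.get((dev.vendor_id, dev.product_id, dev.serial))
        if owner:
            results[port] = ("allow", owner)
        else:
            results[port] = ("block", "not in owner registry")
    return results


def audit(lines: List[str],
          registry: Dict[DeviceKey, str] = OWNER_REGISTRY) -> Dict[str, Tuple[str, str]]:
    return evaluate(parse_usb_log(lines), registry)


# Constructed dmesg excerpt: one registered drive, one keyboard, one drive
# whose VID/PID is approved but whose serial is unknown, one drive with no serial.
SAMPLE_DMESG = """\
[  120.101] usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
[  120.230] usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  120.231] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  120.232] usb 1-1.2: SerialNumber: 4C530001230403112103
[  120.310] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  131.005] usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  131.006] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  142.400] usb 1-1.4: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  142.401] usb 1-1.4: SerialNumber: 00AA11BB22CC33DD44EE
[  142.500] usb-storage 1-1.4:1.0: USB Mass Storage device detected
[  150.010] usb 2-1: New USB device found, idVendor=13fe, idProduct=4300, bcdDevice= 1.00
[  150.011] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  150.100] usb-storage 2-1:1.0: USB Mass Storage device detected
""".splitlines()

if __name__ == "__main__":
    for port, (verdict, detail) in sorted(audit(SAMPLE_DMESG).items()):
        print(f"{port:8} {verdict:5} {detail}")
```

Two caveats a practitioner should carry into the assessment. First, the vendor ID, product ID and serial number are self-reported by the device firmware and can be cloned, so this is an accountability control that supports the assessment questions above, not a boundary that authenticates the hardware; a modified device can claim a registered identity. Second, a report like this only records what connected; the prohibition itself has to be enforced by endpoint device control that refuses to bind unregistered mass-storage devices (on Linux, USBGuard implements allowlisting on the same identifiers), and the registry plus the enforcement logs are the evidence an assessor will ask for.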