The eighth family in the NIST 800-171 standard is the Media Protection family. This family is about how you backup and store information as well as who has access to your backups.


Why is Media Protection important?

Media protection includes print and digital content. You want to know that your media content and communications are secure at all times. Portable flash drives, remote access and even email can make it a challenge to track the transportation of media. Having media protection written into your cybersecurity policy will clearly outline who has the authority to access and share media, which devices are allowed to store and transport media, and how to properly destroy media when it has expired. Media will also include Controlled Unclassified Information (CUI) for those working with government contracts. Controlled Unclassified Information “requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.” (U.S. National Archives and Records Administration) CUI Policy and Guidance can be found on the National Archives website.


What is Media Protection about in NIST 800-171?

The Media Protection family contains nine controls. These controls are primarily focused on the security of media storage including who can access the stored content, how transportation is controlledand the safe use of storage devices. Some of the key points addressed in this family are:

  1. Securely store paper and digital content—Store print and digital media content in a restricted and protected area. This may a physical locked cabinet or secure server.
  2. Limit access to protected information to authorized users—Restrict access to only authorized users on your system. For physical storage areas, keys, key cards or other locks should be in place. For digital storage areas, two-factor authentication should be implemented.
  3. Mark content with CUI markings as needed—All Controlled Unclassified Information should follow the CUI marking guidelines.
  4. Control the transport and sharing of protected information—Only authorized personnel using authorized devices should be allowed to transport or share protected content. Any media that has expired the storage date requirements must be properly destroyed.
  5. Prohibit the use of portable storage devices unless assigned to an authorized user—Only devices with known and identifiable authorized users should be permitted to access your system, store data or transport data.


Check back for our next blog post and learn more about the Physical Protection family. You may also be interested in reading our last post on The Maintenance Family.


Source: CUI Policy and Guidance. National Archives.



Katherine Bennett

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.