MP.L2-3.8.8 Shared Media
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Source: NIST SP 800-171 Rev 2 3.8.8
Discussion: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).
Assessment Objectives:
Determine if:
- [a] the use of portable storage devices is prohibited when such devices have no identifiable owner.
Examine: [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; security plan; rules of behavior; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for media use; mechanisms prohibiting use of media on systems or system components].
SPRS Score: 3
POA&M Allowed: No