1907 Media Protection Policy
Department of Human Services
Index: POL1907 | Revised: 06/02/2025 | Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
This policy establishes the Georgia Department of Human Services (DHS) Enterprise Media Protection Policy, for managing risks from media access, media storage, media transport, and media protection through the establishment of an effective Media Protection program. The Media Protection program helps DHS implement security best practices with regard to enterprise media usage, storage, and disposal.
Authority
- United States Department of Commerce, National Institute of Standards and Technology (NIST)
- United States Internal Revenue Service (IRS)
- United States Department of Health & Human Services, Administration for Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services, Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority (GTA)
- Social Security Administration (SSA)
- Federal Bureau of Investigation, Criminal Justice Information Services (CJIS)
References
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges (MARS-E)
- Georgia Technology Authority Enterprise Information Security Policy
- Social Security Administration (SSA) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (TSSR)
- ACF/OCSS Security Agreement
Applicability
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.
Definitions
- Media: Data storage material. Digital media are grouped by recording method into (1) magnetic, such as diskettes, hard disks, and tapes; (2) optical, such as CDs and DVDs; (3) magneto-optical disks; and (4) solid-state (flash), such as USB flash drives and solid-state drives. Non-digital media, such as paper and microfiche, are also covered by this policy where they contain CUI.
- Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Responsibilities
DHS shall adopt the principles established in the NIST SP 800-53 Media Protection (MP) control family as the official policy for this domain. The following subsections outline the Media Protection standards that constitute DHS policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the documented standards.
MP-1 Media Protection Procedures
- Develop, document, and disseminate to designated agency personnel:
  - An organization-level media protection policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the media protection policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the media protection policy and procedures; and
- Review and update the current media protection:
  - Policy every one (1) year, or when there is a significant change; and
  - Procedures every one (1) year, or when there is a significant change.
MP-2 Media Access
Restrict access to all types of digital and/or non-digital media containing CUI to authorized individuals.
MP-3 Media Marking
- Mark system media to indicate the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
- Exempt media or hardware components containing CUI from marking, as specified in writing by the Chief Information Officer (CIO) or their designated representative, provided the media remain within agency-controlled areas.
MP-4 Media Storage
- Physically control and securely store digital and non-digital media containing CUI within agency-controlled areas; and
- Protect those media until they are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5 Media Transport
- Protect and control digital and non-digital media containing CUI during transport outside of controlled areas using organization-defined safeguards consistent with MP-4 (media storage) and the SC-28 (protection of information at rest) control requirements, including:
  - Encryption of digital media using a current FIPS 140-validated cryptographic module;
  - Locked or securable containers or tamper-evident packaging, transported by authorized personnel;
  - A trackable receipt from the commercial shipping carrier; and
  - Sealed packing cartons for non-digital media containing sensitive information.
- Maintain accountability for system media during transport outside of controlled areas;
- Document activities associated with the transport of system media; and
- Restrict the activities associated with the transport of system media to authorized personnel.
MP-6 Media Sanitization
- Sanitize digital and non-digital media containing CUI prior to disposal, release out of organizational control, or release for reuse, using sanitization techniques and procedures approved in NIST SP 800-88, Guidelines for Media Sanitization; and
- Employ sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.
MP-6 (1) Review, Approve, Track, Document, and Verify:
Review, approve, track, document, and verify media sanitization and disposal actions.
IRS.1:
Clear or purge any CUI from the system BIOS or UEFI before a computer system is disposed of and leaves the agency. Reset the BIOS or UEFI to the manufacturer’s default profile, to ensure the removal of sensitive settings such as passwords or keys.
IRS.2:
Media provided by foreign visitors (end users) may only be loaded into a standalone agency system. The system must remain standalone until such time as it is sanitized. Additionally, no other media loaded into the standalone system can be loaded into a non-standalone agency system until sanitized.
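As an added illustration of the verify-and-record step required by MP-6(1) (an example script, not part of the DHS policy or its procedures): a single-pass zero overwrite, which NIST SP 800-88 accepts as a Clear for magnetic media, followed by a full read-back check and an audit-log entry. The function names, the log line format, and the temporary file standing in for a disk are assumptions made for this example; on real media the target is a block device such as /dev/sdX, and flash or SSD media should be purged with the drive's own sanitize or cryptographic-erase command, since an overwrite can leave data in over-provisioned areas.

```shell
#!/bin/sh
# Added example, not DHS's own procedure: NIST SP 800-88 "Clear" by overwrite,
# full read-back verification, and the MP-6(1) record. TARGET is a regular file
# here so the script is safe to run; on real media it would be a block device
# and SIZE would come from the device size, not a fixed number.

# clear_media TARGET SIZE: overwrite the first SIZE bytes with zeros in place.
clear_media() {
    dd if=/dev/zero of="$1" bs="$2" count=1 conv=notrunc 2>/dev/null && sync
}

# verify_cleared TARGET SIZE: read back every byte (not a sample), dump as hex,
# strip whitespace and '0' digits; anything left is a non-zero byte.
# Prints "pass" or "fail".
verify_cleared() {
    nonzero=$(dd if="$1" bs="$2" count=1 2>/dev/null | od -A n -v -t x1 | tr -d ' \n0')
    if [ -z "$nonzero" ]; then echo pass; else echo fail; fi
}

# sanitize_and_record TARGET SIZE LOG: clear, verify, and append a timestamped
# line naming target, method, size and result (assumed log format). Prints result.
sanitize_and_record() {
    target=$1; size=$2; log=$3
    clear_media "$target" "$size"
    result=$(verify_cleared "$target" "$size")
    printf '%s target=%s method=clear-zero-overwrite bytes=%s verify=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$size" "$result" >> "$log"
    echo "$result"
}

# Usage against a constructed 64 KiB file of random bytes standing in for media.
media=$(mktemp); log=$(mktemp)
dd if=/dev/urandom of="$media" bs=65536 count=1 2>/dev/null
verify_cleared "$media" 65536               # fail: data still present
sanitize_and_record "$media" 65536 "$log"   # pass
cat "$log"
rm -f "$media" "$log"
```

The read-back is deliberately exhaustive: sampling a few sectors would miss a partially failed overwrite, and the log line is what the reviewer and approver under MP-6(1) sign off against. The same record should be kept for destroyed media, with the method field naming the destruction technique instead.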
MP-7: Media Use
- Prohibit the use of personally-owned media (e.g., flash drives, external hard disk drives, and other portable storage and media devices) on agency systems, system components, and networks, enforced through organization-defined security safeguards; and
- Prohibit the use of portable storage devices in agency systems when such devices have no identifiable owner.
IRS.1:
Develop policy to disable all portable storage devices with the exception of those required for an explicit business need, which shall be restricted to specific workstations or laptops. In the absence of an agency-developed and issued policy, the default policy is:
- The connection of non-agency portable storage devices is disallowed; and
- Technical controls are implemented to enforce the policy (e.g., data loss prevention software that limits removable media to known devices, blacklisting the usb-storage kernel module, preventing the mounting of USB storage, or the Windows Group Policy setting "All Removable Storage classes: Deny all access").
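As an added example (not DHS's own configuration), this is how the "blacklist usb-storage" control named above is expressed on a Linux host, together with an audit function that checks whether the control is actually effective. A bare blacklist line only stops udev from auto-loading the driver; the install line is what also defeats an explicit modprobe. The directory argument, the file name usb-storage.conf, and the scratch-directory usage are assumptions made for this example; the production location is /etc/modprobe.d.

```shell
#!/bin/sh
# Added example, not DHS configuration: write and audit a modprobe.d fragment
# that blocks the Linux usb-storage driver (MP-7 IRS.1 technical control).
# DIR is passed in so the example runs against a scratch directory; in
# production it would be /etc/modprobe.d.

# write_usb_block DIR: (1) blacklist stops udev from auto-loading the driver
# when a device is plugged in; (2) the install override makes any explicit
# "modprobe usb-storage" (or dependency load) run /bin/false instead.
write_usb_block() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/usb-storage.conf" <<'EOF'
# MP-7: removable storage disallowed by default
blacklist usb-storage
install usb-storage /bin/false
EOF
}

# audit_usb_block DIR: print "blocked" if an effective install override exists,
# "weak" if only a blacklist line exists (a root user can still modprobe it),
# "open" if neither. Comment lines are ignored.
audit_usb_block() {
    dir=$1
    has_install=0
    has_blacklist=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/(false|true)([[:space:]]|$)' "$f"; then
            has_install=1
        fi
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+usb-storage([[:space:]]|$)' "$f"; then
            has_blacklist=1
        fi
    done
    if [ "$has_install" -eq 1 ]; then
        echo blocked
    elif [ "$has_blacklist" -eq 1 ]; then
        echo weak
    else
        echo open
    fi
}

# usb_storage_loaded: the modprobe rules do nothing for a driver that is
# already loaded (or built into the kernel), so an audit should also check
# the running system. Returns 0 if the module is currently loaded.
usb_storage_loaded() {
    [ -r /proc/modules ] && grep -q '^usb_storage ' /proc/modules
}

# Usage against a scratch directory.
tmp=$(mktemp -d)
audit_usb_block "$tmp"      # open
write_usb_block "$tmp"
audit_usb_block "$tmp"      # blocked
rm -rf "$tmp"
```

The audit reports a lone blacklist line as weak because blacklisting only affects alias-based auto-loading; without the install override an administrator, or malware running as root, can still load the driver. Preventing mounts (for example through a udev rule that ignores USB block devices) is a separate control, and the Windows equivalent is the Group Policy setting the policy text names.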
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS Publication 1075, NIST SP 800-53, and CMS MARS-E; and
- Addressing any deficiencies or gaps discovered during periodic audits conducted by the Georgia Department of Audits and Accounts (DOAA) or other regulatory bodies, such as the IRS, CMS, SSA, and FBI.