University of Idaho - I Banner
A student works at a computer

SlateConnect

U of I's web-based retention and advising tool provides an efficient way to guide and support students on their road to graduation. Login to SlateConnect.

Media Protection

Overview

This updated standard is to help align existing practices within Office of Information Technology (OIT) around Media Protection controls to the requirements in NIST 800-171 (MP | 3.8.x) as well as industry best practices. This document does not give full coverage of 3.8.x controls within 171 due to existing limitations and other requirements that are specific to CUI.

What is in this document:

  • Acceptable methods of media disposal
  • Encryption requirements
  • Banning of personal devices for high-risk data
  • Marking requirements

What is NOT in this document:

  • Procedures for disposing media
  • Encryption deployment details or procedures
  • Marking procedures 

Policy Reference

APM 10.41 Surplus Property Inventory and Disposal Procedure

APM 20.13 University Communication Devices and Services

APM 30.11 University Data Classification and Standards

APM 30.12 Acceptable Use of Technology Resources

APM 30.14 Cyber Incident Reporting and Response

APM 30.16 Technology Hardware Lifecycle Management

Purpose

This Media Protection standard supports APM 30.11 University Data Classification and Standards and other relevant university policies.

Scope

These Standards are the minimum baseline for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) or using University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) not otherwise covered by an approved system security plan.

Standards

Sanitize or destroy information system media before disposal or release for reuse as per APM 30.16 Section D-8.

  1. Any media must be sanitized prior to reuse or destroyed prior to disposal using an approved method.

    This applies to: Low/Moderate/High-Risk data.

    1. Hard Drives
      1. If the device will not be reused, the device must be destroyed via OIT drive crusher.
      2. Overwrite the data on the drive with a minimum of one pass of all zeros or per NIST 800-88.
      3. Use one of the ATA Sanitize Device feature set commands, if supported.
      4. Use the ATA Security feature set's "SECURE ERASE UNIT" command, if supported
    2. Solid state drives (SSDs)
      1. If the device will not be reused, the device must be destroyed via Shred, Disintegrate, Pulverize or Incinerate by burning the device in a licensed incinerator as per NIST SP 800-88.
      2. Use the ATA Security feature set's "SECURITY ERASE UNIT" command if supported.
      3. Use the ATA Sanitize command, if supported (block erase, cryptographic erase).
        1. High-risk and regulated data must use FIPS 140 validated encryption modules.
      4. For NVMe SSDs, use the NVM Express Format command, if supported.
      5. ActiveKill software has been approved for disk wipe.
      6. Cryptographic Erase by issuing commands as necessary to cause all MEKs to be changed.
    3. Removable Media
      1. If the device will not be reused, the device must be destroyed via Shred, Disintegrate, Pulverize or Incinerate by burning the device in a licensed incinerator as per NIST SP 800-88.
      2. Overwrite the data on the drive with two passes. (Non-solid state media only)
        1. The first pass should use a fixed value, and it's complemented for the second pass.
      3. Cryptographic Erase by issuing commands as necessary to cause all MEKs to be changed.
        1. High-risk and regulated data must use FIPS 140 validated encryption modules.
    4. Optical Media
      1. The device must be destroyed via shredding using some paper shredders, or via an approved destruction service as per NIST SP 800-88.
    5. Mobile devices
      1. If the device will not be reused, does not support encryption or has no factory erase/wipe function, the device must be destroyed via Shred, Disintegrate, Pulverize or Incinerate by burning the device in a licensed incinerator as per NIST SP 800-88.
      2. Manufacturer method of media sanitization such as but not limited to factory reset or erase data function.
        1. Devices must be encrypted prior to sanitization.
      3. For unmanaged personal devices Microsoft app protection is considered sufficient.
        1. If unmanaged applications are used on personal devices for U of I data, the data or device may be wiped by the university as per APM 20.13.

  1. An appropriate attestation of either disposal or sanitization must be provided and updated within the IT asset management system.

    This applies to: Low/Moderate/High Risk data.

  2. Certificate of destruction from an authorized application or vendor such as but not limited to the Activekill Erase certificate or Iron Mountain certificate of destruction.
  3. Verification from OIT personnel of successful destruction via the drive crusher within a ticket associated with asset.
  4. Verification from OIT personnel of successful completion for mobile device sanitization.

To ensure data is protected while stored on systems the following standards must be met:

  1. Workstations and laptops will be encrypted by default using Bitlocker for Windows and Filevault on MacOS.
    1. Workstations and laptops explicitly categorized for only low-risk data may be exempted without a formal risk exception.
    2. Encryption will be AES-256 or stronger unless otherwise approved by OIT Security.
  2. University data on mobile devices must use apps that are encrypted via the OIT Managed Microsoft Application Protection Policy.
  3. High-risk applications require that a system is encrypted prior to access, including mobile devices.
  4. High-risk data must be encrypted using OIT-managed encryption when stored media including but not limited to:
    1. System drives such as hard disks and solid state drives.
    2. Removable media such as usb drives or external drives.
  5. Systems that are housed within approved university data centers are exempt from this encryption requirement.

To ensure the confidentiality of data across networks the following standards must be met:

  1. Moderate- and high-risk application data must be encrypted.
    1. Authentication Secrets such as passwords, API keys or PSKs, are considered high-risk.
  2. Regulated data must meet encryption requirements for the regulation.

Personal devices or devices otherwise not managed or approved by OIT must not be used to access, store, transmit or process high-risk data.

Backups containing moderate- and high-risk data must be protected by current encryption standards or other approved safeguards.

To ensure data is handled appropriately data and assets containing data must be marked appropriately.

  1. Regulated data such as CUI must also be marked in accordance with regulation.

    Applies to: Moderate / High

Other References

1. NIST SP800-171r2 (February 2020)

All referenced controls are NIST 800-171r2 unless otherwise noted.

2. NIST SP800-53r5 (September 2020)

3. NIST SP800-88r1 (September 2014)

4. Device Retirement and Media Sanitization Guidelines

5. Surplus Process for TSPs and Local Support

Definitions

1. Licensed incinerator

Organization licensed in terms of section 19 and 50 of the Waste Act or which in terms of section 80 of the Waste Act may continue to operate under a license issued under the Environmental Conservation Act (Act 73 of 1989).

2. Cryptographic Erase

“A method of Sanitization in which the Media Encryption Key (MEK) for the encrypted Target Data (or the Key Encryption Key — KEK) is sanitized, making recovery of the decrypted Target Data infeasible.” (NIST SP 800-88)

3. Advanced Technology Attachment (ATA)

“Magnetic media interface specification. Also known as ‘IDE’ — Integrated Drive Electronics.” (NIST SP 800-88)

4. Non-Volatile Memory Express (NVMe)

Interface for system’s non-volatile storage media.

5. Media Encryption Key (MEK)

Cryptographic key used for encrypting media.

6. Disposal

A method of release of media that is not intended to be reused by the university. Including but not limited to, releasing media to waste management services, releasing media for surplus disposition (APM 10.41).

7. Reuse

A method of release of media that is intended to be used for a new purpose or user by the university as defined by APM 30.16 section D-8.

8. Media

“Material on which data are or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid state devices or optical discs.” (NIST SP 800-88)

9. Hard Drives

“A rigid magnetic disk fixed permanently within a drive unit and used for storing data. It could also be a removable cartridge containing one or more magnetic disks.” (NIST SP 800-88)

10. Solid state drive (SSD)

“A Solid State Drive (SSD) is a storage device that uses solid-state memory to store persistent data.” (NIST SP 800-88)

11. Removable Media

“Portable data storage medium that can be added to or removed from a computing device or network.” (CMMC Glossary)

12. Optical Media

“A plastic disk that is read using an optical laser device.” (NIST SP 800-88)

  1. Examples: CD, DVD or Blu-ray.

13. Mobile devices

“A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable/removable data storage; and includes a self-contained power source.” (NIST SP 800-171)

Standard Owner

OIT Security is responsible for the content and management of these standards.

To request an exception to this standard.

Contact: oit-security@uidaho.edu

Revision History

3/1/2024 — Minor updates

  • Minor formatting/wording/reference changes.

6/23/2023 — Original standard

  • Full re-write to align with NIST 800-171r2

Physical Address:

Teaching Learning Center Room 128

Office Hours:

Monday - Friday
8 a.m. to 5 p.m.

Summer Hours:

Monday - Friday
7:30 a.m. to 4:30p.m.

Phone: 208-885-4357 (HELP)

Email: support@uidaho.edu

Map