Larry Coffee
Feb 4, 2022
Do You Have Access?
Hey y’all,
It’s time for the next installment of “Changes to the CJIS Security Policy.” Last time I talked about the new media protection policy (MP-1). It was kinda long, so I’m gonna give y’all a break this month.
The Control for this time is MP-2 Media Access.
MP-2 MEDIA ACCESS
Control: Restrict access to digital and non-digital media to authorized individuals.
Discussion: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.
Related Controls: AC-19, AU-9, CP-2, CP-9, CP-10, MA-5, MP-4, MP-6, PE-2, PE-3, SC-12, SC-13, SI-12.
References: [OMB A-130], [FIPS 199], [SP 800-111]. End of MP-2
Just looking at the Control and the Discussion, it doesn’t specify it, but the digital and non-digital media it’s referring to is criminal justice information (CJI). Additionally, to be an “authorized individual”, you have to pass a fingerprint based background check and be current in the appropriate level of security awareness training, and in some cases sign a Security Addendum Certification Page.
See, like I said, this is not new. You are already restricting access to CJI as part of your operations.
Yes, this is an easy one, but it’s gonna get more interesting as we proceed with the other MP controls. As always, I’m sure there are going to be questions about these updates. CJIS ACE is there to help you understand the changes. For CJIS ACE Insight customers, we’ll go through this together.
To learn more about what we at CJIS ACE can do for you and your agency, send me an email. I’d enjoy a chance to chat with you.
Take care.