Larry Coffee
Jan 18, 2022
You Can't Choose Your Control Family
Hey y’all,
I’m back with another edition of “Changes to the CJIS Security Policy.” In our last episode, the CJIS community discovered that changes were afoot with CJIS Security Policy. Let’s continue with one of those changes.
So, the previous newsletter talked about a new format for items in the CSP. These items are called controls, and they are grouped into what is called a “Security and Privacy Control Family.” Each control is presented in a format that includes Title, Control, Discussion, Related Controls, Control Enhancements, and References.
The Control Family that was approved by the Advisory Policy Board (APB) back in December 2021 was Media Protection, or MP. To start with, I’m gonna do these one at a time so we can deal with them in “bite-sized” pieces. Let’s begin with the first one of the Media Protection control family: MP-1 Policy and Procedures. FYI - Anything italicized below is my commentary.
MP-1 POLICY AND PROCEDURES (“MP-1” is the Control Identifier, and “Policy and Procedures” is the Control Name; this is the Title. Also, like I mentioned in the previous newsletter, this control and the others of the MP family do not have Control Enhancements)
Control: (This is where the requirements are found, kind of replaces the shall statements.)
a. Develop, document, and disseminate to authorized individuals:
1. Agency-level media protection policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;
b. Designate an individual with security responsibilities to manage the development, documentation, and dissemination of the media protection policy and procedures; and
c. Review and update the current media protection:
1. Policy at least annually and following any security incidents involving digital and/or non-digital media; and
2. Procedures at least annually and following any security incidents involving digital and/or non-digital media.
Discussion: (This is additional information designed to help with the implementation of the control.) Media protection policy and procedures address the controls in the MP family that are implemented within systems and agencies. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the agency level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of agencies. Procedures can be established for security and privacy programs, for mission or business processes, and/or systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an agency policy or procedure (my emphasis).
Related Controls: PS-8, SI-12.
(Note: PS-8 is Personnel Sanctions and SI-12 is Information Management and Retention. These control families have not been developed and approved, but they are coming.)
References: [OMB A-130], [SP 800-12], [SP 800-30], [SP 800-39], [SP 800-100].
(FYI - In each control family, the first control is for policy and procedures, except for Program Management PM-1 Information Security Program Plan, which is about your whole program.)
So this is the first control. It essentially replaces the first two shall statements of Section 5.8, which require your agency to have media protection policies and procedures.
First, notice that there are no “shall statements”; we now have controls that function much like shall statements.
Second, as I brought up in the previous newsletter, your agency is probably already doing these things. This control formalizes what your policy must address, requires you to designate an individual to own the policy and procedures, and requires you to review and update both at least annually and after any security incident involving media.
Again, this is one of the first controls approved by the APB, so there is more to come. I’m sure there are going to be questions about these updates. CJIS ACE is there to help you understand the changes. For you Insight customers, we’ll go through this together.
To learn more about what we can do for you and your agency, send me an email. I’d enjoy a chance to chat with you.
Take care.