DFARS 252.204-7012: What are the best ways to protect media and CUI?
The DFARS 252.204-7012 clause sets high standards governing the protection, sanitization, and secure destruction of controlled unclassified information (CUI). Compliance is mandatory for any organization that makes up part of the 200,000-strong Defense Industrial Base (DIB), which is the supply chain of the US DoD. Audits may be carried out at any time, so it is crucial that any organization hoping to win requests for proposals (RFPs) in the capacity of a defense contractor proactively prepares themselves. This requires adherence to the NIST SP 171 rev 2 framework, which covers fourteen control domains governing the protection of CUI.
Related article: A Guide to Understanding DFARS Requirements
In this article, we will be looking at the physical protection of media and CUI.
An overview of the information lifecycle
Given the trend for dematerialization of computing assets, it is often easy to overlook the importance of physical protection. After all, all data has to be stored somewhere on a physical device, even in cases where it exists in a virtual machine in a vast data center. Regardless of where your data lives, it needs to be managed throughout its entire lifecycle from the moment it is first created to the moment it is destroyed. Compliance with DFARS 7012 requires that all CUI be stored within the US and monitored and protected until it is securely disposed of.
Related article: DFARS 252.204-7012: How effective are your access controls?
#1. Cloud storage
Ensuring the physical protection and data lifecycle management across cloud storage systems can be especially complicated, simply because it falls outside your ability. For example, when storing data in Amazon AWS, Microsoft Azure, or any other cloud storage platform, physical protection is the responsibility of the service provider. Whether you have a hybrid, private, or public cloud, it is essential that the service provider gives you the degree of control you need to protect data throughout its lifecycle and securely erase it as required. Every contractor and subcontractor must themselves provide DFARS 7012-compliant storage solutions that let you retain full control over the data.
#2. Direct-attached storage
Direct-attached storage (or DAS) refers to any type of storage system connected directly to the computer, such as hard drives, solid state drives, and external media connected to USB ports. Although not as popular as it once was in the era of cloud computing, these physical storage devices present some unique challenges when it comes to maintaining data integrity, as well as when securely deleting data. Furthermore, portable DAS devices, such as flash drives and other removable media, face an added risk of loss or theft. All DAS devices, including internal and external ones, that store CUI, should be encrypted and securely erased according to DoD standards at the end of their lifecycle.
#3. Network-attached storage
Network-attached storage (NAS) and storage area networks (SANs) are internal systems that are entirely dedicated to data storage. They are often used for backup and archiving and, due to the low costs of storage, they generally use traditional hard drives. One of the key benefits of NAS or SAN systems is that they facilitate easy collaboration throughout the local network, and they can also be connected to a wide-area network (WAN) to facilitate file-sharing across branches and other off-site locations. That said, the physical hard drives and other assets that make up the system must be protected and managed like any other, combining physical room-level security, video surveillance cameras, and technical measures like full disk encryption.
#4. Backup and archive media
Many established companies still retain archives of data, including CUI, on legacy media, such as tape drives and other removable devices. Data on such media also needs to be protected and managed throughout its lifecycle, but this can be challenging given the lack of compatibility with more modern systems. As such, many organizations are migrating their archives over to newer systems, such as software-defined storage and hyperconverged storage and securely retiring their deprecated storage assets in the process. However, there is still a strong case in certain circumstances for keeping physical, local copies of data, in which case that data needs to be physically secured and permanently destroyed once it is retired.
Charles IT helps organizations manage their digital assets throughout their entire lifecycles to maintain compliance with NIST SP 171 rev 2 and other industry standards. Get in touch today to schedule your first consultation.