Establishes requirements for protecting, sanitizing, and controlling system media containing CUI — covering 9 controls per NIST SP 800-171 Rev 2.
OCSI shall protect, limit access to, sanitize, and control the transport of media containing CUI. Digital and non-digital media shall be marked, tracked, and destroyed in accordance with NIST guidelines.

| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.8.1 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital | Digital CUI stored in browser localStorage on authorized devices only. No server-side CUI storage. Physical media policy requires locked storage for any printed CUI. Authorized devices tracked in asset inventory. | Implemented |
| 3.8.2 | Limit access to CUI on system media to authorized users | Command Center requires authentication (SHA-256 verified credentials) for access to CUI data. localStorage data isolated per browser origin. No public access to CUI-containing pages. | Implemented |
| 3.8.3 | Sanitize or destroy system media containing CUI before disposal or release for reuse | Device disposal policy: browser localStorage cleared (localStorage.clear()) and browser history purged. Physical media shredded using cross-cut shredder. External MSSP consulted for digital media sanitization verification. | Implemented |
| 3.8.4 | Mark media with necessary CUI markings and distribution limitations | All security protocol documents marked with CUI banner. Exported data files tagged with "CUI" header. Command Center export function includes CUI marking in output files. | Implemented |
| 3.8.5 | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas | All data transport occurs via encrypted FTP channel. No portable media (USB, CD) authorized for CUI transport. Cloud backup requires encrypted transfer. Transport logs maintained. | Implemented |
| 3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media | NOT IMPLEMENTED. CUI in localStorage is stored as plaintext JSON — no encryption at rest. Browser same-origin policy is NOT encryption. HTTPS protects data in transit only. Device-level encryption depends on user configuration (not enforced by OCSI). | Not Implemented |
| 3.8.7 | Control the use of removable media on system components | Organizational policy: removable media (USB drives, external storage) not authorized for CUI. All data transfer performed via encrypted network connections only. | Implemented |
| 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner | Policy prohibits use of any unidentified portable storage. All authorized devices registered in asset inventory with owner assignment. | Implemented |
| 3.8.9 | Protect the confidentiality of backup CUI at storage locations | NOT VERIFIED. Command Center data export produces JSON files. However, backup procedures have not been documented or tested. No evidence that backups are stored on encrypted devices. No backup schedule exists. | Not Verified |

| Media Type | Authorized | CUI Storage | Disposal Method |
|---|---|---|---|
| Browser localStorage | Yes (authorized devices) | Permitted | localStorage.clear() + browser purge |
| Printed documents | Limited | Permitted (marked) | Cross-cut shredding |
| USB/removable media | No | Prohibited | N/A |
| Cloud storage | No (future consideration) | Not applicable | N/A |