CMS Media Protection (MP) Handbook
Guidance for protecting physical and digital media at CMS in accordance with requirements from NIST and the CMS Acceptable Risk Safeguards (ARS)
Last reviewed: 9/4/2024
Related Resources
What is Media Protection (MP)?
Media Protection (MP) is the safeguarding of media within an organization. The term “media” broadly refers to physical devices or writing surfaces. This includes all channels of communication with storage capabilities — everything from printed paper to digital data onto which information is recorded, stored, or printed within an information system.
Tracking the creation, distribution, storage and use of any form of media can be challenging, so it’s important for government agencies to have clear policies and guidance around media protections for their information systems. Organizations must clearly define:
- Who has the authority to access, transport, and share media
- Which devices can be used to store and transport media
- How to properly destroy expired media
Having clear policies around these practices allows government agencies to protect the data that is critical to their missions. CMS provides this handbook as a guide for implementing the Media Protection (MP) family of controls at the organization, process, and/or system level for all CMS information assets and data.
Media Protection at CMS
The MP security requirements addressed in this handbook are taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53, Rev 5 and tailored to the Centers for Medicare and Medicaid Services (CMS) environment in the CMS Acceptable Risk Safeguards (ARS).
The ARS MP minimum standard controls are designed to protect CMS media and files from unauthorized access, use, or disclosure to ensure the safe handling of media and files in their life cycle, and to ensure the safe destruction of media and files when they are no longer needed.
By following the processes outlined below, CMS can:
- Promote accountability for handling media responsibly
- Reduce risk by limiting events that could expose media to unauthorized use or disclosure loss, theft, or other mishandling
- Ensure CMS compliance with federal laws and regulations such as FISMA and HIPAA
Getting help
For policy and guidance questions regarding Media Protection at CMS, contact the ISPG Policy and Privacy team via email at: CISO@cms.hhs.gov. Or find us in CMS Slack: #ispg-sec_privacy-policy.
If you have questions or need assistance regarding various aspects of Media Protection at CMS, you can reach out to the following groups:
- CMS Office of Strategic Operations and Regulatory Affairs (OSORA) | OSORA_Regs_Scheduling@cms.hhs.gov
- CMS Records Retention | Records_Retention@cms.hhs.gov
Media Access
As part of CMS media protection, there are rules about who can access CMS system media that contains sensitive information. This is known as Media Access control. It applies to both digital media and hard copy media (such as paper, microfilm, or microfiche). It applies to mobile devices with storage capabilities, and to systems that process, store, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI). Media Access guidelines are described below.
Limit access to people who need it
The Media Access rules that identify who can access sensitive media are defined in the System Security and Privacy Plan for any CMS system. Access is restricted to defined personnel or roles with a valid need to know based on the functions required to perform their job duties. Activities that limit access can include:
- Disabling Compact Disk (CD)/Digital Versatile Disk (DVD) writers
- Allowing access to CD/DVD viewing and downloading capabilities only to authorized persons or roles (defined in the applicable System Security and Privacy Plan)
- Disabling access to Universal Serial Bus (USB) ports and allowing access to using USB device capabilities only to authorized persons or in defined roles (defined in the applicable System Security and Privacy Plan)
Require training before giving access
Before accessing any CMS systems or data, all CMS employees and contractors with potential access to sensitive information, such as PII or PHI, must complete yearly Information System Security and Privacy Awareness (ISSPA) training, along with any role-based training required for their level of access to CMS information and systems. These trainings must be completed within 60 days of hire (and annually thereafter).
For additional processes that need to be followed by all CMS employees and contractors with potential access to CMS data and/or sensitive information, please see the CMS Access Control (AC) Handbook and Personnel Security (PS) Handbook.
Media Marking
Media Marking is a process that identifies the security markings, distribution limitations, and handling caveats for information system media. NIST and the National Archives and Records Administration (NARA) both provide guidance on security marking and labeling as required by the Executive Order (E.O.) 13526 and its implementing directive, 32 CFR Part 2001, to prescribe a uniform security classification system.
Within NIST SP 800-53, the guidance on Media Marking includes:
- Security marking: This is the application or use of human-readable attributes to enable organizational process-based enforcement of information security policies. Security marking is typically written upon the media.
- Security labeling: This is the explicit or implicit marking of a data structure or output media associated with an information system representing the FIPS 199 security category. It could also indicate distribution limits or handling caveats of the information contained within the media. Security labeling is typically internal to the media.
What media must be marked?
Security marking is typically required for any media that contains information with distribution limits or handling caveats. This includes sensitive, controlled, classified, or confidential information.
Security marking is generally not required for media containing information determined to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable.
Media Marking process at CMS
At CMS, everyone should mark and label system media appropriately to ensure it is protected according to its sensitivity. All CMS information system media, both digital and non-digital, must be marked in accordance with the relevant CMS policies and procedures for Media Protection that can be found in the CMS IS2P2 and ARS.
The CMS process for Media Marking includes the following:
Media Marking for digital media
- For external media types such as CDs and USB Drives, the Business or System Owner (BO/SO) is responsible for ensuring the appropriate media marking/labeling (including the CUI Control Marking and the designating organization).
- The BO should follow the CMS CUI Program Guide, which includes guidelines for marking/labeling media as CUI, Sensitive, Confidential, etc. More information on CMS Controlled Unclassified Information (CUI) can be found here (internal link; CMS login required).
- For questions about marking and managing of CUI at CMS, contact the CMS Office of Strategic Operations and Regulatory Affairs (OSORA).
- For overall guidance about CUI marking, see the CUI Marking Handbook from NARA.
- Volume serial number (VOLSER) scans are performed on Unix and Mainframe media prior to shipment to the secure, off-site storage facility.
- Media are classified and labeled as Confidential.
Media Marking for non-digital media
Non-digital media, such as paper and microfilm, should also be marked appropriately to indicate the sensitivity classification of the information they contain (based on applicable record retention regulations).
Report mishandling of protected information
Advise CMS management immediately if any CMS sensitive information is disclosed, mishandled, or used in an inconsistent manner (whether intentionally or unintentionally). The CMS Incident Response Handbook outlines the procedures for reporting all suspected security incidents.
Media Storage
Media Storage is the process that ensures the security of media containing sensitive information when it’s not actively in use or in transit. CMS physically controls and securely stores digital and non-digital media in accordance with:
- NIST SP 800-88 (Guidelines for Media Sanitization)
- HHS Policy for Information Security and Privacy Protection (IS2P)
- HHS Policy for Rules of Behavior for Use of Information and IT Resources (ROB)
By aligning CMS Media Storage processes with these authorities, we ensure sufficient physical and procedural safeguards to meet the federal requirements established for protecting information and information systems.
How does Media Storage affect me?
Everyone at CMS is expected to follow proper media storage requirements for any media they create, store, or manage that contains CMS sensitive information. This applies to both digital and non-digital media. It applies to CMS employees, staff, contractors, interns, and personnel — whether they are working onsite at CMS, or working from a telework or alternate duty station (ADS) location.
Business and System Owners are responsible for documenting the entire media protection process, including handling, storage, and sanitization.
Securing media storage areas
CMS media storage areas are secured using authorized CMS badge-controlled entry systems. The Physical Access Control System Central (PACS Central) is the system used by CMS for this purpose.
If you have a CMS Personal Identity Verification (PIV) card, you can use it to request access to secure areas. You can also use it to get remote access to PACS via CMS Virtual Private Network (VPN). Upon approval, access to the requested area will be added to your PIV card.
CMS is responsible for granting and monitoring access to media storage areas. Contact the Security Control Center (24 hours a day) by calling 410-786-2929 or by emailing security@cms.hhs.gov.
Physical control of media storage
These are the guidelines for the physical control of media storage at CMS:
- Storage for digital media originating from or related to an information system must adhere to the HHS STANDARD § 164.310(d)(1) for Device and Media Control. Following these guidelines, the media must be securely stored in secure off-site storage, or using the safeguards prescribed for the highest security level.
- Non-digital media relating to an information system are stored in access-controlled spaces. However, MP processes must be adopted to cover all CMS locations, including but not limited to IaaS Cloud, PaaS Cloud, and Virtual Data Centers (VDCs). These methods protect media until they are destroyed or sanitized using CMS-approved equipment, techniques, and procedures that comply with NIST SP 800-88, Guidelines for Media Sanitization.
- All information — both digital and non-digital — must adhere to the HHS STANDARD § 164.310(d)(1) for Device and Media Control. The information must be treated and labeled appropriately to identify that it may contain sensitive information when stored at the off-site storage facility. All information, including encrypted media, must be secured and locked.
CMS policy on using external storage devices
Due to security concerns, the use of external storage devices is highly restricted. CMS doesn't want anyone to use external storage devices (CMS or personal) for any reason. All CMS staff should use Box or SharePoint to transfer business or personal files. All standard file types are supported with Box and SharePoint.
Media Transport
Media Transport activities include the actual transporting of media from one location to another, in addition to security-related activities such as:
- Releasing media for transport in a manner consistent with regulations
- Ensuring that media goes through transport processes that are appropriate to the sensitivity level of the data that’s on the media
- Ensuring the “chain of custody” is established so that an authorized person is always in control of media containing any sensitive information
Who is authorized to transport media?
Media can be transported by approved individuals outside the organization when appropriate. Authorized transport and courier personnel may include employees from the U.S. Postal Service or a commercial delivery service such as UPS, FedEX, or DHL. for example. CMS personnel responsible for the media must ensure they can:
- Track the media in transit
- Determine a delivery confirmation (at minimum)
- Ensure a signature confirmation if required (based on the sensitivity or classification of the data contained on the media)
Controlled areas
Controlled areas are an important part of secure media transport. Controlled areas are spaces where physical or procedural controls are provided by organizations in order to meet requirements established for protecting information and systems. These controls ensure accountability in the proper handling of media that is in transport. This reduces the risk of media becoming vulnerable to unauthorized use and disclosure through loss, theft, or other mishandling.
Protecting media in transport
When media containing sensitive information is being transported outside of controlled areas, it must be protected using physical and technical safeguards. This applies to both digital and non-digital media. Whatever safeguards are implemented should align with the security category or classification of the information residing on the media.
Examples of safeguards to protect media during transport include:
- Using a FIPS 140-2 validated encryption module or mechanism where applicable on soft copy or digital media
- Using a locked and secure container for hard copy media
- Ensuring media is handled by authorized personnel to maintain the “chain of custody” during transport and delivery
- Using cryptographic mechanisms for digital assets, which can provide confidentiality and integrity protections depending upon the mechanisms used
Establishing Media Transport requirements
Business Owners are required to establish security requirements for activities associated with the transport of media related to their information systems. These requirements should:
- Align with CMS assessments of risk based on Information Type from the FIPS 199 Security Category
- Maintain accountability by restricting transport activities to authorized personnel and keeping explicit records of transport activities as the media moves through the transportation system
- Implement safeguards to prevent and detect media loss, destruction, or tampering
- Maintain the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records
Business Owners should refer to the Media Protection (MP) section of the IS2P2 when developing Media Transport requirements for their information systems. In general, the guidance is to protect and control digital and non-digital media containing sensitive information during transport outside of controlled areas using cryptography and tamper-evident packaging.
Additionally, the following safeguards should be implemented as necessary (depending on the sensitivity level of the data contained on the media).
Hand-carried media
If hand carried, use a securable container, such as a locked briefcase. Ensure the secured container is handled only by authorized personnel at every step of the media transport. CMS restricts the transport of sensitive media to authorized personnel commensurate with the sensitivity level of the data.
Shipped media
If shipped via USPS (preferred) or a commercial carrier, use tamper-evident or tamper resistant packaging. This tamper-resistant packaging should be contained within the shipping box. Utilize package tracking, with receipt of delivery confirmation as a minimum (and signature confirmation if the sensitivity of the data on the media requires it).
Foreign travel
Unless on official government travel, CMS prohibits international transportation of all devices capable of connecting to the CMS network, without explicit approval from the agency head.
All CMS employees and contractors, traveling on official CMS business outside the United States and its territories, with devices that can connect to the CMS network, are required to complete all foreign travel security awareness requirements prior to traveling.
For detailed foreign travel requirements please refer to the CMS Foreign Travel Security SOP.
Transporting backup media
Backup media are storage devices that people use to save electronic file backups. These devices can be physical, such as a hard drive, or network-based, such as cloud storage. Backup media can be used to protect personal data or critical business data.
To transport CMS backup media, it must be inserted into padded, lockable, static-resistant containers and hand-carried, by authorized personnel, to a vehicle owned by a storage facility. Then it is transported to the secure off-site storage facility, remaining under the protection of authorized personnel.
Protected Health Information (PHI)
CMS provides guidance for systems processing, storing, or transmitting Protected Health Information (PHI):
Under the HIPAA Security Rule, this is an addressable implementation specification. Using cryptographic protection allows the organization to utilize the “Safe Harbor” provision under the Breach Notification Rule. If PHI is encrypted pursuant to the Guidance Specifying the Technologies and Methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, then no breach notification is required.
Data encryption
CMS users are required to follow the data encryption standards, in accordance with the HHS Standard for Encryption of Computing Devices to ensure information is protected from unauthorized disclosure. CMS also uses data encryption software that automatically encrypts data on Government Furnished Equipment (GFE).
Media Sanitization
Media sanitization is the process of removing data from storage media in a way that makes it difficult for third parties to retrieve. The goal is to ensure that sensitive data is not accidentally released, and that even advanced forensic tools can't recover it. Media sanitization is an important aspect of protecting sensitive information throughout its life cycle.
At CMS, we follow guidance from NIST to properly sanitize media that contains sensitive information before the media is reused or disposed of. This ensures that we protect CMS sensitive information from unauthorized use or disclosure.
Once media has been sanitized, if it is not being reused, it can be destroyed or disposed of. CMS applies media destruction and disposal procedures that are approved by the federal government to ensure that information does not become available to unauthorized personnel.
Before sanitizing or disposing of media, CMS Business and System Owners should consider any regulations or requirements that may affect the disposal process.
For privacy considerations, contact designated officials with privacy responsibilities (for example, Privacy Officer).
For records retention considerations, contact Records_Retention@cms.hhs.gov.
Media Sanitization methods
According to NIST, media sanitization applies to all information system media. NIST recommendations for sanitizing media include the clearing, purging, cryptographic erasing, or destruction of sensitive information that is stored on any media — before that media is released for reuse or disposal. This includes both digital and non-digital media.
Sanitization of digital media could include removing sensitive information from scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices.
Sanitization of non-digital media could include removing a classified appendix from an otherwise unclassified document, or redacting selected sections from a document.
Before utilizing any sanitization techniques, the following steps should be taken in preparation:
- Categorize the information within the media according to its sensitivity
- Assess the nature of the medium on which the information is recorded
- Assess the risk to confidentiality if the information were to be exposed
- Determine plans for reuse or disposal of the media (being mindful of cost and environmental impact)
Acceptable minimum sanitization recommendations for media can be found in Appendix A of the NIST SP 800-88: Guidelines for Media Sanitization.
Media Sanitization requirements at CMS
The following media sanitization and disposal standards apply to everyone at CMS. This includes external contractors working outside of the CMS Central Offices and Regional Offices locations whose contract produces media on behalf of CMS. At the end of the media lifecycle, the media MUST be sanitized according to CMS policy.
Digital media
With oversight of operations of all CMS data centers (physical, virtual, and cloud), CMS personnel who are responsible for media must ensure that all confidential or classified information is sanitized and disposed of properly.
This must be done in accordance with the policies, procedures, and standards established by these federal agencies:
- NSA/CSS Storage Device Sanitization Manual (National Security Agency)
- DoD 5220.22-M, National Industrial Security Program Operating Manual (Department of Defense)
A key decision on sanitization is whether the media are planned for reuse. All media returned to the CMS Data Center (located in N1-23-00/User Lobby Window) are sanitized and excessed — they are not made available for reuse.
Obsolete magnetic media (such as hard drives) and optical media (such as CDs/DVDs) are sanitized in the CMS Data Center using an approved degausser for magnetic media and an approved optical media shredder for optical media.
Non-digital media
Paper documents are a common type of non-digital media. For proper disposal of paper documents, the CMS Central Office in Baltimore, Washington DC (and the local surrounding buildings) provides paper-shredding options. This mitigates the risk of any breach of CMS sensitive information through materials and documents that may contain PII or PHI.
Additionally, CMS has a document shredding program that performs scheduled onsite shredding services for all Sensitive/PII/PHI paper items using designated locked shredding bins (consoles). These locked bins are located throughout CMS buildings in copier rooms and frequently used areas. This program is accomplished through a collaboration with the National Association for Information Destruction (NAID) AAA Certified contractor.
Additional guidance
For additional guidance on media sanitation and disposal at CMS, please see:
- NIST SP 800-88: Guidelines for Media Sanitization (NIST)
- NSA/CSS Storage Device Sanitization Manual (National Security Agency)
- NIST Sample Certificate of Sanitization (.docx file will automatically download)
Verification of sanitization
For FIPS 199 HIGH systems, CMS must review, approve, track, document, and verify the sanitization and disposal procedures for media that is produced by or stored in the system.
The documentation must ensure that the procedures:
- Comply with defined NARA records retention policies
- Establish accountability of personnel who reviewed and approved sanitization and disposal actions. The accountability is verified by logging the actions of the identified authorized personnel to include but not limited to:
- Identification of the types of media sanitized, specific files stored on the media, and the sanitization methods used
- Documentation of date/time of the sanitization
- Identification of personnel who performed the sanitization
- Verification that the sanitization of the media was effective prior to disposal
The CMS Data Center custodian and all other personnel involved in media sanitization, including those outside of CMS CO/RO, must follow MP-06(01) control guidelines (from the CMS ARS). For media that have been added to the CMS property management hand receipt inventory (asset has been issued a CMS Asset Tag number/Barcode/Decal Number) when performing these actions, it is required to complete Form HHS-22. This form includes information to support the defined sanitization and disposal actions.
Equipment testing
All CMS sanitization equipment and procedures are tested at least annually to verify they are working as expected. Testing of sanitization equipment and procedures must be conducted by qualified and authorized external entities (e.g., other federal agencies or approved external service providers).
For CMS, an approved degausser manufacturer conducts an annual certification following guidelines approved by the National Security Agency.
Nondestructive techniques
When a portable storage device is initially purchased from a manufacturer or vendor — or when a positive chain of custody for such devices is not available — NIST recommends applying nondestructive sanitization techniques prior to connecting such devices to the system. This is particularly applicable for FIPS 199 HIGH systems.
Portable storage may contain malicious code that can be transferred to information systems through USB ports or other entry portals. While scanning portable storage devices for malicious code is recommended, sanitization provides additional assurance that the devices are free of malicious code.
CMS considers the use of nondestructive sanitation techniques:
- Prior to initial use after purchase
- When obtained from an unknown (potentially untrustworthy) source
- When the organization loses a positive chain of custody
- When the device was connected to a lower assurance network/system based on FIPS 199 security categorization
Remote sanitization
CMS is required to remotely purge or wipe information on CMS High Value Asset (HVA) systems and components if the HVA or its components are obtained by unauthorized individuals.
NIST recommends several methods for remote purging or wiping of information:
- Overwriting data or information multiple times
- Destroying the key necessary to decrypt encrypted data
For any remote sanitization method, a strong authentication system should be in place to prevent unauthorized individuals from accidentally purging or wiping information from a HVA system or component.
Media Use
Guidelines around Media Use are set up to ensure appropriate use of information system media. Safeguards around Media Use can be technical or nontechnical, and they can include policies, procedures, and rules of behavior.
NIST recommends that organizations employ safeguards such as:
- Restricting the use of portable storage devices by using physical cages on workstations to prohibit access to certain external ports
- Removing the ability to insert, read, or write to such devices
- Restricting the use of portable storage devices based on the type of device (for example, prohibiting those that are writable)
- Limiting the use of portable storage devices to those that are provided by the organization (or by other approved organizations)
- Prohibiting the use of portable storage devices that are personally owned
At CMS, Media Use safeguards include:
- Restricting the use of certain types of media (such as flash drives or external hard disk drives) on CMS systems
- Prohibiting the use of portable storage devices in CMS information systems when such devices have no identifiable owner
- Requiring identifiable owners of removable media that stores sensitive information (such as PII) — so there is accountability for managing the media and responding in the event of a privacy breach
How does Media Use affect me?
Everyone at CMS should be aware that:
- CMS prohibits the use of personally owned media (such as flash drives, hard disk drives, and other portable storage devices) on CMS defined systems or system components.
- CMS prohibits the use of portable storage devices in CMS systems when such devices have no identifiable owner (including “unauthorized” devices to the GFE or VDI session).
- Wireless devices (such as Bluetooth) are not permitted to be used unless you have explicit approval from the Authorizing Official (A0).
Policies for Media Use
The safeguards on Media Use at CMS (described above) are aligned with guidance from the following policies:
- CMS ARS
- CMS IS2P2
- HHS IS2P
- HHS Policy for Mobile Devices and Removable Media
- HHS Policy for Rules of Behavior for Use of Information and IT Resources (This document establishes the acceptable and unacceptable use of desktop/laptop and other information technology resources that are owned, leased, or controlled by CMS.)
CMS Policy for Wireless Client Access (This document establishes parameters for the security of wireless access based on acceptable government and private industry standards.)