Navigate

SC-34 (2)

SC-34 (2): Integrity Protection / Read-Only Media

The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.

Supplemental

Security safeguards prevent the substitution of media into information systems or the reprogramming of programmable read-only media prior to installation into the systems. Security safeguards include, for example, a combination of prevention, detection, and response.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-34 (2).

Control	Description
AC-5	The organization: AC-5a.: Separates [Assignment: organization-defined duties of individuals]; AC-5b.: Documents separation of duties of individuals; and AC-5c.: Defines information system access authorizations to support separation of duties.
CM-3	The organization: CM-3a.: Determines the types of changes to the information system that are configuration-controlled; CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; CM-3c.: Documents configuration change decisions associated with the information system; CM-3d.: Implements approved configuration-controlled changes to the information system; CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CM-5	The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-9	The organization develops, documents, and implements a configuration management plan for the information system that: CM-9a.: Addresses roles, responsibilities, and configuration management processes and procedures; CM-9b.: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; CM-9c.: Defines the configuration items for the information system and places the configuration items under configuration management; and CM-9d.: Protects the configuration management plan from unauthorized disclosure and modification.
MP-2	The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
MP-4	The organization: MP-4a.: Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and MP-4b.: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5	The organization: MP-5a.: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; MP-5b.: Maintains accountability for information system media during transport outside of controlled areas; MP-5c.: Documents activities associated with the transport of information system media; and MP-5d.: Restricts the activities associated with the transport of information system media to authorized personnel.
SA-12	The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
SC-28	The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
SI-3	The organization: SI-3a.: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; SI-3b.: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; SI-3c.: Configures malicious code protection mechanisms to: SI-3c.1.: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and SI-3c.2.: [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and SI-3d.: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

Enhancements

The controls below (if any) add on to the requirements of SC-34 (2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SC-34 (2).

CCI	Definition
CCI-001216	The organization protects the integrity of information prior to storage on read-only media.
CCI-002507	The organization controls read-only media after information has been recorded onto the media.