Digital Media Protection

NIST defines media as Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within a system.

When populating the systems in-scope, media, and personnel involved in a Project, Lab, Environment, or System, keep in mind that an SSP is a point-in-time exercise and that it is more important to capture data that will be true at time of signing.

For general information about Cyber Security Policies, Standards, and Guidance on this and other subjects, be sure to visit

All solutions for Physical Control Options require users listed on the SSP to match those with access to systems in-scope.

The diagram below details the specifics of options for Digital Media:

Presented in another way, this matrix provides a little more insight on the expectation:

* Encryption on desktop will cause additional support overhead on desktop systems for which it is installed due to a lower probability for portability.
** Encryption and physical controls offer equivalent protection on their own, and you need only choose one to be compliant.