MP - Media Protection
- Controls Count: 10
- Controls IDs: MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-6 (1), MP-6 (2), MP-6 (3), MP-7
Controls
MP-1: Policy and Procedures
Develop, document, and disseminate to organization-defined personnel or roles:
organization-level, mission/business process-level, and/or system-level media protection policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;
Designate an an official to manage the media protection policy and procedures is defined; to manage the development, documentation, and dissemination of the media protection policy and procedures; and
Review and update the current media protection:
Policy the frequency with which the current media protection policy is reviewed and updated is defined; and following events that would require the current media protection policy to be reviewed and updated are defined; ; and
Procedures the frequency with which the current media protection procedures are reviewed and updated is defined; and following events that would require media protection procedures to be reviewed and updated are defined;.
Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
a media protection policy is developed and documented;
the media protection policy is disseminated to personnel or roles to whom the media protection policy is to be disseminated is/are defined;;
media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;
the media protection procedures are disseminated to personnel or roles to whom the media protection procedures are to be disseminated is/are defined;;
the organization-level, mission/business process-level, and/or system-level media protection policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level media protection policy addresses scope;
the organization-level, mission/business process-level, and/or system-level media protection policy addresses roles;
the organization-level, mission/business process-level, and/or system-level media protection policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level media protection policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level media protection policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level media protection policy compliance;
the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
the an official to manage the media protection policy and procedures is defined; is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.
the current media protection policy is reviewed and updated the frequency with which the current media protection policy is reviewed and updated is defined;;
the current media protection policy is reviewed and updated following events that would require the current media protection policy to be reviewed and updated are defined;;
the current media protection procedures are reviewed and updated the frequency with which the current media protection procedures are reviewed and updated is defined;;
the current media protection procedures are reviewed and updated following events that would require media protection procedures to be reviewed and updated are defined;.
Media protection policy and procedures
organizational risk management strategy
system security plan
privacy plan
other relevant documents or records
Organizational personnel with media protection responsibilities
organizational personnel with information security and privacy responsibilities
MP-2: Media Access
Restrict access to organization-defined types of digital and/or non-digital media to organization-defined personnel or roles.
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.
access to types of digital media to which access is restricted are defined; is restricted to personnel or roles authorized to access digital media is/are defined;;
access to types of non-digital media to which access is restricted are defined; is restricted to personnel or roles authorized to access non-digital media is/are defined;.
System media protection policy
procedures addressing media access restrictions
access control policy and procedures
physical and environmental protection policy and procedures
media storage facilities
access control records
system security plan
other relevant documents or records
Organizational personnel with system media protection responsibilities
organizational personnel with information security responsibilities
system/network administrators
Organizational processes for restricting information media
mechanisms supporting and/or implementing media access restrictions
MP-3: Media Marking
Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
Exempt types of system media exempt from marking when remaining in controlled areas are defined; from marking if the media remain within controlled areas where media is exempt from marking are defined;.
Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;
types of system media exempt from marking when remaining in controlled areas are defined; remain within controlled areas where media is exempt from marking are defined;.
System media protection policy
procedures addressing media marking
physical and environmental protection policy and procedures
list of system media marking security attributes
designated controlled areas
system security plan
other relevant documents or records
Organizational personnel with system media protection and marking responsibilities
organizational personnel with information security responsibilities
Organizational processes for marking information media
mechanisms supporting and/or implementing media marking
MP-4: Media Storage
Physically control and securely store organization-defined types of digital and/or non-digital media within organization-defined controlled areas ; and
Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.
types of digital media to be physically controlled are defined (if selected); are physically controlled;
types of non-digital media to be physically controlled are defined (if selected); are physically controlled;
types of digital media to be securely stored are defined (if selected); are securely stored within controlled areas within which to securely store digital media are defined;;
types of non-digital media to be securely stored are defined (if selected); are securely stored within controlled areas within which to securely store non-digital media are defined;;
system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
System media protection policy
procedures addressing media storage
physical and environmental protection policy and procedures
access control policy and procedures
system media
designated controlled areas
system security plan
other relevant documents or records
Organizational personnel with system media protection and storage responsibilities
organizational personnel with information security responsibilities
Organizational processes for storing information media
mechanisms supporting and/or implementing secure media storage/media protection
MP-5: Media Transport
Protect and control types of system media to protect and control during transport outside of controlled areas are defined; during transport outside of controlled areas using organization-defined controls;
Maintain accountability for system media during transport outside of controlled areas;
Document activities associated with the transport of system media; and
Restrict the activities associated with the transport of system media to authorized personnel.
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
types of system media to protect and control during transport outside of controlled areas are defined; are protected during transport outside of controlled areas using controls used to protect system media outside of controlled areas are defined;;
types of system media to protect and control during transport outside of controlled areas are defined; are controlled during transport outside of controlled areas using controls used to control system media outside of controlled areas are defined;;
accountability for system media is maintained during transport outside of controlled areas;
activities associated with the transport of system media are documented;
personnel authorized to conduct media transport activities is/are identified;
activities associated with the transport of system media are restricted to identified authorized personnel.
System media protection policy
procedures addressing media storage
physical and environmental protection policy and procedures
access control policy and procedures
authorized personnel list
system media
designated controlled areas
system security plan
other relevant documents or records
Organizational personnel with system media protection and storage responsibilities
organizational personnel with information security responsibilities
system/network administrators
Organizational processes for storing information media
mechanisms supporting and/or implementing media storage/media protection
MP-6: Media Sanitization
Sanitize organization-defined system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures ; and
Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.
system media to be sanitized prior to disposal is defined; is sanitized using sanitization techniques and procedures to be used for sanitization prior to disposal are defined; prior to disposal;
system media to be sanitized prior to release from organizational control is defined; is sanitized using sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined; prior to release from organizational control;
system media to be sanitized prior to release for reuse is defined; is sanitized using sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined; prior to release for reuse;
sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.
System media protection policy
procedures addressing media sanitization and disposal
applicable federal standards and policies addressing media sanitization policy
media sanitization records
system audit records
system design documentation
records retention and disposition policy
records retention and disposition procedures
system configuration settings and associated documentation
system security plan
privacy plan
other relevant documents or records
Organizational personnel with media sanitization responsibilities
organizational personnel with records retention and disposition responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Organizational processes for media sanitization
mechanisms supporting and/or implementing media sanitization
MP-6 (1): Review, Approve, Track, Document, and Verify
Review, approve, track, document, and verify media sanitization and disposal actions.
Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal.
media sanitization and disposal actions are reviewed;
media sanitization and disposal actions are approved;
media sanitization and disposal actions are tracked;
media sanitization and disposal actions are documented;
media sanitization and disposal actions are verified.
System media protection policy
procedures addressing media sanitization and disposal
records retention and disposition policy
records retention and disposition procedures
media sanitization and disposal records
review records for media sanitization and disposal actions
approvals for media sanitization and disposal actions
tracking records
verification records
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with system media sanitization and disposal responsibilities
organizational personnel with records retention and disposition responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Organizational processes for media sanitization
mechanisms supporting and/or implementing media sanitization
mechanisms supporting and/or implementing verification of media sanitization
MP-6 (2): Equipment Testing
Test sanitization equipment and procedures organization-defined frequency to ensure that the intended sanitization is being achieved.
Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers.
sanitization equipment is tested frequency with which to test sanitization equipment is defined; to ensure that the intended sanitization is being achieved;
sanitization procedures are tested frequency with which to test sanitization procedures is defined; to ensure that the intended sanitization is being achieved.
System media protection policy
procedures addressing media sanitization and disposal
procedures addressing testing of media sanitization equipment
results of media sanitization equipment and procedures testing
system audit records
records retention and disposition policy
records retention and disposition procedures
system security plan
privacy plan
other relevant documents or records
Organizational personnel with system media sanitization responsibilities
organizational personnel with records retention and disposition responsibilities
organizational personnel with information security and privacy responsibilities
Organizational processes for media sanitization
automated mechanisms supporting and/or implementing media sanitization
automated mechanisms supporting and/or implementing media sanitization procedures
sanitization equipment
MP-6 (3): Nondestructive Techniques
Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: circumstances requiring sanitization of portable storage devices are defined;.
Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.
non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under circumstances requiring sanitization of portable storage devices are defined;.
System media protection policy
procedures addressing media sanitization and disposal
information on portable storage devices for the system
list of circumstances requiring sanitization of portable storage devices
media sanitization records
audit records
system security plan
other relevant documents or records
Organizational personnel with system media sanitization responsibilities
organizational personnel with information security responsibilities
Organizational processes for media sanitization of portable storage devices
mechanisms supporting and/or implementing media sanitization
MP-7: Media Use
restrictorprohibit the use of types of system media to be restricted or prohibited from use on systems or system components are defined; on systems or system components on which the use of specific types of system media to be restricted or prohibited are defined; using controls to restrict or prohibit the use of specific types of system media on systems or system components are defined; ; and
Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2 , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.
the use of types of system media to be restricted or prohibited from use on systems or system components are defined; is restrictorprohibit on systems or system components on which the use of specific types of system media to be restricted or prohibited are defined; using controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;;
the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.
System media protection policy
system use policy
procedures addressing media usage restrictions
rules of behavior
system design documentation
system configuration settings and associated documentation
audit records
system security plan
other relevant documents or records
Organizational personnel with system media use responsibilities
organizational personnel with information security responsibilities
system/network administrators
Organizational processes for media use
mechanisms restricting or prohibiting the use of system media on systems or system components