MP - Media Protection
- Controls Count: 3
- Controls IDs: MP-3, MP-4, MP-5
Controls
MP-3: Media Marking
Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
Exempt organization-defined types of system media from marking if the media remain within organization-defined controlled areas.
Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002. Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;
organization-defined types of system media exempt from marking remain within organization-defined controlled areas where media is exempt from marking.
System media protection policy
procedures addressing media marking
physical and environmental protection policy and procedures
list of system media marking security attributes
designated controlled areas
system security plan
other relevant documents or records
Organizational personnel with system media protection and marking responsibilities
organizational personnel with information security responsibilities
Organizational processes for marking information media
mechanisms supporting and/or implementing media marking
MP-4: Media Storage
Physically control and securely store organization-defined types of digital and/or non-digital media within organization-defined controlled areas; and
Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.
organization-defined types of digital media (if selected) are physically controlled;
organization-defined types of non-digital media (if selected) are physically controlled;
organization-defined types of digital media (if selected) are securely stored within organization-defined controlled areas for storing digital media;
organization-defined types of non-digital media (if selected) are securely stored within organization-defined controlled areas for storing non-digital media;
system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
System media protection policy
procedures addressing media storage
physical and environmental protection policy and procedures
access control policy and procedures
system media
designated controlled areas
system security plan
other relevant documents or records
Organizational personnel with system media protection and storage responsibilities
organizational personnel with information security responsibilities
Organizational processes for storing information media
mechanisms supporting and/or implementing secure media storage/media protection
MP-5: Media Transport
Protect and control organization-defined types of system media during transport outside of controlled areas using organization-defined controls;
Maintain accountability for system media during transport outside of controlled areas;
Document activities associated with the transport of system media; and
Restrict the activities associated with the transport of system media to authorized personnel.
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
organization-defined types of system media are protected during transport outside of controlled areas using organization-defined controls to protect system media outside of controlled areas;
organization-defined types of system media are controlled during transport outside of controlled areas using organization-defined controls to control system media outside of controlled areas;
accountability for system media is maintained during transport outside of controlled areas;
activities associated with the transport of system media are documented;
personnel authorized to conduct media transport activities is/are identified;
activities associated with the transport of system media are restricted to identified authorized personnel.
System media protection policy
procedures addressing media storage
physical and environmental protection policy and procedures
access control policy and procedures
authorized personnel list
system media
designated controlled areas
system security plan
other relevant documents or records
Organizational personnel with system media protection and storage responsibilities
organizational personnel with information security responsibilities
system/network administrators
Organizational processes for storing information media
mechanisms supporting and/or implementing media storage/media protection