MP

Media Protection

Catalog: NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations  |  Controls: 50

← Back to Catalog
Control ID Title / Statement Priority Baseline Impact
MP-1
Media Protection Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, mp-1_prm_1 }}: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management ...
View parameters
Param ID Label Constraint / Choices
mp-1_prm_1 organization-defined personnel or roles Organization-defined
mp-1_prm_2 organization-defined frequency Organization-defined
mp-1_prm_3 organization-defined frequency Organization-defined
MP-2
Media Access 2 params
The organization restricts access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}.
View parameters
Param ID Label Constraint / Choices
mp-2_prm_1 organization-defined types of digital and/or non-digital media Organization-defined
mp-2_prm_2 organization-defined personnel or roles Organization-defined
MP-2(1)
Automated Restricted Access
MP-2(2)
Cryptographic Protection
MP-3
Media Marking 2 params
The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts {{ in...
View parameters
Param ID Label Constraint / Choices
mp-3_prm_1 organization-defined types of information system media Organization-defined
mp-3_prm_2 organization-defined controlled areas Organization-defined
MP-4
Media Storage 2 params
The organization: a. Physically controls and securely stores {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }}; and b. Protects information system media until the media are...
View parameters
Param ID Label Constraint / Choices
mp-4_prm_1 organization-defined types of digital and/or non-digital media Organization-defined
mp-4_prm_2 organization-defined controlled areas Organization-defined
MP-4(1)
Cryptographic Protection
MP-4(2)
Automated Restricted Access
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
MP-5
Media Transport 2 params
The organization: a. Protects and controls {{ insert: param, mp-5_prm_1 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }}; b. Maintains accountability for in...
View parameters
Param ID Label Constraint / Choices
mp-5_prm_1 organization-defined types of information system media Organization-defined
mp-5_prm_2 organization-defined security safeguards Organization-defined
MP-5(1)
Protection Outside of Controlled Areas
MP-5(2)
Documentation of Activities
MP-5(3)
Custodians
The organization employs an identified custodian during transport of information system media outside of controlled areas.
MP-5(4)
Cryptographic Protection
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
MP-6
Media Sanitization 2 params
The organization: a. Sanitizes {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} in accordance w...
View parameters
Param ID Label Constraint / Choices
mp-6_prm_1 organization-defined information system media Organization-defined
mp-6_prm_2 organization-defined sanitization techniques and procedures Organization-defined
MP-6(1)
Review / Approve / Track / Document / Verify
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
MP-6(2)
Equipment Testing 1 param
The organization tests sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to verify that the intended sanitization is being achieved.
View parameters
Param ID Label Constraint / Choices
mp-6.2_prm_1 organization-defined frequency Organization-defined
MP-6(3)
Nondestructive Techniques 1 param
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: {{ insert: ...
View parameters
Param ID Label Constraint / Choices
mp-6.3_prm_1 organization-defined circumstances requiring sanitization of portable storage devices Organization-defined
MP-6(4)
Controlled Unclassified Information
MP-6(5)
Classified Information
MP-6(6)
Media Destruction
MP-6(7)
Dual Authorization 1 param
The organization enforces dual authorization for the sanitization of {{ insert: param, mp-6.7_prm_1 }}.
View parameters
Param ID Label Constraint / Choices
mp-6.7_prm_1 organization-defined information system media Organization-defined
MP-6(8)
Remote Purging / Wiping of Information 2 params
The organization provides the capability to purge/wipe information from {{ insert: param, mp-6.8_prm_1 }} either remotely or under the following conditions: {{ insert: param, mp-6.8_prm_2 }}.
View parameters
Param ID Label Constraint / Choices
mp-6.8_prm_1 organization-defined information systems, system components, or devices Organization-defined
mp-6.8_prm_2 organization-defined conditions Organization-defined
MP-7
Media Use 4 params
The organization {{ insert: param, mp-7_prm_1 }} the use of {{ insert: param, mp-7_prm_2 }} on {{ insert: param, mp-7_prm_3 }} using {{ insert: param, mp-7_prm_4 }}.
View parameters
Param ID Label Constraint / Choices
mp-7_prm_1 Select one: restricts; prohibits
mp-7_prm_2 organization-defined types of information system media Organization-defined
mp-7_prm_3 organization-defined information systems or system components Organization-defined
mp-7_prm_4 organization-defined security safeguards Organization-defined
MP-7(1)
Prohibit Use Without Owner
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
MP-7(2)
Prohibit Use of Sanitization-resistant Media
The organization prohibits the use of sanitization-resistant media in organizational information systems.
MP-8
Media Downgrading 3 params
The organization: a. Establishes {{ insert: param, mp-8_prm_1 }} that includes employing downgrading mechanisms with {{ insert: param, mp-8_prm_2 }}; b. Ensures that the information system medi...
View parameters
Param ID Label Constraint / Choices
mp-8_prm_1 organization-defined information system media downgrading process Organization-defined
mp-8_prm_2 organization-defined strength and integrity Organization-defined
mp-8_prm_3 organization-defined information system media requiring downgrading Organization-defined
MP-8(1)
Documentation of Process
The organization documents information system media downgrading actions.
MP-8(2)
Equipment Testing 2 params
The organization employs {{ insert: param, mp-8.2_prm_1 }} of downgrading equipment and procedures to verify correct performance {{ insert: param, mp-8.2_prm_2 }}.
View parameters
Param ID Label Constraint / Choices
mp-8.2_prm_1 organization-defined tests Organization-defined
mp-8.2_prm_2 organization-defined frequency Organization-defined
MP-8(3)
Controlled Unclassified Information 1 param
The organization downgrades information system media containing {{ insert: param, mp-8.3_prm_1 }} prior to public release in accordance with applicable federal and organizational standards and poli...
View parameters
Param ID Label Constraint / Choices
mp-8.3_prm_1 organization-defined Controlled Unclassified Information (CUI) Organization-defined
MP-8(4)
Classified Information
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and po...
mp-1a Develops, documents, and disseminates to {{ insert: param, mp-1_prm_1 }}:
mp-1a.1 A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities...
mp-1a.2 Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
mp-1b Reviews and updates the current:
mp-1b.1 Media protection policy {{ insert: param, mp-1_prm_2 }}; and
mp-1b.2 Media protection procedures {{ insert: param, mp-1_prm_3 }}.
mp-3a Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the informat...
mp-3b Exempts {{ insert: param, mp-3_prm_1 }} from marking as long as the media remain within {{ insert: param, mp-3_prm_2 }}.
mp-4a Physically controls and securely stores {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }}; and
mp-4b Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
mp-5a Protects and controls {{ insert: param, mp-5_prm_1 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};
mp-5b Maintains accountability for information system media during transport outside of controlled areas;
mp-5c Documents activities associated with the transport of information system media; and
mp-5d Restricts the activities associated with the transport of information system media to authorized personnel.
mp-6a Sanitizes {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp...
mp-6b Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
mp-8a Establishes {{ insert: param, mp-8_prm_1 }} that includes employing downgrading mechanisms with {{ insert: param, mp-8_prm_2 }};
mp-8b Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the informa...
mp-8c Identifies {{ insert: param, mp-8_prm_3 }}; and
mp-8d Downgrades the identified information system media using the established process.