SPARC

Media Protection

Catalog: Electronic (OSCAL) Version of NIST SP 800-53 Rev 5.2.0 Controls and SP 800-53A Rev 5.2.0 Assessment Procedures | Controls: 55

← Back to Catalog

Control ID

Title / Statement

Priority

Baseline Impact

MP-01

Policy and Procedures 9 params

a. Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}: 1. {{ insert: param, mp-01_odp.03 }} media protection policy that: (a) Addresses purpose, scope, roles, respons...

► View parameters

Param ID	Label	Constraint / Choices
mp-1_prm_1	organization-defined personnel or roles	Organization-defined
mp-01_odp.01	personnel or roles	personnel or roles to whom the media protection policy is to be disseminated is/are defined;
mp-01_odp.02	personnel or roles	personnel or roles to whom the media protection procedures are to be disseminated is/are defined;
mp-01_odp.03		Select one-or-more: organization-level; mission/business process-level; system-level
mp-01_odp.04	official	an official to manage the media protection policy and procedures is defined;
mp-01_odp.05	frequency	the frequency with which the current media protection policy is reviewed and updated is defined;
mp-01_odp.06	events	events that would require the current media protection policy to be reviewed and updated are defined;
mp-01_odp.07	frequency	the frequency with which the current media protection procedures are reviewed and updated is defined;
mp-01_odp.08	events	events that would require media protection procedures to be reviewed and updated are defined;

—

MP-02

Media Access 6 params

Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}.

► View parameters

Param ID	Label	Constraint / Choices
mp-2_prm_1	organization-defined types of digital and/or non-digital media	Organization-defined
mp-2_prm_2	organization-defined personnel or roles	Organization-defined
mp-02_odp.01	types of digital media	types of digital media to which access is restricted are defined;
mp-02_odp.02	personnel or roles	personnel or roles authorized to access digital media is/are defined;
mp-02_odp.03	types of non-digital media	types of non-digital media to which access is restricted are defined;
mp-02_odp.04	personnel or roles	personnel or roles authorized to access non-digital media is/are defined;

—

MP-02(01)

Automated Restricted Access

—

MP-02(02)

Cryptographic Protection

—

MP-03

Media Marking 2 params

a. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempt {{ insert: param, mp-03_odp.01 }} fro...

► View parameters

Param ID	Label	Constraint / Choices
mp-03_odp.01	types of media exempted from marking	types of system media exempt from marking when remaining in controlled areas are defined;
mp-03_odp.02	controlled areas	controlled areas where media is exempt from marking are defined;

—

MP-04

Media Storage 8 params

a. Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and b. Protect system media types defined in MP-4a until the media are destroye...

► View parameters

Param ID	Label	Constraint / Choices
mp-4_prm_1	organization-defined types of digital and/or non-digital media	Organization-defined
mp-4_prm_2	organization-defined controlled areas	Organization-defined
mp-04_odp.01	types of digital media	types of digital media to be physically controlled are defined (if selected);
mp-04_odp.02	types of non-digital media	types of non-digital media to be physically controlled are defined (if selected);
mp-04_odp.03	types of digital media	types of digital media to be securely stored are defined (if selected);
mp-04_odp.04	types of non-digital media	types of non-digital media to be securely stored are defined (if selected);
mp-04_odp.05	controlled areas	controlled areas within which to securely store digital media are defined;
mp-04_odp.06	controlled areas	controlled areas within which to securely store non-digital media are defined;

—

MP-04(01)

Cryptographic Protection

—

MP-04(02)

Automated Restricted Access 4 params

Restrict access to media storage areas and log access attempts and access granted using {{ insert: param, mp-4.2_prm_1 }}.

► View parameters

Param ID	Label	Constraint / Choices
mp-4.2_prm_1	organization-defined automated mechanisms	Organization-defined
mp-04.02_odp.01	automated mechanisms	automated mechanisms to restrict access to media storage areas are defined;
mp-04.02_odp.02	automated mechanisms	automated mechanisms to log access attempts to media storage areas are defined;
mp-04.02_odp.03	automated mechanisms	automated mechanisms to log access granted to media storage areas are defined;

—

MP-05

Media Transport 4 params

a. Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }}; b. Maintain accountability for system media during t...

► View parameters

Param ID	Label	Constraint / Choices
mp-5_prm_2	organization-defined controls	Organization-defined
mp-05_odp.01	types of system media	types of system media to protect and control during transport outside of controlled areas are defined;
mp-05_odp.02	controls	controls used to protect system media outside of controlled areas are defined;
mp-05_odp.03	controls	controls used to control system media outside of controlled areas are defined;

—

MP-05(01)

Protection Outside of Controlled Areas

—

MP-05(02)

Documentation of Activities

—

MP-05(03)

Custodians

Employ an identified custodian during transport of system media outside of controlled areas.

—

MP-05(04)

Cryptographic Protection

—

MP-06

Media Sanitization 8 params

a. Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and b. Employ sanitization mec...

► View parameters

Param ID	Label	Constraint / Choices
mp-6_prm_1	organization-defined system media	Organization-defined
mp-6_prm_2	organization-defined sanitization techniques and procedures	Organization-defined
mp-06_odp.01	system media	system media to be sanitized prior to disposal is defined;
mp-06_odp.02	system media	system media to be sanitized prior to release from organizational control is defined;
mp-06_odp.03	system media	system media to be sanitized prior to release for reuse is defined;
mp-06_odp.04	sanitization techniques and procedures	sanitization techniques and procedures to be used for sanitization prior to disposal are defined;
mp-06_odp.05	sanitization techniques and procedures	sanitization techniques and procedures to be used for sanitization prior to release from organizational control are d...
mp-06_odp.06	sanitization techniques and procedures	sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;

—

MP-06(01)

Review, Approve, Track, Document, and Verify

Review, approve, track, document, and verify media sanitization and disposal actions.

—

MP-06(02)

Equipment Testing 3 params

Test sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to ensure that the intended sanitization is being achieved.

► View parameters

Param ID	Label	Constraint / Choices
mp-6.2_prm_1	organization-defined frequency	Organization-defined
mp-06.02_odp.01	frequency	frequency with which to test sanitization equipment is defined;
mp-06.02_odp.02	frequency	frequency with which to test sanitization procedures is defined;

—

MP-06(03)

Nondestructive Techniques 1 param

Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ insert: param, mp-06.03_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
mp-06.03_odp	circumstances	circumstances requiring sanitization of portable storage devices are defined;

—

MP-06(04)

Controlled Unclassified Information

—

MP-06(05)

Classified Information

—

MP-06(06)

Media Destruction

—

MP-06(07)

Dual Authorization 1 param

Enforce dual authorization for the sanitization of {{ insert: param, mp-06.07_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
mp-06.07_odp	system media	system media to be sanitized using dual authorization is defined;

—

MP-06(08)

Remote Purging or Wiping of Information 3 params

Provide the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
mp-06.08_odp.01	systems or system components	systems or system components to purge or wipe information either remotely or under specific conditions are defined;
mp-06.08_odp.02		Select one: remotely; under {{ insert: param, mp-06.08_odp.03 }}
mp-06.08_odp.03	conditions	conditions under which information is to be purged or wiped are defined (if selected);

—

MP-07

Media Use 4 params

a. {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and b. Prohibit the use of porta...

► View parameters

Param ID	Label	Constraint / Choices
mp-07_odp.01	types of system media	types of system media to be restricted or prohibited from use on systems or system components are defined;
mp-07_odp.02		Select one: restrict; prohibit
mp-07_odp.03	systems or system components	systems or system components on which the use of specific types of system media to be restricted or prohibited are de...
mp-07_odp.04	controls	controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;

—

MP-07(01)

Prohibit Use Without Owner

—

MP-07(02)

Prohibit Use of Sanitization-resistant Media

Prohibit the use of sanitization-resistant media in organizational systems.

—

MP-08

Media Downgrading 2 params

a. Establish {{ insert: param, mp-08_odp.01 }} that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the informat...

► View parameters

Param ID	Label	Constraint / Choices
mp-08_odp.01	system media downgrading process	a system media downgrading process is defined;
mp-08_odp.02	system media requiring downgrading	system media requiring downgrading is defined;

—

MP-08(01)

Documentation of Process

Document system media downgrading actions.

—

MP-08(02)

Equipment Testing 3 params

Test downgrading equipment and procedures {{ insert: param, mp-8.2_prm_1 }} to ensure that downgrading actions are being achieved.

► View parameters

Param ID	Label	Constraint / Choices
mp-8.2_prm_1	organization-defined frequency	Organization-defined
mp-08.02_odp.01	frequency	the frequency with which to test downgrading equipment is defined;
mp-08.02_odp.02	frequency	the frequency with which to test downgrading procedures is defined;

—

MP-08(03)

Controlled Unclassified Information

Downgrade system media containing controlled unclassified information prior to public release.

—

MP-08(04)

Classified Information

Downgrade system media containing classified information prior to release to individuals without required access authorizations.

—

└ mp-1a

Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:

—

└ mp-1a.1

{{ insert: param, mp-01_odp.03 }} media protection policy that:

—

└ mp-1a.1.(a)

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

—

└ mp-1a.1.(b)

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

—

└ mp-1a.2

Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;

—

└ mp-1b

Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and proce...

—

└ mp-1c

Review and update the current media protection:

—

└ mp-1c.1

Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and

—

└ mp-1c.2

Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}.

—

└ mp-3a

Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

—

└ mp-3b

Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}.

—

└ mp-4a

Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and

—

└ mp-4b

Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

—

└ mp-5a

Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};

—

└ mp-5b

Maintain accountability for system media during transport outside of controlled areas;

—

└ mp-5c

Document activities associated with the transport of system media; and

—

└ mp-5d

Restrict the activities associated with the transport of system media to authorized personnel.

—

└ mp-6a

Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-...

—

└ mp-6b

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

—

└ mp-7a

{{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_o...

—

└ mp-7b

Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

—

└ mp-8a

Establish {{ insert: param, mp-08_odp.01 }} that includes employing downgrading mechanisms with strength and integrity commensurate with the securi...

—

└ mp-8b

Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be re...

—

└ mp-8c

Identify {{ insert: param, mp-08_odp.02 }} ; and

—

└ mp-8d

Downgrade the identified system media using the established process.

—