Media protection
Estimated reading time: 5 minutesMP-1 Media Protection Policy And Procedures
Description
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
- A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
- Reviews and updates the current:
- Media protection policy [Assignment: organization-defined frequency]; and
- Media protection procedures [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
MP-2 Media Access
Description
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
Control Information
Responsible role(s) - Organization
MP-3 Media Marking
Description
The organization:
- Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
- Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
Control Information
Responsible role(s) - Organization
MP-4 Media Storage
Description
The organization:
- Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
- Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Control Information
Responsible role(s) - Organization
MP-4 (2) Automated Restricted Access
Description
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Control Information
Responsible role(s) - Organization
MP-5 Media Transport
Description
The organization:
- Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
- Maintains accountability for information system media during transport outside of controlled areas;
- Documents activities associated with the transport of information system media; and
- Restricts the activities associated with the transport of information system media to authorized personnel.
Control Information
Responsible role(s) - Organization
MP-5 (3) Custodians
Description
The organization employs an identified custodian during transport of information system media outside of controlled areas.
Control Information
Responsible role(s) - Organization
MP-5 (4) Cryptographic Protection
Description
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Control Information
Responsible role(s) - Organization
MP-6 Media Sanitization
Description
The organization:
- Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
- Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Control Information
Responsible role(s) - Organization
MP-6 (1) Review / Approve / Track / Document / Verify
Description
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
Control Information
Responsible role(s) - Organization
MP-6 (2) Equipment Testing
Description
The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
Control Information
Responsible role(s) - Organization
MP-6 (3) Nondestructive Techniques
Description
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
Control Information
Responsible role(s) - Organization
MP-6 (7) Dual Authorization
Description
The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media].
Control Information
Responsible role(s) - Organization
MP-6 (8) Remote Purging / Wiping Of Information
Description
The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions].
Control Information
Responsible role(s) - Organization
MP-7 Media Use
Description
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
Control Information
Responsible role(s) - Organization
MP-7 (1) Prohibit Use Without Owner
Description
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
Control Information
Responsible role(s) - Organization
MP-7 (2) Prohibit Use Of Sanitization-Resistant Media
Description
The organization prohibits the use of sanitization-resistant media in organizational information systems.
Control Information
Responsible role(s) - Organization
MP-8 Media Downgrading
Description
The organization:
- Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];
- Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
- Identifies [Assignment: organization-defined information system media requiring downgrading]; and
- Downgrades the identified information system media using the established process.
Control Information
Responsible role(s) - Organization
MP-8 (1) Documentation Of Process
Description
The organization documents information system media downgrading actions.
Control Information
Responsible role(s) - Organization
MP-8 (2) Equipment Testing
Description
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
MP-8 (3) Controlled Unclassified Information
Description
The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies.
Control Information
Responsible role(s) - Organization
MP-8 (4) Classified Information
Description
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
Control Information
Responsible role(s) - Organization