MP-05 Media Transport
a. Protect and control mp-05_odp.01 during transport outside of controlled areas using mp-5_prm_2;
b. Maintain accountability for system media during transport outside of controlled areas;
c. Document activities associated with the transport of system media; and
d. Restrict the activities associated with the transport of system media to authorized personnel.
| Parameter ID | Definition |
|---|---|
| mp-5_prm_2 | organization-defined controls |
| mp-05_odp.01 | types of system media |
| mp-05_odp.02 | controls |
| mp-05_odp.03 | controls |
Baselines
- L
- M
- H
- P
Guidance
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
References
- FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
- SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
- SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Control Enhancements
- MP-05(01) Protection Outside of Controlled Areas
- MP-05(02) Documentation of Activities
- MP-05(03) Custodians L M H P
- MP-05(04) Cryptographic Protection
Related controls
- AC-07 Unsuccessful Logon Attempts L M H P
- AC-19 Access Control for Mobile Devices L M H P
- CP-02 Contingency Plan L M H P
- CP-09 System Backup L M H P
- MP-03 Media Marking L M H P
- MP-04 Media Storage L M H P
- PE-16 Delivery and Removal L M H P
- PL-02 System Security and Privacy Plans L M H P
- SC-12 Cryptographic Key Establishment and Management L M H P
- SC-13 Cryptographic Protection L M H P
- SC-28 Protection of Information at Rest L M H P
- SC-34 Non-modifiable Executable Programs L M H P