catalog: SP800-53rev3 / class: Operational / family: (MP) Media Protection
  MP-02: Media Access  

base control objective:
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].

supplemental objective information:
Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). An organizational assessment of risk guides the selection of media and associated information contained on that media requiring restricted access. Organizations document in policy and procedures, the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed that the physical access controls where the media resides provide adequate protection.

enhancements to the base objective:

(1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Enhancement Supplemental Guidance: This control enhancement is primarily applicable to media storage areas within an organization where a significant volume of media is stored and is not applicable to every location where some media is stored (e.g., in individual offices).

(2) The information system uses cryptographic mechanisms to protect and restrict access to information on portable, digital media.

mapping to FIPS199 baseline:

  LOW: base     MOD: base (1)     HIGH: base (1)  

related (regimented) controls:

MP-04   Media Storage
PE-03   Physical Access Control

documents referenced in SP800-53rev3 for MP-02:

Document          Date              Status    Title
FIPS 199          February, 2004    current   Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-124    July, 2008        current   Guidelines on Cell Phone and PDA Security
NIST SP800-72     November, 2004    current   Guidelines on PDA Forensics
