home || catalog: SP800-53rev3 / class: Operational / family: (MP) Media Protection ||
search controls:
search nistpubs:

AC
AT
AU
CA
CM
CP
IA
IR
MA
MP

MP-01
MP-02
MP-03
MP-04 *
MP-05
MP-06

PE
PL
PM
PS
RA
SA
SC
SI
MMMMM

  MP-04: Media Storage  

base control objective:
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures];
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

supplemental objective information:
Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel use extreme caution in the types of information stored on telephone voicemail systems. A controlled area is any area or space for which the organization has confidence that the physical and procedural protections are sufficient to meet the requirements established for protecting the information and/or information system. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring physical protection. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on the organization or individuals if accessed by other than authorized personnel. In these situations, it is assumed that the physical access controls to the facility where the media resides provide adequate protection.
As part of a defense-in-depth strategy, the organization considers routinely encrypting information at rest on selected secondary storage devices. The organization implements cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.

enhancements to the base objective:

(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical protection measures:
(a) The information system implements FIPS-validated cryptography to encrypt sensitive or Controlled Unclassified Information (CUI) at rest;
(b) The information system implements FIPS-validated cryptography to encrypt collateral, classified, national security information (i.e., other than Sources and Methods Information [SAMI]) at rest; and
(c) The organization employs NSA-approved cryptography to protect Sensitive Compartmented Information (SCI) at rest.
Enhancement Supplemental Guidance: The employment of cryptographic mechanisms is at the discretion of the information owner/steward. The selection and strength of cryptographic mechanisms is based upon maintaining the confidentiality of the information. The strength of the cryptographic mechanism is commensurate with the classification and sensitivity of the information. Alternative physical protection measures include, for example, a Sensitive Compartmented Information Facility (SCIF).

(2) The organization employs effective cryptographic key management in support of secondary storage encryption and provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.

(3) The organization employs NSA-approved cryptography to protect stored Sources and Methods Information (SAMI) if the information is accessed by individuals without an appropriate security clearance.

mapping to FIPS199 baseline:

  LOW: null     MOD: base     HIGH: base  

related (regimented) controls:

AC-19   Access Control for Mobile Devices
CP-06   Alternate Storage Site
CP-09   Information System Backup
MP-02   Media Access
PE-03   Physical Access Control

documents referenced in SP800-53rev3 for MP-04:

Document Date Status Title
FIPS 199 February, 2004 current   Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-56a March, 2006 current   Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
NIST SP800-57, part1 August, 2005 current   Recommendation for Key Management, part 1
NIST SP800-66 October, 2008 current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-88 September, 2006 current   Guidelines for Media Sanitization
NIST SP800-92 September, 2006 current   Guide to Computer Security Log Management

Search SP800-53rev3 catalog: