catalog: SP800-53rev3 / class: Operational / family: (MP) Media Protection

  MP-05: Media Transport  

base control objective:
The organization:
a. Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures];
b. Maintains accountability for information system media during transport outside of controlled areas; and
c. Restricts the activities associated with transport of such media to authorized personnel.

supplemental objective information:
Information system media includes both digital media (e.g., diskettes, magnetic tapes, removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices) that are transported outside of controlled areas. Telephone systems are also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems). Since telephone systems do not have, in most cases, the identification, authentication, and access control mechanisms typically employed in other information systems, organizational personnel use caution in the types of information stored on telephone voicemail systems that are transported outside of controlled areas. A controlled area is any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.
Physical and technical security measures for the protection of digital and non-digital media are approved by the organization, commensurate with the classification or sensitivity of the information residing on the media, and consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Locked containers and cryptography are examples of security measures available to protect digital and non-digital media during transport. Cryptographic mechanisms can provide confidentiality and/or integrity protections depending upon the mechanisms used. An organizational assessment of risk guides the selection of media and associated information contained on that media requiring protection during transport. An organizational assessment of risk guides the selection and use of storage containers for transporting non-digital media. Authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service).

enhancements to the base objective:

(1) Withdrawn: Incorporated into MP-05 (base).

(2) The organization documents activities associated with the transport of information system media.
Enhancement Supplemental Guidance: Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with the organizational assessment of risk to include the flexibility to define different record keeping methods for different types of media transport as part of an overall system of transport-related records.

(3) The organization employs an identified custodian throughout the transport of information system media.
Enhancement Supplemental Guidance: Custodial responsibilities can be transferred from one individual to another as long as an unambiguous custodian is identified at all times.

(4) The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Enhancement Supplemental Guidance: This control enhancement also applies to mobile devices. Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones).

mapping to FIPS199 baseline:

  LOW: null     MOD: base (2) (4)     HIGH: base (2) (3) (4)  

related (regimented) controls:

MP-04   Media Storage

documents referenced in SP800-53rev3 for MP-05:

Document              Date             Status   Title
FIPS 199              February, 2004   current  Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-124        July, 2008       current  Guidelines on Cell Phone and PDA Security
NIST SP800-57, part1  August, 2005     current  Recommendation for Key Management, part 1
NIST SP800-57, part2  August, 2005     current  Recommendation for Key Management, part 2
NIST SP800-72         November, 2004   current  Guidelines on PDA Forensics
NIST SP800-92         September, 2006  current  Guide to Computer Security Log Management
