MP 5 MEDIA TRANSPORT - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Protect and control [ Assignment: organization-defined types of system media ] during transport outside of controlled areas using [ Assignment: organization-defined controls ];
• b. Maintain accountability for system media during transport outside of controlled areas;
• c. Document activities associated with the transport of system media; and
• d. Restrict the activities associated with the transport of system media to authorized personnel.

Discussion: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

Related Controls: AC-7, AC-19, CP-2, CP-9, MP-3, MP-4, PE-16, PL-2, SC-12, SC-13, SC-28, SC-34.

Control Enhancements:

• (1) MEDIA TRANSPORT | PROTECTION OUTSIDE OF CONTROLLED AREAS
  [Withdrawn: Incorporated into MP-5.]

• (2) MEDIA TRANSPORT | DOCUMENTATION OF ACTIVITIES
  [Withdrawn: Incorporated into MP-5.]

• (3) MEDIA TRANSPORT | CUSTODIANS
  Employ an identified custodian during transport of system media outside of controlled areas.

  Discussion: Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another if an unambiguous custodian is identified.

  Related Controls: None.

• (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION
  [Withdrawn: Incorporated into SC-28(1).]

References: [FIPS 199], [SP 800-60-1], [SP 800-60-2].