Device Class 2: Media Storage

Control ID: MP-4 Media Storage Family: Media Protection Source: NIST 800-53r4
Control: The organization:
  1. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
  2. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Supplemental Guidance:
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. In the case of C-ITS, this control applies to device design and related information developed during the development phase of a device's life cycle.

Related Controls: CP-9, MP-2, MP-7, PE-3, CP-6
Control Enhancements: N/A
References: N/A
Mechanisms:

  • Any media storing sensitive information physical or digital shall be stored and disposed of securely.
  • All physical media storing sensitive information will be securely locked away when it is not in use.
  • The organization will make use of proper document shredding practices including having secure receptacles for disposing sensitive documents.
  • All digital media storing sensitive information will be sufficiently encrypted at rest. i
  • All digital media including hard drives, portable drives, and RAM will be properly wiped and destroyed (all bits set to 0) following industry best practices when it is no longer needed.
Protocol Implementation Conformance Statements: N/A