BRACKETOLOGY | FEDRAMP
MP-4: MEDIA STORAGE
-
FedRAMP Baseline Membership MP-4:
- MODERATE
- HIGH
FedRAMP Bracketology
Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH
Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.
Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.
To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open
Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.
The organization:
- a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
- b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
The organization:
- a. Physically controls and securely stores all types of digital and non-digital media with sensitive information within organization-defined controlled areas (See additional FedRAMP requirements and guidance); and
- b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
FedRAMP REQUIREMENT:
The service provider defines controlled areas within facilities where the information and information system reside.
The organization:
- a. Physically controls and securely stores all types of digital and non-digital media with sensitive information within organization-defined controlled areas (See additional FedRAMP requirements and guidance); and
- b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
FedRAMP REQUIREMENT:
The service provider defines controlled areas within facilities where the information and information system reside.
SUPPLEMENTAL GUIDANCE
Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.
RELATED CONTROLS: MP-4
CONTROL ENHANCEMENTS
MP-4 (1) MEDIA STORAGE | CRYPTOGRAPHIC PROTECTION
[Withdrawn: Incorporated into SC-28 (1)].
MP-4 (2) MEDIA STORAGE | AUTOMATED RESTRICTED ACCESS
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
Supplemental Guidance:
Automated mechanisms can include, for example, keypads on the external entries to media storage areas.
RELATED CONTROLS: MP-4 (2)
REFERENCES:
- FIPS Publication 199
- NIST Special Publication 800-111
- NIST Special Publication 800-56
- NIST Special Publication 800-57