1. Home
  2. FedRAMP
  3. MP-5

BRACKETOLOGY | FEDRAMP

MP-5: MEDIA TRANSPORT

  • FedRAMP Baseline Membership MP-5:
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization:

    • a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
    • b. Maintains accountability for information system media during transport outside of controlled areas;
    • c. Documents activities associated with the transport of information system media; and
    • d. Restricts the activities associated with the transport of information system media to authorized personnel.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

The organization:

  • a. Protects and controls all media with sensitive information during transport outside of controlled areas using for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container;
  • b. Maintains accountability for information system media during transport outside of controlled areas;
  • c. Documents activities associated with the transport of information system media; and
  • d. Restricts the activities associated with the transport of information system media to authorized personnel.

FedRAMP REQUIREMENT:

MP-5a.: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO

The organization:

  • a. Protects and controls all media with sensitive information during transport outside of controlled areas using for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container;
  • b. Maintains accountability for information system media during transport outside of controlled areas;
  • c. Documents activities associated with the transport of information system media; and
  • d. Restricts the activities associated with the transport of information system media to authorized personnel.

FedRAMP REQUIREMENT:

MP-5a.: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO

SUPPLEMENTAL GUIDANCE

"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems.

Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records."

CONTROL ENHANCEMENTS

MP-5 (1) MEDIA TRANSPORT | PROTECTION OUTSIDE OF CONTROLLED AREAS

[Withdrawn: Incorporated into MP-5]. (See above.)

MP-5 (2) MEDIA TRANSPORT | DOCUMENTATION OF ACTIVITIES

[Withdrawn: Incorporated into MP-5]. (See above.)

MP-5 (3) MEDIA TRANSPORT | CUSTODIANS

The organization employs an identified custodian during transport of information system media outside of controlled areas.

Supplemental Guidance:

Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another as long as an unambiguous custodian is identified at all times.

MP-5 (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION
  • FedRAMP Baseline Membership MP-5 (4):
  • MODERATE
  • HIGH

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

Supplemental Guidance:

This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).

RELATED CONTROLS: MP-5 (4)

REFERENCES:

  • FIPS Publication 199
  • NIST Special Publication 800-60