NIST 800-53 REV 5 • MEDIA PROTECTION

MP-2(2) Cryptographic Protection

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement requires cryptographic protection for media. Encryption ensures that even if someone gains physical access to the media, they cannot read the data without the decryption key.

Example 1: Enable BitLocker on all laptop drives and removable media through GPO at Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption. Require BitLocker To Go for any USB storage device used with company systems. Store recovery keys in Active Directory.
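A PowerShell audit for the expectations in Example 1, added here as an illustration and not part of the original notes. It relies on the built-in `Get-BitLockerVolume` cmdlet; the helper name `Test-VolumeEncryption` is hypothetical and its pass criteria (fully encrypted, protection on, a recovery password protector present) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: audit local volumes against the BitLocker expectations above.
# Test-VolumeEncryption is a hypothetical helper; its pass criteria are assumptions.

function Test-VolumeEncryption {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $findings = @()
        if ($Volume.LockStatus -eq 'Locked') {
            # A locked BitLocker To Go drive is encrypted but cannot be inspected further.
            $findings += 'Volume is locked; unlock it to evaluate'
        } else {
            if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
                $findings += "Volume status is $($Volume.VolumeStatus)"
            }
            if ($Volume.ProtectionStatus -ne 'On') {
                $findings += 'Protection is off or suspended'
            }
        }
        # Only a RecoveryPassword protector can be escrowed in Active Directory.
        $recovery = @($Volume.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        if ($recovery.Count -eq 0) {
            $findings += 'No recovery password protector to store in AD'
        }
        [pscustomobject]@{
            MountPoint  = $Volume.MountPoint
            VolumeType  = $Volume.VolumeType
            Method      = $Volume.EncryptionMethod
            RecoveryIds = $recovery.KeyProtectorId -join ','
            Compliant   = ($findings.Count -eq 0)
            Findings    = $findings -join '; '
        }
    }
}

# Get-BitLockerVolume reports the volumes on this host, including attached removable drives.
$report = Get-BitLockerVolume | Test-VolumeEncryption
$report | Format-Table MountPoint, VolumeType, Method, Compliant, Findings -AutoSize

# Non-zero exit lets a scheduled compliance task flag the host.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

The script confirms only that a recovery password protector exists locally, not that it has reached Active Directory. `Backup-BitLockerKeyProtector -MountPoint <drive> -KeyProtectorId <id>` writes a listed protector to AD DS when the GPO did not do so at encryption time.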

Example 2: Use hardware-encrypted USB drives (such as Kingston IronKey or Apricorn Aegis) for any removable media that stores organizational data. Purchase only FIPS 140-2 validated encrypted drives and document approved models in your media protection policy.