NIST 800-53 REV 5 • MEDIA PROTECTION

MP-4 Media Storage

a. Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

Supplemental Guidance

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.

Practitioner Notes

The media types the organization names in MP-4a must be physically controlled and securely stored within the controlled areas it defines. In practice this means locked storage in a protected area with an inventory and a check-out record, not media sitting loose on desks, in unlocked drawers, or in a laptop bag. The protection obligation does not end when the media leaves service; it continues until the media is sanitized or destroyed.

Example 1: Store all removable media (USB drives, backup tapes, external drives) in a GSA-approved security container or a locked media safe when not in active use. Keep the safe in a room with access controls. Maintain an inventory of all stored media (label or serial number, media type, classification of the content, assigned container) together with a check-out and return log, and verify it quarterly by physically scanning the containers and reconciling what is found against the inventory and the open check-outs.
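
The quarterly verification in Example 1 is a reconciliation of three records: the inventory, the check-out log, and a physical scan of the containers. The following is an added worked example written for this page, not NIST text or any vendor's tool; the media labels, custodians, container names, dates and the 30-day loan limit are all constructed for illustration.

```python
"""Reconcile a media inventory against check-out records and a physical scan.

Added example for MP-4 practitioner notes. All identifiers, dates and the
loan limit below are constructed sample data, not real records.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class MediaItem:
    media_id: str        # label or serial number on the media
    media_type: str      # e.g. "usb", "lto-tape", "hdd"
    classification: str  # e.g. "CUI", "public"
    container: str       # locked container the item is assigned to


@dataclass(frozen=True)
class LoanEvent:
    media_id: str
    custodian: str
    checked_out: date
    returned: Optional[date]  # None while the item is still checked out


def reconcile(inventory: Iterable[MediaItem],
              events: Iterable[LoanEvent],
              scan: Dict[str, str],
              as_of: date,
              max_loan_days: int = 30) -> Dict[str, List[str]]:
    """Classify discrepancies between the ledger and a physical scan.

    scan maps each media_id physically found to the container it was found in.
    Every inventory item must be either in its assigned container or on an
    open (unreturned) loan; anything else is a finding.
    """
    by_id = {m.media_id: m for m in inventory}
    loans = {e.media_id: e for e in events if e.returned is None}
    findings: Dict[str, List[str]] = {
        "missing": [],             # expected in storage, not found anywhere
        "misplaced": [],           # found, but in the wrong container
        "overdue": [],             # checked out longer than max_loan_days
        "loaned_but_present": [],  # log says checked out, item is on the shelf
        "unknown": [],             # found in a container, not in the inventory
    }
    for media_id, item in by_id.items():
        found_in = scan.get(media_id)
        if media_id in loans:
            if found_in is not None:
                findings["loaned_but_present"].append(media_id)
            elif (as_of - loans[media_id].checked_out).days > max_loan_days:
                findings["overdue"].append(media_id)
        elif found_in is None:
            findings["missing"].append(media_id)
        elif found_in != item.container:
            findings["misplaced"].append(media_id)
    findings["unknown"] = [m for m in scan if m not in by_id]
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data (hypothetical labels, people and dates).
INVENTORY = [
    MediaItem("USB-0001", "usb", "CUI", "SAFE-A"),
    MediaItem("USB-0002", "usb", "CUI", "SAFE-A"),
    MediaItem("TAPE-0101", "lto-tape", "CUI", "SAFE-B"),
    MediaItem("TAPE-0102", "lto-tape", "CUI", "SAFE-B"),
    MediaItem("HDD-0501", "hdd", "CUI", "SAFE-B"),
]
EVENTS = [
    LoanEvent("USB-0002", "jdoe", date(2024, 3, 1), date(2024, 3, 5)),
    LoanEvent("TAPE-0102", "backup-op", date(2024, 1, 10), None),
    LoanEvent("HDD-0501", "sysadmin", date(2024, 3, 20), None),
]
SCAN = {
    "USB-0001": "SAFE-A",
    "TAPE-0101": "SAFE-A",   # assigned to SAFE-B
    "HDD-0501": "SAFE-B",    # log still shows it checked out
    "USB-9999": "SAFE-A",    # no inventory record at all
}
AS_OF = date(2024, 4, 1)


def run_quarterly_check() -> Dict[str, List[str]]:
    return reconcile(INVENTORY, EVENTS, SCAN, AS_OF)


if __name__ == "__main__":
    for kind, ids in run_quarterly_check().items():
        print(f"{kind:20s} {', '.join(ids) or '-'}")
```

Each finding class maps to a different corrective action: a "missing" item is a potential loss of the information on it and starts an incident, "misplaced" and "loaned_but_present" are ledger or handling errors to correct on the spot, "overdue" items are recalled from the custodian, and "unknown" media is quarantined until its origin and classification are established.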

Example 2: For server hard drives, ensure they are housed in locked server racks within a secured server room with badge access. When a drive is decommissioned, remove it from the server and transfer it immediately to secure storage pending sanitization or destruction; keep the drive's serial number in the media inventory until the sanitization or destruction record (see MP-6, Media Sanitization) closes it out.