NIST 800-53 REV 5 • MEDIA PROTECTION

MP-4(1) Cryptographic Protection

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

This enhancement requires cryptographic protection for media in storage. Even in a locked cabinet, encrypted media provides an additional layer of defense against theft or unauthorized access.

Example 1: Enable BitLocker full-disk encryption on all systems and removable media. For servers, use BitLocker with TPM and a startup PIN. Store recovery keys in Active Directory and back them up to a separate secured location.
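One way to verify the settings in Example 1 on a server, as an added example that is not part of the original notes. It uses the built-in BitLocker PowerShell module from an elevated session; the function name `Test-MediaEncryption` and the `-EscrowToAD` switch are hypothetical, and the AD backup step assumes a domain-joined machine whose policy allows recovery information to be stored in Active Directory.

```powershell
# Added example: audits local volumes against the BitLocker settings in Example 1.
# Test-MediaEncryption and -EscrowToAD are hypothetical names chosen for illustration.
function Test-MediaEncryption {
    param([switch]$EscrowToAD)   # also back up recovery passwords to Active Directory

    foreach ($vol in Get-BitLockerVolume) {
        $types    = $vol.KeyProtector.KeyProtectorType
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

        $findings = @()
        if ($vol.ProtectionStatus -ne 'On')         { $findings += 'protection is off' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings += "volume status is $($vol.VolumeStatus)" }
        if (-not $recovery)                         { $findings += 'no recovery password protector' }

        # Example 1 asks for TPM plus a startup PIN; checked here on the OS volume.
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -notcontains 'TpmPin') {
            $findings += 'OS volume lacks a TPM+PIN protector'
        }

        # Escrow every recovery password protector to the computer object in AD.
        if ($EscrowToAD -and $recovery) {
            foreach ($kp in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Report only; add -EscrowToAD to also push recovery passwords to AD.
Test-MediaEncryption | Format-Table -AutoSize
```

The object output can be exported with `Export-Csv` and retained as evidence that stored media is encrypted.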

Example 2: For backup media, use your backup software's encryption feature (Veeam, Commvault, or Veritas all support AES-256 encryption for backup jobs). Enable encryption for all backup jobs and manage encryption keys separately from the backup media themselves.