NIST 800-53 REV 5 • MEDIA PROTECTION
MP-5 — Media Transport
Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls]; maintain accountability for system media during transport outside of controlled areas; document activities associated with the transport of system media; and restrict the activities associated with the transport of system media to authorized personnel.
Supplemental Guidance
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
Practitioner Notes
When media is transported outside your facility — whether it is a laptop, backup tape, or USB drive — it needs protection and accountability. You should know where the media is at all times during transport.
Example 1: Require all media leaving the facility to be encrypted (BitLocker, hardware-encrypted drives) and transported in a locked bag or container. Maintain a media transport log that records what left, when, who carried it, and the destination. Verify receipt at the destination.
Example 2: For backup tape offsite rotation, use a bonded courier service (Iron Mountain, Recall) that provides chain-of-custody documentation. Track each tape with a barcode or serial number. Reconcile your tape inventory monthly against the courier's records.
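Added example (not part of NIST SP 800-53 or the original notes): the monthly reconciliation from Example 2, run against a transport log that carries the fields listed in Example 1. The record layout, finding names, barcodes, locations and the two-day transit allowance are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data: barcodes, carriers, vaults and dates are made up.
# Each entry records what left, when, who carried it, the destination, and
# the date receipt was verified at the destination (None = not yet verified).
TRANSPORT_LOG = [
    {"barcode": "TP0001", "left": date(2024, 5, 2), "carrier": "courier-a",
     "dest": "vault-1", "received": date(2024, 5, 2)},
    {"barcode": "TP0002", "left": date(2024, 5, 9), "carrier": "courier-a",
     "dest": "vault-1", "received": None},
    {"barcode": "TP0003", "left": date(2024, 5, 16), "carrier": "courier-a",
     "dest": "vault-1", "received": date(2024, 5, 16)},
    {"barcode": "TP0005", "left": date(2024, 5, 31), "carrier": "courier-a",
     "dest": "vault-1", "received": None},
    {"barcode": "TP0006", "left": date(2024, 5, 23), "carrier": "courier-a",
     "dest": "vault-1", "received": date(2024, 5, 23)},
]
# Constructed courier statement: barcode -> location the courier reports.
COURIER_RECORDS = {"TP0001": "vault-1", "TP0003": "vault-2", "TP0004": "vault-1"}


def reconcile(log, courier, today, max_transit_days=2):
    """Return sorted (barcode, finding) pairs where log and courier disagree."""
    latest = {}
    for entry in sorted(log, key=lambda e: e["left"]):
        latest[entry["barcode"]] = entry  # keep the most recent shipment per item
    findings = []
    for barcode, entry in latest.items():
        held_at = courier.get(barcode)
        if entry["received"] is None:
            # Still in transit: only a problem once the allowance is exceeded.
            if (today - entry["left"]).days > max_transit_days:
                findings.append((barcode, "RECEIPT_UNVERIFIED"))
        elif held_at is None:
            findings.append((barcode, "MISSING_AT_COURIER"))
        elif held_at != entry["dest"]:
            findings.append((barcode, "LOCATION_MISMATCH"))
    # Media the courier holds that never went through the transport log.
    for barcode in set(courier) - set(latest):
        findings.append((barcode, "UNLOGGED_AT_COURIER"))
    return sorted(findings)


if __name__ == "__main__":
    for barcode, finding in reconcile(TRANSPORT_LOG, COURIER_RECORDS, date(2024, 6, 1)):
        print(barcode, finding)
```

The log here holds outbound shipments only; media returning from the courier would need its own entries before the same comparison applies.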