MP-5 Media Transport

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Protect and control organization-defined types of system media during transport outside of controlled areas using organization-defined controls;

b. Maintain accountability for system media during transport outside of controlled areas;

c. Document activities associated with the transport of system media; and

d. Restrict the activities associated with the transport of system media to authorized personnel.

>DoD Impact Level Requirements

FedRAMP Parameter Values

MP-5 (a) [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption in compliance with Federal requirements and utilizes FIPS validated or NSA approved cryptography (see SC-13.); for non-digital media, secured in locked container]

Additional Requirements and Guidance

MP-5 (a) Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB/AO.

>Discussion

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper.

Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented.

Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.

Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

>Programmatic Queries

Related Services

AWS Transfer Family
AWS DataSync
AWS Snowball

CLI Commands

List Transfer Family servers (the list output has no protocol field; SFTP/FTPS protocols are reported per server by describe-server):
aws transfer list-servers --query 'Servers[].{Id:ServerId,Endpoint:EndpointType,State:State}'

List DataSync tasks for secure transfer:
aws datasync list-tasks --query 'Tasks[].{Arn:TaskArn,Status:Status}'

Check that the S3 bucket policy references aws:SecureTransport, the condition key used to enforce TLS:
aws s3api get-bucket-policy --bucket BUCKET_NAME --query 'Policy' --output text | grep -i 'aws:SecureTransport'

List Snowball jobs (physical media transport):
aws snowball list-jobs --query 'JobListEntries[].{Id:JobId,State:JobState,Type:JobType}'
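
The bucket-policy check above only searches the policy text, so it also matches policies that mention TLS without enforcing it. The following added example (not part of the original page or of any AWS tooling) parses the policy JSON and confirms there is a Deny on non-TLS requests covering both the bucket and its objects. The function names, the bucket name "example-bucket" and both sample policies are constructed for illustration.

```python
import json

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _denies_plaintext(stmt):
    """True for a Deny conditioned on Bool aws:SecureTransport = false."""
    if stmt.get("Effect") != "Deny":
        return False
    for key, value in stmt.get("Condition", {}).get("Bool", {}).items():
        # Condition key names are case-insensitive; the value may be "false" or false.
        if key.lower() == "aws:securetransport":
            return [str(v).lower() for v in _as_list(value)] == ["false"]
    return False

def enforces_tls(policy_json, bucket):
    """True only if all principals are denied every S3 action over plain HTTP
    on both the bucket and its objects. Deliberately strict: equivalent policies
    written differently (e.g. wildcard resources) are reported for manual review."""
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _denies_plaintext(stmt):
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not {"*", "s3:*"} & set(_as_list(stmt.get("Action"))):
            continue
        covered |= required & set(_as_list(stmt.get("Resource")))
    return covered == required

# Constructed sample policies for a hypothetical bucket "example-bucket".
DENY_HTTP = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
# Matches a text search for "ssl" or "SecureTransport" yet denies nothing.
ALLOW_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowSSLReads", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]})

if __name__ == "__main__":
    for name, doc in (("DENY_HTTP", DENY_HTTP), ("ALLOW_ONLY", ALLOW_ONLY)):
        print(name, enforces_tls(doc, "example-bucket"))
```

Feed it the output of get-bucket-policy with --query Policy --output text; a False result means the policy needs manual review, not necessarily that TLS is unenforced.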

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of MP-5 (Media Transport)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring MP-5?
  • How frequently is the MP-5 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures MP-5 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce MP-5 requirements.
  • What automated tools, systems, or technologies are deployed to implement MP-5?
  • How is MP-5 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce MP-5 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of MP-5?
  • What audit logs, records, reports, or monitoring data validate MP-5 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of MP-5 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate MP-5 compliance?
