
MP-7 Media Use

FedRAMP baselines: LI-SaaS, Low, Moderate, High

Control Description

a. [Selection: Restrict; Prohibit] the use of organization-defined types of system media on organization-defined systems or system components using organization-defined controls; and

b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

Discussion

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm.

Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media.

Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices.

Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.
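The approved-device, read-only and identifiable-owner strategies described above can be checked mechanically on an endpoint. As an added example (not from this page or from any NIST or AWS tooling), the following parses the key="value" output format of `lsblk -P -o NAME,TRAN,RM,RO,VENDOR,SERIAL`, keeps only removable USB devices, and applies MP-7 logic against an organization-issued device inventory; the lsblk text, the inventory and the owner names are constructed sample data.

```python
import re
from dataclasses import dataclass

# lsblk -P emits one device per line as COLUMN="value" pairs.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample output: one internal NVMe disk and three USB sticks.
SAMPLE_LSBLK = """\
NAME="nvme0n1" TRAN="nvme" RM="0" RO="0" VENDOR="" SERIAL="S4EVNX0R123456"
NAME="sda" TRAN="usb" RM="1" RO="0" VENDOR="Kingston" SERIAL="0019E06B5C4D"
NAME="sdb" TRAN="usb" RM="1" RO="0" VENDOR="SanDisk" SERIAL="4C530001"
NAME="sdc" TRAN="usb" RM="1" RO="1" VENDOR="Lexar" SERIAL="AA11BB22"
"""

# Constructed inventory of organization-issued devices: serial -> identifiable owner.
APPROVED_DEVICES = {
    "0019E06B5C4D": "alice@example.org",
    "AA11BB22": "ops-team",
}

@dataclass(frozen=True)
class Finding:
    device: str
    decision: str  # "ALLOW" or "DENY"
    reason: str

def parse_lsblk_pairs(text):
    """Turn each lsblk -P line into a dict of column name -> value."""
    return [dict(PAIR_RE.findall(line)) for line in text.splitlines() if line.strip()]

def evaluate_removable_media(lsblk_text, approved=APPROVED_DEVICES, allow_writeable=False):
    """Apply MP-7 to every removable USB device.

    Check order: a device outside the approved inventory has no identifiable owner
    and is denied first (MP-7 b); an approved but writeable device is denied when
    the policy permits read-only use only; everything else is allowed.
    """
    findings = []
    for dev in parse_lsblk_pairs(lsblk_text):
        if dev.get("RM") != "1" or dev.get("TRAN") != "usb":
            continue  # fixed internal disks are not portable storage
        owner = approved.get(dev.get("SERIAL", ""))
        if not owner:
            findings.append(Finding(dev["NAME"], "DENY", "no identifiable owner (MP-7 b)"))
        elif dev.get("RO") != "1" and not allow_writeable:
            findings.append(Finding(dev["NAME"], "DENY", f"writeable device; owner {owner}"))
        else:
            findings.append(Finding(dev["NAME"], "ALLOW", f"approved device owned by {owner}"))
    return findings
```

On a live host the text would come from running lsblk with the listed columns; the same function then yields one finding per removable device for the compliance record.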


Programmatic Queries


Related Services:

AWS Systems Manager
Amazon WorkSpaces
AWS Config

CLI Commands:

List SSM inventory for USB/media policies:
    aws ssm list-inventory-entries --instance-id INSTANCE_ID --type-name AWS:Application

Check WorkSpaces user settings (device restrictions):
    aws workspaces describe-workspace-directories --query 'Directories[].WorkspaceAccessProperties'

List Config rules for endpoint compliance:
    aws configservice describe-config-rules --config-rule-names ec2-instance-managed-by-ssm

Check SSM compliance for managed instances:
    aws ssm list-compliance-items --resource-ids INSTANCE_ID --resource-types ManagedInstance

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of MP-7 (Media Use)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring MP-7?
  • How frequently is the MP-7 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures MP-7 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce MP-7 requirements.
  • What automated tools, systems, or technologies are deployed to implement MP-7?
  • How is MP-7 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce MP-7 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of MP-7?
  • What audit logs, records, reports, or monitoring data validate MP-7 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of MP-7 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate MP-7 compliance?
