MP-5—Media Transport
>Control Description
Protect and control ⚙organization-defined types of system media during transport outside of controlled areas using ⚙organization-defined controls;
Maintain accountability for system media during transport outside of controlled areas;
Document activities associated with the transport of system media; and
Restrict the activities associated with the transport of system media to authorized personnel.
>FedRAMP Baseline Requirements
Parameter Values
Additional Requirements and Guidance
MP-5 (a) Requirement: The service provider defines security measures to protect digital and non-digital media in transport.
>Discussion
System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper.
Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented.
Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.
Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
aws transfer list-servers --query 'Servers[].{Id:ServerId,Protocol:Protocols,State:State}'aws datasync list-tasks --query 'Tasks[].{Arn:TaskArn,Status:Status}'aws s3api get-bucket-policy --bucket BUCKET_NAME --query 'Policy' | grep -i sslaws snowball list-jobs --query 'JobListEntries[].{Id:JobId,State:JobState,Type:JobType}'>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of MP-5 (Media Transport)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring MP-5?
- •How frequently is the MP-5 policy reviewed and updated, and what triggers policy changes?
- •What governance structure ensures MP-5 requirements are consistently applied across all systems?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce MP-5 requirements.
- •What automated tools, systems, or technologies are deployed to implement MP-5?
- •How is MP-5 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce MP-5 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of MP-5?
- •What audit logs, records, reports, or monitoring data validate MP-5 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of MP-5 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate MP-5 compliance?
Ask AI
Configure your API key to use AI features.