MP — Media Protection
Media Protection covers the data once it leaves the running system and lives on something you can pick up: a drive, a tape, a USB stick, a phone, a snapshot sitting in a bucket. MP governs who can touch that media, how it’s labeled, where it’s stored, how it moves, and (the part that carries most of the family’s weight) how it gets sanitized before it’s reused, sold, recycled, or shredded. It is not access control for the live system (that’s AC), and it is not the physical security of the room the media sits in (that’s PE). MP is the handling discipline for the storage object itself, and it most often falls apart the moment that object stops being useful and someone has to decide what “wiped” actually means.

MP is a control catalog family from SP 800-53, not a step in the RMF. The RMF is the SP 800-37 process: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. MP controls get pulled in at Select based on your FIPS 199 categorization, stood up at Implement, and graded at Assess, with the failures landing in the POA&M. So “doing MP for the RMF” means the 800-53B baseline for your impact level handed you a set of MP controls, and now those need real implementations and SSP narratives that survive an assessor who knows the difference between a destruction receipt and a sentence claiming one exists.
What’s actually in the family
Rev 5 runs MP-1 through MP-8. If your control list stops at MP-7 and calls that the family, you’re quoting a stale enumeration. MP-8 Media Downgrading is a live Rev 5 control. It isn’t in the Low, Moderate, or High baselines from 800-53B, so most federal systems never select it, but it’s real and shows up under CNSSI 1253 overlays and NSS selections where downgrading classified or controlled media is a thing people genuinely do.
- MP-1, Policy and Procedures. The family’s -1. Org-level media protection policy plus the procedures that make it operational. In every baseline, and the first thing an assessor reaches for because everything below inherits its existence from here.
- MP-2, Media Access. Restricts access to digital and non-digital media to authorized personnel. This is the “who’s allowed to handle it” control. Don’t confuse it with MP-7 (below); they get smeared together constantly and they are not the same thing.
- MP-3, Media Marking. Marking media with distribution limitations, handling caveats, and applicable security markings. Not in the Low baseline. It first goes live at Moderate, which surprises people who assume labeling is universal.
- MP-4, Media Storage. Physically controls and securely stores media within controlled areas. Moderate and up.
- MP-5, Media Transport. Protects and controls media in transit, maintains accountability, and (the operative phrase) documents activities associated with transport. This is the chain-of-custody control. The old Rev 4 enhancements MP-5(1) and MP-5(2) were withdrawn and folded into the base control in Rev 5, while MP-5(4) cryptographic protection wasn’t folded into MP-5 at all, it moved to SC-28(1), so an SSP still citing MP-5(4) by that number is mixing revisions. MP-5(3) custodians survives as a live enhancement, just not baseline-allocated.
- MP-6, Media Sanitization. The load-bearing control of the whole family, and the one I’ll spend real time on below. Sanitizes media before disposal, release out of organizational control, or release for reuse. In every baseline, Low included.
- MP-7, Media Use. Restricts or prohibits the use of specific types of media on systems or components. This is the USB-and-removable-storage control, not an access-control restatement. The Rev 4 enhancement MP-7(1) for portable storage with no identifiable owner was withdrawn in Rev 5 and folded into base MP-7 (part b), so the no-owner prohibition now lives in the base control, not in a numbered enhancement.
- MP-8, Media Downgrading. Live in Rev 5, baseline-allocated only via overlays and NSS selection. Names a downgrading process and the review/test that goes with it.
Baselines and where the controls come from
The baselines moved out of the catalog. In Rev 4 the Low/Moderate/High allocations sat in Appendix D of 800-53 itself; Rev 5 split them into SP 800-53B, which is what you tailor against. FIPS 199 sets the categorization, FIPS 200 sets the minimum-security floor, 800-53B turns the impact level into a starting control set, and for national-security systems CNSSI 1253 overlays it instead. The drivers here are FISMA, FIPS 200, your agency RMF process, and for DoD systems DoDI 8510.01 feeding eMASS. Consumer-privacy law like GDPR or CCPA has nothing to do with MP selection on a federal system, and any reference page telling you otherwise was written by something that didn’t know what room it was in.
One thing the table below makes obvious: marking, storage, and transport (MP-3/4/5) don’t appear in the Low baseline at all. Sanitization (MP-6) and media use (MP-7) do. A Low system still has to wipe a drive before it leaves the building; it doesn’t necessarily have to label and custody-track every tape.
| Control | Typical first live at | What an assessor actually checks |
|---|---|---|
| MP-1 | Low | The policy exists, is current, and names who owns media handling. |
| MP-2 | Low | Who can physically get to the media library or backup safe, and how that list is maintained. |
| MP-3 | Moderate | Sample media for actual markings; confirm the marking scheme matches the categorization and any caveats. |
| MP-4 | Moderate | The storage location is controlled; walk to it, confirm it’s locked and access-logged, not a cabinet anyone can open. |
| MP-5 | Moderate | Pull custodian logs for media that left the boundary. Gaps in the chain are the finding. |
| MP-6 | Low | Sanitization records: method, verification, who signed. Cross-check method against media type. |
| MP-6(1) | High | Sanitization actions are reviewed, approved, tracked, documented, and verified, with the evidence to show it. |
| MP-7 | Low | The removable-media restriction is enforced technically, and the exception list (if any) is documented and current. |
Treat “first live at” as directional. Your overlay moves things, and an enhancement absent from the Moderate baseline (MP-6(1) is High-only) often becomes mandatory once you hit High or an overlay pulls it in.
MP-6 is the whole game
If you only get one MP control right, make it sanitization, and the document that defines “right” is NIST SP 800-88, now at Rev 2 (September 2025), which supersedes the Rev 1 most older SSPs still cite. The clear / purge / destroy taxonomy carries over, and the distinction is not academic, but Rev 2 stops hand-holding on technique: it pushes the actual method specifications out to IEEE 2883, NSA specs, or an organizationally approved standard, and reframes the guidance around running a sanitization program rather than picking a wipe by hand. Clear is a logical overwrite that defeats simple non-invasive recovery (a standard format or single-pass overwrite). Purge is a state where recovery is infeasible even with lab techniques (cryptographic erase on a self-encrypting drive, a firmware secure-erase, or degaussing for magnetic media). Destroy is physical: shred, disintegrate, incinerate. Treat the three as categories of assurance, and reach to the referenced media-specific standard for the technique that actually achieves each on the hardware in front of you.
“Sanitize before disposal” misses two-thirds of the control. MP-6 applies before disposal, before release out of your control, and before reuse. The drive you’re redeploying to another project still has to be sanitized to the right level for what was on it. 800-88 ties the method to the media’s confidentiality categorization and to whether it’s leaving your control, not to a flat “always shred” rule.
Three enhancements do the real work. MP-6(1) is the review/approve/track/document/verify wrapper that turns an unsupervised drill-press into an auditable process. MP-6(2) is periodic testing of the sanitization equipment (a degausser drifted out of spec is a degausser producing recoverable drives). MP-6(3) covers nondestructive techniques for portable storage before connecting it under defined conditions.
Here’s the flag I’ll plant: degaussing an SSD is sanitization theater, and “destroy everything” is over-prescribed. Degaussing works on magnetic media because it scrambles the magnetic domains. Flash has no magnetic domains. Run an SSD through a degausser and you’ve accomplished nothing except a checkbox and a warm magnet. For flash you need a verified cryptographic erase (assuming the controller actually purges the key and you can confirm it) or physical destruction per 800-88. The inverse over-correction is just as common: shredding perfectly redeployable drives at Moderate because “destroy” feels safer, when a verified purge would have let you reuse the hardware. Destruction is the right answer for High-confidentiality media leaving your control and for flash you can’t trust the firmware on. It is not the universal answer, and treating it as one turns a hardware budget into landfill.
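The assessor check the table above describes for MP-6 (method, verification, signature, and method cross-checked against media type) can be scripted against exported sanitization records. The following is an added example, not tooling from the page or from NIST: the records, the media-to-technique table, and the categorization-to-level policy are constructed for illustration. The clear/purge/destroy categories are the SP 800-88 ones, but which category an organization requires for a given impact level and disposition is its own policy decision, written here as one plausible choice consistent with the text (purge at Moderate, destroy for High media leaving control).

```python
"""Assessor-style check of MP-6 sanitization records (added example, constructed data)."""
from dataclasses import dataclass

# Assurance ordering of the three SP 800-88 categories.
LEVEL = {"clear": 1, "purge": 2, "destroy": 3}

# Which category a technique actually achieves on a given media type.
# A technique absent from a media type's table is not sanitization of that
# media at all; degaussing flash is the textbook case. Table is illustrative:
# the authoritative mapping lives in the media-specific standard you adopt.
ACHIEVES = {
    "magnetic_hdd": {"overwrite_1pass": "clear", "ata_secure_erase": "purge",
                     "degauss": "purge", "shred": "destroy"},
    "flash_ssd":    {"overwrite_1pass": "clear", "crypto_erase": "purge",
                     "nvme_sanitize": "purge", "shred": "destroy"},
    "lto_tape":     {"overwrite_1pass": "clear", "degauss": "purge",
                     "incinerate": "destroy", "shred": "destroy"},
}

# Constructed organizational policy (assumption, not 800-88 text): minimum
# category required, keyed by confidentiality impact and whether the media
# leaves organizational control.
REQUIRED = {
    ("low", False): "clear",       ("low", True): "clear",
    ("moderate", False): "purge",  ("moderate", True): "purge",
    ("high", False): "purge",      ("high", True): "destroy",
}


@dataclass
class Record:
    media_id: str
    media_type: str
    confidentiality: str   # "low" | "moderate" | "high"
    leaves_control: bool
    method: str
    verified: bool         # a verification step was performed and recorded
    signed_by: str = ""    # who signed the record


def check_record(rec: Record) -> list[str]:
    """Return the findings for one record; an empty list means it passes."""
    findings = []
    table = ACHIEVES.get(rec.media_type)
    if table is None:
        return [f"{rec.media_id}: unknown media type {rec.media_type!r}"]
    achieved = table.get(rec.method)
    if achieved is None:
        findings.append(f"{rec.media_id}: {rec.method} does not sanitize {rec.media_type}")
    else:
        needed = REQUIRED[(rec.confidentiality, rec.leaves_control)]
        if LEVEL[achieved] < LEVEL[needed]:
            findings.append(f"{rec.media_id}: {rec.method} achieves {achieved}, "
                            f"policy requires {needed}")
    if not rec.verified:
        findings.append(f"{rec.media_id}: no verification recorded")
    if not rec.signed_by:
        findings.append(f"{rec.media_id}: record unsigned")
    return findings


def check_records(records: list[Record]) -> dict[str, list[str]]:
    """Map every media id to its findings (empty lists included, so passes are visible)."""
    return {r.media_id: check_record(r) for r in records}


# Constructed sample records: one clean, three with the failure modes discussed.
SAMPLE = [
    Record("HDD-0417", "magnetic_hdd", "moderate", False, "ata_secure_erase", True, "j.doe"),
    Record("SSD-0091", "flash_ssd", "moderate", True, "degauss", True, "j.doe"),       # theater
    Record("SSD-0102", "flash_ssd", "high", True, "crypto_erase", True, "j.doe"),      # under-sanitized
    Record("TAPE-0003", "lto_tape", "low", True, "overwrite_1pass", False, ""),        # no evidence
]

if __name__ == "__main__":
    for media_id, findings in check_records(SAMPLE).items():
        print(media_id, "PASS" if not findings else "; ".join(findings))
```

Run it and the SSD that was degaussed is flagged as not sanitized at all, the High-impact SSD leaving control is flagged for achieving purge where the policy requires destroy, and the tape record fails on missing verification and signature; the HDD passes. Swapping `REQUIRED` for your own policy table is the only change needed to reuse it.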
Deeper: cloud media you can’t physically touch
MP-6 assumes you can lay hands on the media. In a FedRAMP environment you can’t. You cannot witness a CSP shred a drive that held your tenant data, and you cannot verify the crypto-erase yourself. So the honest SSP narrative for cloud MP-6 is reliance on the CSP’s attestation and their own 800-88-conformant process, documented as inherited from the provider’s authorization, not a clean inheritance you can stand behind. Same shape as the AC-20 inheritance problem: the customer-responsibility matrix draws the line, and “inherited” written against a row the CRM marks customer-responsibility is a finding waiting to happen. Snapshots, ephemeral volumes, and orphaned backup copies are the genuinely hard part, because the media boundary for a cloud tenant is fuzzy in a way a tape library never was.
Where the rest of the family goes brittle
MP-7 blanket prohibitions with a secret exception list. The common pattern is an SSP that says USB mass storage is prohibited, full stop, backed by a Group Policy that disables removable storage. Clean. Then there’s an undocumented carve-out for the three engineers who need a specific encrypted USB key for an air-gapped transfer, and that carve-out lives in someone’s head or a side GPO nobody referenced. An assessor who reads the MP-7 narrative and then checks the actual device-installation policy on a sample of hosts will find the gap. If you allow exceptions, document them, cover the no-identifiable-owner case under base MP-7 (part b, where the old MP-7(1) enhancement now lives), and wire it to SC-41 and AC-19/AC-20 so the device story is consistent across families.
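The check described here, reading the MP-7 narrative and then comparing it to what hosts actually enforce, reduces to reconciling two lists. Below is an added example, not tooling from the page: the host snapshots are constructed, and they mimic the registry values the Windows Removable Storage Access Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices (Deny_All for all classes; Deny_Read and Deny_Write under the {53f56307-b6bf-11d0-94f2-00a0c91efb8b} Disk drives class key). How those values are collected from hosts (a configuration-management export, a remote registry query) is left out and assumed.

```python
r"""Reconcile the documented MP-7 exception list against host enforcement (added example).

Snapshot shape (constructed, assumed to be exported from
HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices):
    {"Deny_All": 1}                                   -> every removable class denied
    {DISK_CLASS: {"Deny_Read": 1, "Deny_Write": 1}}   -> removable disks denied
    {}                                                -> nothing enforced
"""

# Windows device setup class GUID for "Disk drives", as used by the policy's
# per-class subkeys.
DISK_CLASS = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"


def removable_storage_denied(values: dict) -> bool:
    """True if the snapshot denies USB mass storage for ordinary use.

    Deny_All covers every class. Otherwise the disk class must deny both read
    and write: a write-only denial is still a carve-out that lets data walk in.
    """
    if values.get("Deny_All") == 1:
        return True
    disk = values.get(DISK_CLASS, {})
    return disk.get("Deny_Read") == 1 and disk.get("Deny_Write") == 1


def reconcile(snapshots: dict[str, dict], documented_exceptions: list[str]):
    """Compare enforcement to the SSP exception list.

    Returns (undocumented, stale): hosts that allow removable storage without
    a documented exception, and documented exceptions no host actually allows.
    Either direction means the narrative and the GPO disagree.
    """
    allowed = {host for host, values in snapshots.items()
               if not removable_storage_denied(values)}
    documented = set(documented_exceptions)
    return sorted(allowed - documented), sorted(documented - allowed)


# Constructed sample: four hosts, an SSP exception list of two.
SNAPSHOTS = {
    "WS-ENG-01": {"Deny_All": 1},
    "WS-ENG-02": {DISK_CLASS: {"Deny_Read": 1, "Deny_Write": 1}},
    "WS-ENG-03": {DISK_CLASS: {"Deny_Write": 1}},   # read-only carve-out nobody wrote down
    "WS-XFER-01": {},                                # the documented air-gap transfer box
}
DOCUMENTED_EXCEPTIONS = ["WS-XFER-01", "WS-XFER-02"]  # WS-XFER-02 no longer exists

if __name__ == "__main__":
    undocumented, stale = reconcile(SNAPSHOTS, DOCUMENTED_EXCEPTIONS)
    print("allowed but undocumented:", undocumented)
    print("documented but not allowed on any sampled host:", stale)
```

The read-only carve-out on WS-ENG-03 is exactly the side-GPO case from the text: the narrative says prohibited, the host says otherwise, and nothing in the SSP explains it. The stale entry for WS-XFER-02 is the opposite failure, an exception list that was never reconciled after the host went away.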
MP-5 custody gaps. Transport accountability is only as good as the log. Media goes off-site for backup rotation, or a drive leaves for vendor repair (really MP-5 wearing an MA-2 controlled-maintenance hat, because media leaving for maintenance is exactly the seam where data walks out unlogged). The custodian log shows the handoff out and never the return, or shows neither. Sample the media that left the boundary and follow each piece both directions.
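Following each piece of media both directions through the custodian log is a pairing problem, and one that is easy to script once the log is in a consistent shape. The following is an added example, not the page's own tooling; the log lines are constructed, and the line format (timestamp, media id, OUT or IN, custodian, counterparty) is an assumption standing in for whatever your custodian log actually records.

```python
"""Follow MP-5 custody log entries in both directions (added example, constructed log)."""
from collections import defaultdict
from datetime import datetime

# Constructed custodian log: one clean round trip, one tape that went out twice
# without coming back, one drive out for vendor repair that never returned, and
# one drive that "came back" with no record of ever leaving.
LOG = """\
2024-03-04T08:10 TAPE-1187 OUT r.alvarez offsite-vault
2024-03-04T08:10 TAPE-1188 OUT r.alvarez offsite-vault
2024-03-11T09:02 TAPE-1187 IN  r.alvarez offsite-vault
2024-03-19T14:45 HDD-0520  OUT m.chen    vendor-rma
2024-04-02T10:30 HDD-0533  IN  m.chen    vendor-rma
2024-04-09T11:15 TAPE-1188 OUT r.alvarez offsite-vault
"""


def parse(log_text: str) -> list[tuple]:
    """Parse the assumed whitespace-separated format into time-ordered events."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, media, direction, custodian, party = line.split()
        events.append((datetime.fromisoformat(ts), media, direction, custodian, party))
    return sorted(events)


def audit_custody(log_text: str) -> dict[str, list[str]]:
    """Return media_id -> chain-of-custody findings. Media with a clean chain are absent."""
    findings = defaultdict(list)
    outstanding = {}  # media_id -> (ts, custodian, party) of the OUT not yet matched by an IN
    for ts, media, direction, custodian, party in parse(log_text):
        if direction == "OUT":
            if media in outstanding:
                prev_ts = outstanding[media][0]
                findings[media].append(
                    f"second OUT on {ts:%Y-%m-%d} with no IN since {prev_ts:%Y-%m-%d}")
            outstanding[media] = (ts, custodian, party)
        elif direction == "IN":
            if media not in outstanding:
                findings[media].append(f"IN on {ts:%Y-%m-%d} with no matching OUT")
            else:
                outstanding.pop(media)
        else:
            findings[media].append(f"unrecognised direction {direction!r} on {ts:%Y-%m-%d}")
    # Anything still outstanding left the boundary and was never logged back.
    for media, (ts, custodian, party) in outstanding.items():
        findings[media].append(
            f"left for {party} on {ts:%Y-%m-%d} under {custodian}, never logged back")
    return dict(findings)


if __name__ == "__main__":
    for media, items in sorted(audit_custody(LOG).items()):
        for item in items:
            print(f"{media}: {item}")
```

TAPE-1187 produces nothing, which is what a complete chain looks like. The vendor-repair drive that never came back is the MA-2 seam the text describes, and the IN with no OUT is the same seam seen from the other side: something re-entered the boundary that the log never saw leave.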
MP-3 marking as theater. Labels that don’t match the system’s categorization, or a marking scheme inherited from a template and never reconciled against FIPS 199. Marking ties to RMF categorization and to AC-16 security attributes; if the label says one thing and the SSP categorization says another, that’s a real inconsistency, not cosmetic.
The cross-family wiring an assessor expects you to have thought about: MP-6 touches SR supply-chain disposal and CM media handling; MP-4/MP-5 lean on PE physical protection; MP feeds IR when media spillage becomes an incident. An SSP that treats MP as a self-contained island usually has a seam where data leaves unaccounted for.
Artifacts
MP evidence is physical and specific, which is why it’s hard to fake. Sanitization records naming the method (clear/purge/destroy), the media type, the verification, and a signature. Destruction receipts (DoD shops will recognize the DD Form 2581 / 2501 family of custody and destruction paperwork; confirm the current form number for your environment). The NSA/CSS Evaluated Products List for degaussers and destruction devices, if you’re claiming a particular machine meets the standard. Custodian logs for MP-5. The SSP carries the narrative, the SAR the assessor’s verdict, the POA&M the failures. If your MP narratives could be pasted into another system’s SSP unchanged, they’re too generic to pass, same as every other family.
Sources
- SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (NIST)
- SP 800-53B, Control Baselines for Information Systems and Organizations (NIST)
- SP 800-88 Rev. 2, Guidelines for Media Sanitization (NIST) (published 2025-09-26, supersedes Rev. 1)
- SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations (NIST)
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (NIST)
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (NIST)
- CNSSI 1253, Security Categorization and Control Selection for National Security Systems (CNSS)
- DoDI 8510.01, Risk Management Framework for DoD Systems (DoD)
Adjacent material on this site
- PE, Physical and Environmental Protection (where stored and in-transit media physically lives)
- MA, Maintenance (MA-2 controlled maintenance, the seam where media leaves for repair)
- SR, Supply Chain Risk Management (disposal and component handling)
- IR, Incident Response (where media spillage becomes an incident)
- AC, Access Control (MP-7 ties to AC-19/AC-20; the inheritance problem MP-6 shares with AC-20)
- RMF control families overview
- RMF roadmap