NIST.SP.800-161
Special Publication 800-161<br />
Supply Chain Risk Management Practices for Federal<br />
Information Systems and Organizations<br />
FAMILY: MEDIA PROTECTION<br />
MP-1 MEDIA PROTECTION POLICY AND PROCEDURES [BACK TO SCRM CONTROL]<br />
Control: The organization:<br />
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:<br />
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management<br />
commitment, coordination among organizational entities, and compliance; and<br />
2. Procedures to facilitate the implementation of the media protection policy and associated media<br />
protection controls; and<br />
b. Reviews and updates the current:<br />
1. Media protection policy [Assignment: organization-defined frequency]; and<br />
2. Media protection procedures [Assignment: organization-defined frequency].<br />
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective<br />
implementation of selected security controls and control enhancements in the MP family. Policy and<br />
procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards,<br />
and guidance. Security program policies and procedures at the organization level may make the need for<br />
system-specific policies and procedures unnecessary. The policy can be included as part of the general<br />
information security policy for organizations or conversely, can be represented by multiple policies<br />
reflecting the complex nature of certain organizations. The procedures can be established for the security<br />
program in general and for particular information systems, if needed. The organizational risk management<br />
strategy is a key factor in establishing policy and procedures. Related control: PM-9.<br />
Control Enhancements: None.<br />
References: NIST Special Publications 800-12, 800-100.<br />
Priority and Baseline Allocation:<br />
P1 | LOW: MP-1 | MOD: MP-1 | HIGH: MP-1<br />
MP-5 MEDIA TRANSPORT [BACK TO SCRM CONTROL]<br />
Control: The organization:<br />
a. Protects and controls [Assignment: organization-defined types of information system media] during<br />
transport outside of controlled areas using [Assignment: organization-defined security safeguards];<br />
b. Maintains accountability for information system media during transport outside of controlled areas;<br />
c. Documents activities associated with the transport of information system media; and<br />
d. Restricts the activities associated with the transport of information system media to authorized<br />
personnel.<br />
Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media<br />
includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact<br />
disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control<br />
also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers)<br />
that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations<br />
provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting<br />
information and/or information systems.<br />
Physical and technical safeguards for media are commensurate with the security category or classification<br />
of the information residing on the media. Safeguards to protect media during transport include, for<br />
APPENDIX B PAGE B-52