Media Protection Plan

Approach basics → §4.x

Tooling and roles that anchor the rest of the plan.

Media inventory system (one-liner) * Where storage media are inventoried (e.g., 'CMDB media-asset module', 'Dedicated media-tracker spreadsheet under version control', 'Inherited from cloud — no system-managed physical media').

Sanitization service / vendor * Who performs media sanitization (e.g., 'Internal IT Operations using Blancco Drive Eraser', 'NSA-listed vendor for Purge / Destroy', 'GSA-schedule contract destruction vendor').

Destruction-certificate storage location * Where certificates of destruction are retained (records-management system, GRC tool, secure file share).

Transport chain-of-custody workflow Brief phrase summarizing transport workflow (e.g., 'GSA-bonded courier with sealed tamper-evident container; chain-of-custody form per shipment', 'Encrypted transport via FedEx with signature-required tracking + post-transit verification').

Removable-media policy summary (one-liner) Brief phrase summarizing the removable-media posture (e.g., 'USB ports disabled by GPO with allowlist for org-issued encrypted drives', 'Read-only USB enforcement via DLP', 'Physical port blockers on all hosts; allowlist enforcement at endpoint').

Media Inventory → §2.x

Categories of media in scope and how they are tracked.

Digital media categories

Internal hard drives (HDD / SSD) in servers / workstations / laptops Removable hard drives USB flash drives Optical media (CD / DVD / Blu-ray) Magnetic tapes (LTO, etc.) Memory cards (SD, microSD, CF) Solid-state media (M.2, NVMe) Smartphone / tablet internal storage Embedded firmware media (printers, MFPs) Cloud-provider object / block storage (logical, but governance applies)

Non-digital media categories

Printed reports / hardcopy CUI Handwritten notes containing system data Whiteboard captures (digital photos) Microfilm / microfiche (legacy archives) Paper forms (PII) Not in scope (digital-only)

Inventory-tracked attributes

Asset tag / serial Media type Encryption status Classification / handling marking Owner role Storage location Issued to (current user) Lifecycle state (in-use / sanitized / destroyed / lost) Sanitization method applied Destruction-certificate reference

Media-inventory reconciliation cadence How often the media inventory is reconciled with physical reality (e.g., 'Quarterly with annual full audit').

Media Access (MP-2) → §4.x

Who can access media and on what basis.

Access-controlled media categories

Backup tapes Removable hard drives Encrypted USB drives Optical media containing CUI Hardcopy printouts containing CUI Cryptographic-key media Privileged-utility media (recovery USBs)

Authorization criteria What entitles a person to access controlled media (need-to-know, role-based, screening level — reference PS-3).

Access-logging requirement When access events to controlled media are logged. Sign-in / sign-out for physical media; system audit for digital media access (overlaps with AU-2).

Authorization-list review cadence How often the authorized-access list is reviewed (typical: 'Annually + on personnel change'). MP-2 ODV.

Media Marking (MP-3) → §4.x

Classification labels and handling markings.

Marking systems in use

CUI marking per 32 CFR Part 2002 (CUI Basic / Specified) Classified marking per ISOO (Confidential / Secret / Top Secret) FIPS 199 categorization labels Internal classification (Public / Internal / Confidential / Restricted) PII / PHI / PCI / FTI handling labels Export-controlled (ITAR / EAR) labels

Marking method by media type How each media type is marked. Example: 'Backup tapes: serialized adhesive label with classification + asset tag; portable drives: laser-engraved housing + register entry; hardcopy: top-and-bottom-of-each-page banner per 32 CFR Part 2002.'

Marking exemptions (MP-3 ODV) Per MP-3 ODV, types of media exempted from marking requirements (e.g., 'Public-information media in a controlled facility'). Document rationale.

Marking-audit cadence How often the marking is audited (e.g., 'Quarterly random sample of media items'). Captures markings degraded by wear or improperly applied at issue.

Media Storage (MP-4) → §4.x

Where and how media at rest is physically protected.

Storage location types

GSA-approved security container (classified) Locked cabinet with key control Locked room with PIV / CAC access Tape library with encryption + access control Off-site provider storage (Iron Mountain etc.) Cloud-provider managed storage (logical, but inventory tracked) Personal-issue secure container (laptop, encrypted drive)

Cryptographic protection of stored media (MP-4) How stored media is cryptographically protected. SED + LUKS + BitLocker / FileVault for portable media. Reference SC-12 / SC-28 for keys + at-rest encryption.

Environmental protection Temperature, humidity, EMI / magnetic-field protection where applicable (especially for tape archives). Reference PE-14 for facility environmental.

Off-site media-storage arrangement If applicable: off-site provider name, contract, access-control posture, audit cadence. Reference SA-9.

Media Transport (MP-5) → §4.x

Movement of media outside controlled areas.

Transport scenarios in scope

Backup-tape rotation to off-site storage Decommissioned-drive shipment to sanitization vendor Portable-drive courier between facilities Laptop + external drive transport for telework Vendor-maintenance-component shipment Hardcopy shipment for review / signature

Chain-of-custody requirements

Sealed tamper-evident container Signature-tracked courier Two-person hand-off at each transfer GPS / RFID tracking Pre-transport encryption verification Post-transport integrity verification Time-stamped log entries Signed COC form retained per shipment

Authorized couriers (MP-5 ODV) Couriers authorized to transport media outside controlled areas. Cleared employees, GSA-bonded carriers, vendor-cleared personnel. MP-5 ODV.

Transport-encryption requirement — Select — Mandatory for all media leaving facility (FIPS 140-3 validated) Mandatory for CUI / classified; exempt for public Mandatory for digital media; physical sealing for non-digital Best-effort (with documented rationale)

Media Sanitization (MP-6) → §4.x

Sanitization methods, certificates, and decision criteria.

Sanitization categories applied (NIST SP 800-88 r1)

Clear (logical erasure — overwrite or factory reset) Purge (cryptographic erase, degauss for magnetic, NVMe sanitize, ATA secure-erase) Destroy (physical destruction — shred / incinerate / pulverize) Per data classification — Clear for Low; Purge for Moderate; Destroy for High / Classified

Sanitization-decision matrix How the sanitization category is chosen. Reference NIST SP 800-88 r1 Decision Tree (Reuse vs Recycle, Internal vs External, Sensitivity).

Sanitization-validation requirement How sanitization is validated. Tooling logs (Blancco / Killdisk certificate), random-sample re-read tests, vendor-provided certificate of destruction with serial-number match.

Destruction techniques per media type How each media type is physically destroyed when destroy is required (e.g., 'HDDs: degauss + shred; SSDs: cryptographic erase + shred; tapes: shred; optical: shred').

Witness requirement — Select — Required for classified / high-sensitivity destruction Required for all destruction events Documented but not actively witnessed (vendor self-attestation) Not formally required

Sanitization-process review cadence How often the sanitization process / equipment is reviewed for effectiveness. MP-6 ODV.

Media Use (MP-7) → §4.x

Restrictions on removable and portable media use.

Prohibited media types

Personal USB drives Personal optical media Personal external hard drives Personal smartphones (data sync) Smart cards from non-trusted issuers Wireless storage (WiFi-enabled drives) Promotional / unsolicited media (received in mail)

Authorized media types

Org-issued encrypted USB drives Org-issued external hard drives (encrypted) Optical media for software installation (read-only) Removable backup tapes for backup workflow Privileged recovery USBs (for IT staff) PIV / CAC smart cards

Enforcement mechanism How media-use policy is enforced (DLP, GPO, MDM port restrictions, physical port blockers, BIOS password).

Exception process Workflow for granting exceptions to media-use policy (e.g., for vendor-supplied installation media). Time-limited exception with retroactive review.

Media-origin restriction (MP-7) Per MP-7 ODV, restriction on media without identifiable owner (anonymous origin). Common posture: prohibited for non-public information.

Media Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Active media items in inventory Approximate count of media items currently in the inventory. Anchors the inventory-reconciliation effort.

Quarterly decommission volume Approximate count of media items sanitized / destroyed per quarter.

Quarterly transport events Approximate count of MP-5 transport events per quarter.

Authorized-access list size (MP-2) Count of personnel on the authorized-media-access list.

Media-Protection Metrics & KPIs → §6.x

Metrics tracked to demonstrate MP control effectiveness.

Tracked metrics

Add item

Suggested: + Media-inventory currency rate (% items reconciled in last cycle) + Sanitization-certificate completeness rate (% decommissions with cert on file) + MP-5 transport SLA compliance rate + Lost / unaccounted media items (target: 0) + Removable-media policy violations per quarter + Marking-audit findings per cycle + Mean time from decommission decision to sanitization-certificate filed + MP-7 enforcement-tool coverage rate + Open POA&M items linked to MP controls

Lost-Media Incident Response → §6.x

How lost-media events are detected and handled.

Lost-media detection signals

Inventory reconciliation gap Self-report from custodian Audit finding Failed return after off-site use Failed delivery / transport tracking Random-spot-check finding

Response workflow Workflow when media is reported lost. Immediate: spinning up IR investigation, assessing data exposure (encrypted vs cleartext), notification obligations (per legal counsel + privacy officer if PII).

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the MP control implementations are summarized (e.g., 'SSP §13.8').

POA&M ID prefix for MP findings Convention for MP-related POA&M items (e.g., 'POAM-MP-' for general).

PE handoff How MP-5 transport events route through the PE-16 delivery / removal workflow.

MA handoff How MP-6 sanitization is invoked before vendor maintenance per MA-2; how MA-3(2) media-inspection echoes MP scanning practice.

SC handoff How MP-4 / MP-5 cryptographic protection uses SC-12 keys and SC-28 at-rest encryption mechanisms.

SI handoff How MP-6 / MP-7 lifecycle aligns with SI-12 information management.

IR handoff How lost-media incidents trigger the IR plan workflow.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying MP continuous-monitoring metrics to the broader ConMon plan.