Policy and Procedures

To meet the NIST SP 800-53 Rev 5 MP-1 “Policy and Procedures” requirement in FedRAMP Moderate, you must create a media protection policy plus supporting procedures, then document and distribute them so staff and operators can follow them. Your documents must explicitly cover purpose, scope, roles and responsibilities, management commitment, coordination, and compliance 1.

Key takeaways:

  • You need two deliverables: a media protection policy (governance) and media protection procedures (how work gets done).
  • “Disseminate” means controlled distribution and proof people can access the current version.
  • Examiners look for alignment between the documents and day-to-day operations (tickets, logs, inventories, training, and enforcement actions).

MP-1 is a documentation control with operational teeth. In FedRAMP work, many teams treat “policy and procedures” as paperwork, then struggle during assessment because the assessor expects traceability from the written requirement to real implementation evidence. MP-1 sets the foundation for the entire Media Protection (MP) control family: if you cannot show a clear policy stance and usable procedures, it becomes harder to defend technical controls such as media access restrictions, sanitization, transport, storage, and disposal.

This requirement is also narrow and very actionable. You are not being asked to boil the ocean; you are being asked to publish media protection governance and execution instructions with specific content elements: purpose, scope, roles, responsibilities, management commitment, coordination, and compliance 1. If you write those sections crisply and connect them to your system boundary, data types, and operational workflows, you can operationalize quickly.

The guidance below is written for a Compliance Officer, CCO, or GRC lead who needs to stand up MP-1 in a way an assessor can test.

Regulatory text

Requirement (condensed from the control text): “Develop, document, and disseminate a media protection policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination, and compliance.” 1

This summary is shorter than the Rev 5 control itself. The full MP-1 text directs dissemination to organization-defined personnel or roles, requires the policy to address “coordination among organizational entities” and to be consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, and requires procedures that facilitate implementation of the policy and the associated media protection controls. The same control also requires designating an official to manage the policy and procedures and reviewing and updating both at an organization-defined frequency, so plan for a named owner and a review cadence even though this guide concentrates on the content elements.

What the operator must do

You must produce (1) a written media protection policy and (2) written media protection procedures, and you must distribute them in a controlled way. Both documents must explicitly address:

  • Purpose (why the organization protects media)
  • Scope (what systems, environments, personnel, and media types are covered)
  • Roles and responsibilities (who approves, executes, monitors)
  • Management commitment (formal sponsorship and expectation of compliance)
  • Coordination (how security, IT ops, privacy, legal, HR, facilities, and third parties coordinate)
  • Compliance (how adherence is monitored, enforced, and evidenced)

This is not satisfied by a generic “Information Security Policy” alone unless it contains all required elements specifically for media protection, and is paired with procedures people can follow.

Plain-English interpretation (what MP-1 is really asking)

Write down how your organization controls and protects “media” across its lifecycle, and make sure the right people can find and follow the instructions.

“Media” means more than USB drives. NIST treats it as digital and non-digital media that can hold system data; for MP-1 scoping, consider any mechanism that can store or carry data outside normal system processing, for example:

  • Removable media (USB, external drives)
  • Portable devices used as storage (phones used for file transfer)
  • Virtual media and mounted images (ISO files, snapshots where applicable)
  • Paper records and printouts that contain system data
  • Backup media, including those handled by third parties

Your policy sets the rules (what is allowed, prohibited, and approved). Your procedures describe the steps (how approvals work, how media is labeled, how it’s encrypted, how it’s sanitized, how it’s transported, and how exceptions are handled).

Who it applies to (entity and operational context)

Applies to:

  • Cloud Service Providers pursuing or maintaining FedRAMP Moderate authorization
  • Federal Agencies operating systems under the FedRAMP Moderate baseline 1

Operationally, it applies wherever your FedRAMP system boundary touches media, including:

  • Data center and cloud operations teams handling backups or restores
  • Endpoint management teams controlling removable media ports and device policies
  • Security teams responsible for incident response involving lost devices or media
  • Facilities teams managing secure storage, shredding, or destruction vendors
  • Third parties that store, transport, sanitize, or dispose of media on your behalf

What you actually need to do (step-by-step)

1) Define your “media” scope for the FedRAMP boundary

  • List media types that can contain system data (digital and non-digital).
  • Identify where media enters/exits the environment (backup workflows, exports, printing, RMAs, contractor laptops).
  • Decide what is in-scope for MP procedures versus covered elsewhere (for example, encryption requirements may live in a cryptography standard, but your MP procedures should point to it).

Output: “Media types and lifecycle map” for your system boundary.

2) Draft the Media Protection Policy (governance document)

Minimum sections to include (mirror the requirement language):

  • Purpose: Protect confidentiality and integrity of system data on all media.
  • Scope: FedRAMP system boundary, in-scope workforce, in-scope third parties, in-scope media types.
  • Roles & responsibilities: System Owner, ISSO/ISSM, IT Ops, Endpoint Admins, Facilities, Procurement/Vendor Management, Workforce members.
  • Management commitment: Executive sponsor approval; requirement to enforce; consequences for noncompliance.
  • Coordination: How teams coordinate approvals, investigations, and exceptions; who is consulted for third-party services.
  • Compliance: Monitoring approach, auditability expectations, how exceptions are approved, and how violations are handled.

Practical drafting tip: Write explicit policy statements assessors can test, such as “Removable media use requires documented approval” or “Media containing system data must be sanitized before disposal.” Keep them measurable.

3) Draft the Media Protection Procedures (runbooks people can follow)

Build procedures around lifecycle actions. Common procedure modules:

  • Request and approval process for removable media or data export (who approves, what’s recorded, how long records are kept).
  • Media issuance and inventory (tagging/labeling, assignment to a custodian, check-in/check-out if applicable).
  • Protection requirements (encryption expectations; secure storage; physical protection; access restrictions).
  • Transport and shipment (secure packaging, chain-of-custody documentation, approved carriers, loss reporting).
  • Sanitization and disposal (authorized methods, verification steps, third-party destruction certificates).
  • Incident handling for lost/stolen media (who to notify, response steps, evidence to preserve).
  • Exception handling (how to request, approve, time-box, and review exceptions).

Make the procedures testable: include inputs, steps, decision points, and required records for each workflow.

4) Map roles to actions (RACI-style) and align with reality

Assessors often find “roles” sections that don’t match actual team structures. Validate:

  • Who actually approves removable media requests?
  • Who owns endpoint controls blocking USB?
  • Who contracts with destruction/shredding providers?
  • Who reviews compliance evidence?

If the policy assigns actions to a team that does not exist, fix the document or fix the operating model.

5) Disseminate with version control and access control

“Disseminate” means more than emailing a PDF.

  • Publish policy/procedures in your controlled document repository.
  • Restrict editing to document owners; provide read access to relevant staff.
  • Announce the documents to impacted groups (ops, security, facilities, helpdesk).
  • Train or brief teams that execute the procedures (especially helpdesk and endpoint admins).

Evidence matters: keep proof of publication, communication, and acknowledgement where your program requires it.

6) Build a compliance loop

Define how you will prove the documents are followed:

  • Periodic checks (sample recent media requests, disposal events, shipment records).
  • Review exceptions and ensure they are time-bounded and approved.
  • Tie violations to corrective actions (ticketing, retraining, access changes).

If you use Daydream to manage control ownership, evidence requests, and audit prep, set MP-1 as a control with assigned owners, required artifacts, and a standing evidence collection cadence. That reduces last-minute scrambling during FedRAMP assessments.
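The compliance loop above needs a repeatable check behind it, not just a calendar reminder. The following is an added example, not code from this page or from any product it mentions: a small Python audit over an exception register that flags the conditions step 6 and the 61–90 day plan call out (missing approval or approval record, no expiry, already expired, exception longer than a policy ceiling, no justification). The register entries are constructed, and the field names and the 90-day ceiling are assumptions you would replace with your own policy values.

```python
"""Audit a media-protection exception register (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy ceiling for a time-boxed exception; take the real value from your MP policy.
MAX_EXCEPTION_DAYS = 90


@dataclass
class MediaException:
    """One row of an exception register. Field names are assumptions, not a standard."""
    id: str
    requester: str
    approver: str                 # empty string means nobody approved it
    approved_on: Optional[date]   # None means no approval date recorded
    expires_on: Optional[date]    # None means the exception is open-ended
    justification: str
    ticket: str                   # empty string means no approval record to point an assessor at


def audit_exception(exc: MediaException, today: date) -> List[str]:
    """Return findings for one entry; an empty list means the entry is compliant."""
    findings: List[str] = []
    if not exc.approver or exc.approved_on is None:
        findings.append("missing approval")
    if not exc.ticket:
        findings.append("no approval record")
    if exc.expires_on is None:
        findings.append("not time-boxed")
    else:
        if exc.expires_on < today:
            findings.append("expired")
        if exc.approved_on is not None and (exc.expires_on - exc.approved_on).days > MAX_EXCEPTION_DAYS:
            findings.append("exceeds max duration")
    if not exc.justification.strip():
        findings.append("no justification")
    return findings


def audit_register(register: List[MediaException], today: date) -> Dict[str, List[str]]:
    """Map exception id -> findings, keeping only entries that have at least one finding."""
    results: Dict[str, List[str]] = {}
    for exc in register:
        findings = audit_exception(exc, today)
        if findings:
            results[exc.id] = findings
    return results


# Constructed sample register and a fixed "today" so the audit is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    MediaException("EXC-001", "ops-eng", "ISSO", date(2024, 5, 15), date(2024, 7, 1),
                   "Vendor firmware delivered on USB", "GRC-101"),
    MediaException("EXC-002", "ir-lead", "", None, date(2024, 6, 30),
                   "Forensic image transfer", "GRC-102"),
    MediaException("EXC-003", "facilities", "ISSO", date(2024, 4, 1), None,
                   "Printer for shipping labels", "GRC-103"),
    MediaException("EXC-004", "backup-admin", "ISSO", date(2024, 1, 10), date(2024, 2, 10),
                   "Backup tape restore test", "GRC-104"),
    MediaException("EXC-005", "dev-lead", "System Owner", date(2024, 5, 1), date(2024, 12, 31),
                   "", ""),
]


def run_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed register; returns the findings map."""
    return audit_register(SAMPLE_REGISTER, TODAY)


if __name__ == "__main__":
    for exc_id, findings in run_audit().items():
        print(f"{exc_id}: {', '.join(findings)}")
```

Run it on an export of your real register (ticket system, spreadsheet, GRC tool) instead of the constructed list, and keep the output with the run date as part of the periodic-check evidence; an entry with no findings is the trace an assessor will ask for when they say “show me an exception and its expiration/review.”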

Required evidence and artifacts to retain

Maintain artifacts that show development, documentation, and dissemination, plus operational traceability:

Core documents

  • Media Protection Policy (approved, versioned)
  • Media Protection Procedures/runbooks (versioned)
  • Document control record (owner, approver, effective date, revision history)

Dissemination evidence

  • Repository publication record (screenshot or system export)
  • Communication/announcement record (email, intranet post, ticket)
  • Training/briefing record if you brief operators (agenda, attendance, LMS completion where applicable)

Operational proof points (samples)

  • Media approval tickets or forms (requests, approvals, justification)
  • Media inventory logs (assignment, custody changes, returns)
  • Disposal/sanitization records (work orders, certificates of destruction if a third party performs destruction)
  • Exception register entries and approvals
  • Incident tickets related to lost/stolen media and response actions

Common exam/audit questions and hangups

Assessors typically press on these areas:

  • Show me where the policy addresses each required element (purpose, scope, roles, responsibilities, management commitment, coordination, compliance).
  • Who is responsible for removable media approvals and how do they do it? Provide a recent example.
  • How do you know staff can access the latest version? Demonstrate repository controls and versioning.
  • Where are exceptions recorded and who approves them? Show an exception and its expiration/review.
  • How do your procedures cover third parties handling media? Show contract language or vendor controls if applicable.

Hangup: teams provide a strong policy but no procedures, or procedures that are generic and not connected to the system boundary.

Frequent implementation mistakes and how to avoid them

  • Mistake: Policy is generic and doesn’t mention media lifecycle activities. Why it fails in assessment: MP-1 requires media protection specifics 1. Fix: Add lifecycle policy statements and define covered media types.
  • Mistake: Procedures exist but are not owned by operators. Why it fails: No one follows them, so evidence is missing. Fix: Assign procedure owners in ops/security and validate the procedures in a tabletop exercise.
  • Mistake: “Dissemination” is informal (a one-time email). Why it fails: Hard to prove ongoing access to the current version. Fix: Use a controlled repository, versioning, and publication logs.
  • Mistake: Roles list doesn’t match org reality. Why it fails: Accountability is not credible. Fix: Align roles to current teams; name functions, not people.
  • Mistake: No coordination model. Why it fails: Cross-team handoffs fail (facilities, IT, security, third parties). Fix: Add explicit handoffs and required records at each step.

Risk implications (why auditors care)

Media is a common pathway for data to leave controlled environments: backups, exports, printouts, devices, and third-party destruction. If MP-1 is weak, you lose the “source of truth” for how media is handled. That leads to inconsistent practices, gaps in chain-of-custody, and poor incident response when something goes missing. MP-1 also sets expectations for compliance monitoring; without it, you cannot show a repeatable control environment.

Practical 30/60/90-day execution plan

First 30 days (establish the baseline)

  • Identify in-scope media types and workflows for the FedRAMP boundary.
  • Draft Media Protection Policy with all required elements 1.
  • Assign control owner and procedure owners; set document repository location and approval workflow.

Days 31–60 (publish procedures and make them executable)

  • Write procedures for approvals, inventory, transport, sanitization/disposal, incident handling, and exceptions.
  • Run a short operational walkthrough with the teams who will execute the steps; adjust to match reality.
  • Publish policy and procedures with version control and controlled access; send targeted communications to impacted teams.

Days 61–90 (prove it works and collect evidence)

  • Collect sample artifacts from real operations (tickets, inventories, destruction records).
  • Stand up an exception register and verify approvals and expirations are documented.
  • Perform an internal check: pick a recent media event (backup restore, disposal, shipment) and trace it end-to-end against your procedure steps.

Frequently Asked Questions

Do I need a standalone “Media Protection Policy,” or can it be part of a larger security policy?

Either works if the combined document explicitly covers purpose, scope, roles, responsibilities, management commitment, coordination, and compliance for media protection 1. Many teams prefer a standalone policy because it is easier to assess and maintain.

What does “disseminate” mean in practice for MP-1?

Publish the current approved version in a controlled repository and make it accessible to the people who must follow it. Keep evidence of publication and communication so you can prove dissemination during assessment.

How detailed do the procedures need to be?

Detailed enough that an operator can execute the workflow without guessing and can produce the required records (approvals, inventory entries, disposal proofs). If your procedure cannot be tested against a real ticket or log entry, it is usually too vague.

How should we handle third parties who transport or destroy media?

Your policy and procedures should state that third parties must follow defined handling, chain-of-custody, and disposal requirements, and your process should retain evidence such as destruction certificates or shipping records. Align the operational handoffs (who orders the service, who verifies completion, who stores the proof).

We don’t allow removable media. Do we still need MP-1?

Yes. You still need a media protection policy and procedures that reflect your stance (for example, “prohibited except by exception”) and cover other media pathways like paper records, backups, or third-party disposal 1.

What’s the fastest way to get audit-ready evidence for MP-1?

Pick a small set of real workflows (a disposal event, an approval request, an inventory update) and ensure each produces a clean evidence trail. Track MP-1 artifacts and recurring evidence requests in a system like Daydream so ownership and collection are not ad hoc.

Footnotes

  1. NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, control MP-1 (Policy and Procedures).

FedRAMP Moderate Policy and Procedures: Implementation Guide | Daydream