Media Transport

The media transport requirement (NIST SP 800-53 Rev. 5 MP-5) means you must protect and control system media you define (for example, backup drives or devices holding logs) whenever it is transported outside controlled areas. Operationally, you need a written standard, approved transport methods, chain-of-custody controls, and evidence that every offsite movement is authorized, trackable, and protected. 1

Key takeaways:

  • Define what counts as “system media” in your environment and when it is “outside a controlled area.” 1
  • Implement transport controls you choose (encryption, tamper-evident packaging, custody logs, approved couriers) and apply them consistently. 1
  • Keep audit-ready proof: approvals, chain-of-custody records, inventory updates, and exception handling for every transport event. 1

MP-5 is easy to describe and surprisingly easy to fail in practice: media leaves a controlled area during real operations (hardware returns, forensic work, backups, migrations, data center moves), and the “one-off” shipment becomes the gap that auditors focus on. MP-5 does not mandate a single shipping method. It requires that you define the media types in scope and the controls you will use, then prove you applied those controls whenever media transits outside controlled areas. 1

For FedRAMP Moderate operators, the win condition is repeatability. You want a process that works the same way whether the request comes from IT Ops, Security, Legal, or a third-party repair depot. That means: (1) clear scoping (what media, what locations, what “transport” includes), (2) pre-approved control options mapped to risk, and (3) records that show authorization, protection, custody, and closure. 1

If you manage cloud infrastructure, don’t assume this is “a data center problem.” MP-5 often applies to removable media used for backups, key material handling, break-glass incident response, secure destruction workflows, and any time a third party handles your media offsite. 1

Regulatory text

Requirement (MP-5): “Protect and control organization-defined types of system media during transport outside of controlled areas using organization-defined controls.” 1

What the operator must do

You must:

  1. Define which “types of system media” are in scope for transport controls in your environment. 1
  2. Define what qualifies as “transport outside of controlled areas” for your facilities, people, and third parties. 1
  3. Implement controls you choose (technical, physical, and procedural) that protect and control the media during transport. 1
  4. Demonstrate consistent execution through records and oversight. 1

Plain-English interpretation (what MP-5 is really asking)

If media can walk out the door, it can be lost, stolen, swapped, or copied. MP-5 requires you to treat transport as a controlled activity, not an informal errand.

“Protect” typically means preventing unauthorized disclosure or tampering (for example, encrypting data on the media and using tamper-evident packaging). “Control” typically means knowing where it is, who has it, and whether it arrived intact (for example, chain-of-custody records and approved couriers). The requirement is intentionally flexible: you pick the controls, but auditors will test whether your choices are reasonable and consistently followed. 1

Who it applies to (entity and operational context)

Applies to: Cloud Service Providers and Federal Agencies operating systems aligned to the FedRAMP Moderate baseline. 1

Operationally relevant when:

  • Removable storage (USB, external SSD/HDD) is used for backups, data staging, exports, or investigations.
  • Hardware containing storage is shipped (RMA returns, warranty repair, decommissioning).
  • Media is transferred between sites, data centers, secure labs, or to a third party (courier, colocation provider, eDiscovery provider, forensics firm).
  • Paper outputs containing sensitive system information (configuration baselines, credentials, key material, sensitive logs) are moved outside controlled areas.

“Controlled area” is yours to define. In practice, it is any space with enforced access controls you trust (badging, guards, locked cages, monitored rooms). MP-5 is triggered the moment media crosses that boundary. 1

What you actually need to do (step-by-step)

Step 1: Define “system media” and classify transport risk

Create a short scoping statement in your standard:

  • Media types in scope: removable digital media, mobile devices used as storage, backup tapes/drives, laptops temporarily acting as carriers, paper printouts that contain sensitive system data.
  • Data sensitivity levels: align to your data classification (for example: public, internal, controlled unclassified information, regulated).
  • Transport scenarios: between offices, to employee homes (if allowed), to third parties, to offsite storage, to disposal/destruction.

Outcome: a simple matrix that maps media type + data sensitivity + destination to required controls.

Step 2: Define the “organization-defined controls” you will use

Pick a small menu of approved transport patterns. Examples you can operationalize quickly:

  • Encryption-at-rest requirement for digital media before transport (with key handling owned by your org, not the courier).
  • Tamper-evident packaging plus unique seal identifiers recorded at handoff and receipt.
  • Chain-of-custody log with required fields (requestor, approver, asset ID/serial, seal ID, courier tracking, handoff signatures, dates/times, receipt validation).
  • Approved couriers only (explicitly disallow consumer shipping drop boxes for sensitive media).
  • Two-person integrity for highest sensitivity media (handoff requires two authorized staff).
  • Prohibit transport for certain media types (for example, “no plaintext backups may leave controlled areas”).

Keep it tight. Auditors prefer a small set of enforceable rules over a long list of optional controls.

Step 3: Build a transport authorization workflow

Require documented authorization before media leaves a controlled area:

  • Request includes business purpose, destination, sensitivity, and return/disposition plan.
  • Approval by data owner or security (define who approves which scenarios).
  • Automatic checks: media must be inventoried; encryption status must be attested; destination must be approved.

If you use Daydream for GRC workflow, implement a “Media Transport” request intake that auto-creates required tasks (encryption verification, packaging, custody log, inventory update) and stores artifacts in one control record.

Step 4: Execute with chain-of-custody discipline

Minimum execution pattern that holds up in audits:

  1. Prepare media (sanitize if needed, write-protect if applicable, encrypt, label asset tag).
  2. Package (tamper-evident bag/box, record seal ID, include no sensitive labels on the exterior).
  3. Handoff to courier/authorized transporter with identity verification and tracking number recorded.
  4. Receipt at destination includes seal inspection, serial verification, and a receipt signature.
  5. Closeout updates inventory and records final status (stored, returned, destroyed, or transferred).
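The following is an added illustration, not code from this page or from Daydream, of how Steps 1 through 4 fit together as data: a control matrix keyed by media type, sensitivity and destination, a chain-of-custody record with the fields listed in Step 2, and an audit check that reports which evidence is missing for a transport event. The same check is what the 90-day “internal audit-style sample” would run over recent events. The media-type and sensitivity labels, the record field names, the rule that the approver must differ from the requestor, and both sample records are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Steps 1 and 2: the control matrix. Keys are (media type, data sensitivity,
# destination class); values are the pre-approved control set. Labels are
# constructed assumptions; a real program would use its own classification.
CONTROL_MATRIX: Dict[Tuple[str, str, str], FrozenSet[str]] = {
    ("removable_digital", "regulated", "third_party"):
        frozenset({"encryption", "tamper_seal", "approved_courier", "two_person"}),
    ("removable_digital", "internal", "site"):
        frozenset({"encryption", "tamper_seal", "approved_courier"}),
    ("paper", "internal", "site"):
        frozenset({"tamper_seal", "approved_courier"}),
}
# Step 2: scenarios that are never pre-approved ("no plaintext backups leave").
PROHIBITED_MEDIA = frozenset({"backup_plaintext"})
# Step 4, item 5: the only acceptable closeout states.
FINAL_STATES = frozenset({"stored", "returned", "destroyed", "transferred"})


def required_controls(media_type: str, sensitivity: str,
                      destination: str) -> Optional[FrozenSet[str]]:
    """Pre-approved control set, or None when the scenario is prohibited or
    absent from the matrix (i.e. it needs a documented exception)."""
    if media_type in PROHIBITED_MEDIA:
        return None
    return CONTROL_MATRIX.get((media_type, sensitivity, destination))


@dataclass
class CustodyRecord:
    asset_id: str                     # Step 3: media must be inventoried
    media_type: str
    sensitivity: str
    destination: str
    requestor: str                    # Step 3: authorization
    approver: str
    controls_applied: FrozenSet[str]  # Step 4: execution evidence
    encryption_attested: bool
    seal_id_handoff: str
    seal_id_receipt: str
    released_by: List[str]            # named handlers at handoff
    received_by: str
    courier_tracking: str
    receipt_signature: bool
    serial_verified_at_receipt: bool
    inventory_closed: bool
    final_status: str


def audit_record(r: CustodyRecord) -> List[str]:
    """Return audit findings for one transport event; an empty list is clean."""
    findings: List[str] = []
    if not r.requestor or not r.approver:
        findings.append("missing authorization")
    elif r.approver == r.requestor:  # assumption: separation of duties on approval
        findings.append("self-approved request")
    required = required_controls(r.media_type, r.sensitivity, r.destination)
    if required is None:
        findings.append("scenario not pre-approved; exception record required")
    else:
        missing = required - r.controls_applied
        if missing:
            findings.append(f"required controls not applied: {sorted(missing)}")
        if "encryption" in required and not r.encryption_attested:
            findings.append("encryption not attested before transport")
        if "two_person" in required and len(r.released_by) < 2:
            findings.append("two-person handoff not recorded")
    # A tracking number proves location progress, not who had physical access.
    if not r.released_by or not r.received_by:
        findings.append("custody gap: tracking number is not a named handler")
    if not r.courier_tracking:
        findings.append("no courier tracking recorded")
    if r.seal_id_handoff != r.seal_id_receipt:
        findings.append("seal mismatch at receipt: treat as tamper event")
    if not r.receipt_signature or not r.serial_verified_at_receipt:
        findings.append("receipt verification incomplete")
    if not r.inventory_closed or r.final_status not in FINAL_STATES:
        findings.append("closeout missing: inventory not updated")
    return findings


def sample_audit(records: List[CustodyRecord]) -> Dict[str, List[str]]:
    """Run the check over a sample of events, as the 90-day plan describes."""
    return {r.asset_id: audit_record(r) for r in records}


# Constructed sample events: one complete, one with the common failure modes.
SAMPLE = [
    CustodyRecord("DRV-0001", "removable_digital", "regulated", "third_party",
                  "ops.alice", "sec.bob",
                  frozenset({"encryption", "tamper_seal", "approved_courier", "two_person"}),
                  True, "S-1001", "S-1001", ["ops.alice", "ops.carol"], "depot.intake",
                  "TRK-CONSTRUCTED-1", True, True, True, "returned"),
    CustodyRecord("DRV-0002", "removable_digital", "internal", "site",
                  "ops.dave", "ops.dave",
                  frozenset({"tamper_seal", "approved_courier"}),
                  False, "S-2001", "S-2002", [], "site.desk",
                  "TRK-CONSTRUCTED-2", False, True, False, "in_transit"),
]

if __name__ == "__main__":
    for asset, findings in sample_audit(SAMPLE).items():
        print(asset, "OK" if not findings else findings)
```

The point of the split between `required_controls` and `audit_record` is that the matrix, not the reviewer, decides what “protected” meant for a given shipment, so the same record is judged the same way whether it was a routine backup move or a one-off RMA.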

Step 5: Manage third parties explicitly

If a third party touches the media (shipping provider, repair depot, offsite storage, destruction vendor):

  • Put transport and custody expectations in the contract or SOW (who can handle, how tracked, breach notification expectations, and return/destruction requirements).
  • Ensure the third party’s role is clear: they may transport; they may not access content unless explicitly approved and controlled.

Step 6: Handle exceptions and incidents

Define:

  • Exception criteria (what can be approved, by whom, and for how long).
  • Lost-in-transit process (incident escalation, tracking inquiry, risk assessment, customer/government notification triggers if applicable to your program).
  • Tamper event process (quarantine, forensics, rekey/credential rotation if secrets could be exposed).

Required evidence and artifacts to retain

Auditors will ask for proof of definition, execution, and oversight. Retain:

  • Media Transport Standard/Procedure defining scope, controlled areas, and required controls. 1
  • Approved control matrix (media type/sensitivity → required transport controls).
  • Media inventory records (asset IDs, serial numbers, assigned owners, status).
  • Transport authorization tickets/approvals (including exception approvals).
  • Chain-of-custody logs for each transport event (handoff, tracking, receipt, seal IDs).
  • Encryption attestations or configuration evidence showing encryption was enabled before transport.
  • Third party contracts/SOW clauses covering media handling (as applicable).
  • Incident records for lost/tampered shipments, including post-incident actions.

Common exam/audit questions and hangups

Expect these lines of questioning:

  • “What media types are in scope, and how did you decide?” 1
  • “Define ‘controlled area’ for your program. Show where media leaves it.” 1
  • “Show me the last few transport events end-to-end: approval → custody → receipt → inventory update.”
  • “How do you know media was encrypted before shipment?”
  • “How do you handle RMAs and damaged drives?”
  • “What do you do if a package is delayed, lost, or arrives with a broken seal?”

Hangup to plan for: teams treat shipping tracking numbers as “custody.” Tracking proves location progress, not who had physical access. Your custody record must identify authorized handlers and integrity checks at receipt.

Frequent implementation mistakes (and how to avoid them)

  1. Scope that ignores real-world media. Many programs only address backup tapes and forget laptops used for ad hoc exports. Fix: define system media broadly, then prohibit risky scenarios rather than ignoring them. 1
  2. Controls defined but not operationalized. A policy that says “encrypt media” fails if no one checks. Fix: add an encryption verification step to the transport workflow.
  3. No definition of controlled areas. Auditors need a boundary. Fix: document controlled areas by site type (office, data center cage, secure room) and the access controls used.
  4. Weak third party handling. Shipping to a repair depot without contractual handling terms creates a gap. Fix: bake requirements into procurement and intake checklists.
  5. Missing closure. Teams log shipment but never document receipt verification and inventory updates. Fix: make “receipt + closure” a required task, not optional.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so treat risk through an examiner lens rather than case law.

Risk outcomes MP-5 is designed to prevent:

  • Confidentiality loss from lost/stolen media in transit.
  • Integrity compromise from media swapping or tampering.
  • Operational disruption when you cannot prove where sensitive media went.

For FedRAMP programs, inability to demonstrate consistent execution typically becomes an audit finding because MP-5 is testable with sampling. If you can’t produce chain-of-custody and approvals for sampled shipments, auditors will treat the control as not implemented.

Practical execution plan (30/60/90-day)

Use phases to move fast without guessing dates or durations.

First 30 days (Immediate)

  • Assign an owner (Security/GRC with IT Ops support) for the Media Transport Standard.
  • Define controlled areas and in-scope media types for your boundary. 1
  • Stand up a basic transport request workflow (ticket form is fine) with required fields and approvers.
  • Create a custody log template and require it for any transport starting now.

By 60 days (Near-term)

  • Implement the control matrix (what controls apply to what media/sensitivity).
  • Formalize packaging and courier requirements; publish “approved transport methods.”
  • Integrate inventory updates into the workflow (no shipment without an asset record).
  • Review third parties that handle media; add contract language or compensating controls where needed.

By 90 days (Operational maturity)

  • Run an internal audit-style sample: pick recent transport events and validate evidence completeness.
  • Train staff who ship/receive media; document training completion for involved roles.
  • Add exception governance and incident playbooks (lost shipment, broken seal, delayed transit).
  • Centralize evidence in your GRC system. Daydream can act as the control hub that ties approvals, custody logs, third party records, and audit samples to the MP-5 requirement in one place.

Frequently Asked Questions

What counts as “system media” under the media transport requirement?

MP-5 lets you define the media types, but auditors will expect you to cover any physical media that can store or expose system data, including removable drives and hardware being shipped for repair. Write the list explicitly and tie it to your data classification. 1

Does MP-5 apply if the media is encrypted?

Yes. Encryption is usually a key “protect” control, but you still need “control” through authorization, tracking, and custody records during transport outside controlled areas. 1

Is a courier tracking number enough evidence of chain-of-custody?

Usually not. Tracking shows shipment progress; it does not prove authorized handoffs, seal integrity, or receipt verification. Keep a custody log that records who released and who received the media, plus integrity checks.

How do we handle RMAs where the manufacturer wants the drive back?

Treat it as a transport event with explicit approval, documented encryption/sanitization decisions, tamper-evident packaging, and a record of the manufacturer as a third party handler. If you cannot meet your defined controls, document an exception and compensating controls.

What if a remote employee needs to transport media from home to the office?

Decide whether “home” is ever an approved destination/source for in-scope media. If you allow it, define required controls (encryption, sealed packaging, approved courier pickup, no personal transport) and document approvals the same way as office shipments. 1

What evidence will auditors ask for first?

They typically ask for the written procedure and a sample of recent shipments showing approval, custody records, and receipt verification, plus proof that the media was protected per your defined controls. 1

Footnotes

  1. NIST Special Publication 800-53 Revision 5


FedRAMP Moderate Media Transport: Implementation Guide | Daydream