MP-1: Policy and Procedures
To meet the MP-1 (Policy and Procedures) requirement, you must create a formally approved media protection policy and supporting procedures, then distribute them to the right audiences and keep them current. Operationally, that means defining scope, roles, media handling rules, and review cadence, then proving adoption with training, acknowledgments, and execution records. 1
Key takeaways:
- MP-1 is a documentation-and-dissemination control: auditors look for approved documents plus proof people received and follow them.
- Your “procedures” must be runnable: step-by-step instructions tied to owners, systems, and records.
- Evidence matters as much as content: retention of approvals, distribution logs, and operational artifacts prevents “paper-only” findings.
MP-1 sits at the front of the NIST SP 800-53 Media Protection (MP) control family and sets the foundation for the rest of your media handling controls. If you cannot show a current policy and working procedures, assessors usually treat every downstream MP control as higher risk because the organization lacks governance for removable media, portable storage, printed outputs, backups on physical media, and media disposal.
For a CCO or GRC lead, the fastest path is to treat MP-1 as a packaging and accountability requirement: you are translating technical and operational expectations into two enforceable artifacts (policy + procedures), getting formal approval, pushing them to the right people, and proving the program actually runs. Your goal is not elegant prose. Your goal is an assessor-ready, operations-ready media protection playbook, with named owners, clear triggers, and records that show repeatable execution. The practical win: fewer surprises during audits, fewer ad hoc media decisions by staff, and less risk of controlled information leaving your environment through unmanaged channels. 1
Regulatory text
Control excerpt (MP-1): “Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:” 2
What the operator must do:
MP-1 requires you to (1) create written media protection policy and procedures, (2) formally document them in controlled artifacts, and (3) distribute them to defined audiences (the parameter in your system security plan or governance set defines exactly who must receive them). In practice, assessors expect a policy that sets direction and a procedure set that tells staff exactly how to execute media handling tasks, plus proof those materials were approved, communicated, and are being followed. 1
Plain-English interpretation (what MP-1 really demands)
MP-1 is the “no excuses” control for media governance. You need:
- A policy that states rules and accountability for media protection (what is allowed, what is prohibited, and who approves exceptions).
- Procedures that convert the policy into checklists and workflows (how teams request, encrypt, store, transport, label, sanitize, destroy, and verify media handling).
- Dissemination evidence that the right groups received the policy/procedures and understand they must follow them.
A common assessment failure mode: a good policy exists, but procedures are generic, not mapped to your tools or teams, and there is no distribution record. MP-1 is designed to catch that.
Who it applies to
Entities:
- Federal information systems and the organizations that operate them. 1
- Contractor systems handling federal data, where NIST 800-53 is required by contract, authorization boundary, or inherited control design. 1
Operational contexts that trigger real scrutiny:
- Environments handling controlled government data (for example, data subject to agency handling rules).
- Organizations that still rely on removable media (USB, external drives), printed reports, mailed storage, or physical backups.
- Hybrid operations where IT, Security, and Facilities share responsibilities for storage, chain-of-custody, and destruction.
What you actually need to do (step-by-step)
Step 1: Set scope and definitions (make the rest enforceable)
- Define “media” for your environment: removable storage, portable devices, printed output, imaging media, and physical backup media.
- Define “covered information”: map to your data classification scheme (even if simple: Public/Internal/Restricted).
- Define in-scope locations: corporate offices, data centers, remote work, and third-party facilities.
Output: MP-1 scope statement embedded in the policy and referenced in procedures.
Step 2: Draft the Media Protection Policy (the “what” and “who”)
Include these minimum sections:
- Purpose & scope
- Roles and responsibilities (Control owner, IT/SecOps, Asset Management, Facilities, Legal/Privacy if applicable)
- Allowed / prohibited media (examples: restrictions on removable media, printing, personal devices)
- Protection requirements (encryption expectations, labeling, physical security, storage requirements)
- Exception management (who can approve, required compensating controls, retention of approvals)
- Review/update requirement (tie to change triggers: new systems, incidents, audit findings)
Keep the policy short and enforceable. Put details in procedures.
Step 3: Write procedures that engineers and operations can run
Build procedures as discrete runbooks. Typical set:
- Media request & issuance (who can obtain encrypted drives, how they are tracked)
- Media handling & transport (chain-of-custody, locked storage, sign-out logs)
- Media encryption & configuration (approved encryption methods, key management ownership, configuration baselines)
- Media sanitization and destruction (what triggers sanitization, verification steps, destruction certificates handling)
- Media inventory & audits (periodic reconciliation, lost media escalation path)
- Incident response tie-in (what to do if media is lost, stolen, or suspected compromised)
Write each procedure with: trigger, prerequisites, step list, required records, and escalation.
Step 4: Assign owners and map recurring evidence (avoid “paper control” findings)
Create a one-page control map:
- Control owner (primary accountable role)
- Operators (teams executing steps)
- Systems/tools used (ticketing, asset inventory, encryption management, shredding vendor portal)
- Evidence produced (logs, tickets, forms)
- Where evidence is stored (GRC repository, ticketing system, shared drive with access controls)
This directly aligns to a recommended best practice: map MP-1 to control owner, implementation procedure, and recurring evidence artifacts. 2
Step 5: Approvals and document control
- Route policy and procedures through your formal governance path (security steering committee, CISO approval, or equivalent).
- Apply versioning, effective date, and next review date.
- Ensure documents are accessible but controlled (read-only for most staff; edit rights limited).
Step 6: Dissemination (prove you pushed it to the right audiences)
MP-1 explicitly calls out dissemination; assessors will ask “to whom?” and “how do you know they received it?” 2
Practical dissemination approaches:
- Publish in your policy portal with access logging.
- Send targeted communications to defined groups (IT admins, engineering, facilities, records management).
- Require annual policy acknowledgment for relevant roles, or acknowledgment at onboarding for sensitive roles.
Step 7: Operationalize with lightweight governance
- Add MP-1 to your control testing plan (document review + sampling of executed procedures).
- Define change triggers: new endpoints, new office, new third party handling media, incident involving lost device/media.
- Track exceptions and close them with compensating controls.
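Steps 4, 6 and 7 above all reduce to the same question an assessor asks: can you show, from records rather than memory, that the audience acknowledged the current version, that every mapped evidence artifact is actually being produced, and that no document is past its review date? The script below is an added example (not code from the page, from NIST, or from Daydream) that runs those three checks over constructed sample data. The role names, document names, artifact names and the way the dissemination audience stands in for the mp-1_prm_1 parameter are assumptions about one organization's setup, not anything the standard prescribes.

```python
"""MP-1 evidence reconciliation check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Document:
    """One controlled artifact with its document-control metadata."""
    name: str
    version: str
    approved_on: date
    next_review: date


# Constructed: the date the check is run as of.
AS_OF = date(2025, 6, 1)

# Constructed: approved documents and their review dates.
DOCS = [
    Document("Media Protection Policy", "2.0", date(2025, 1, 15), date(2026, 1, 15)),
    Document("Media Sanitization Procedure", "1.1", date(2024, 3, 1), date(2025, 3, 1)),
]

# Constructed: dissemination audience defined by function. This stands in for
# the organization's mp-1_prm_1 parameter (an assumption about how it is filled).
AUDIENCE = {
    "it-admins": ["alice", "bob"],
    "security": ["carol"],
    "facilities": ["dave"],
}

# Constructed acknowledgment log: (user, document name, version acknowledged).
ACKS = [
    ("alice", "Media Protection Policy", "2.0"),
    ("bob", "Media Protection Policy", "1.3"),   # superseded version, does not count
    ("carol", "Media Protection Policy", "2.0"),
]

# Constructed control-to-evidence map: artifact -> (owner role, source system).
EVIDENCE_MAP = {
    "media-issuance-ticket": ("it-admins", "ticketing"),
    "inventory-reconciliation": ("asset-management", "asset-inventory"),
    "destruction-certificate": ("facilities", "vendor-portal"),
    "acknowledgment-export": ("security", "lms"),
}

# Constructed records collected in the sample period: (artifact, system, reference).
RECORDS = [
    ("media-issuance-ticket", "ticketing", "TKT-1042"),
    ("destruction-certificate", "vendor-portal", "CERT-77"),
    ("acknowledgment-export", "lms", "EXPORT-2025Q1"),
]


def ack_gaps(doc, audience, acks):
    """People in each audience role with no acknowledgment of the current version."""
    acked = {user for user, name, version in acks
             if name == doc.name and version == doc.version}
    gaps = {}
    for role, people in audience.items():
        missing = sorted(set(people) - acked)
        if missing:
            gaps[role] = missing
    return gaps


def stale_documents(docs, today):
    """Names of documents whose next review date has already passed."""
    return [d.name for d in docs if d.next_review < today]


def missing_evidence(evidence_map, records):
    """Mapped artifacts with no record in the sample period, keyed to their owner."""
    seen = {artifact for artifact, _system, _ref in records}
    return {a: evidence_map[a][0] for a in evidence_map if a not in seen}


def mp1_check(docs, audience, acks, evidence_map, records, today):
    """Roll the three checks into one assessor-style gap report."""
    policy = next(d for d in docs if d.name == "Media Protection Policy")
    return {
        "ack_gaps": ack_gaps(policy, audience, acks),
        "stale": stale_documents(docs, today),
        "missing_evidence": missing_evidence(evidence_map, records),
    }


if __name__ == "__main__":
    report = mp1_check(DOCS, AUDIENCE, ACKS, EVIDENCE_MAP, RECORDS, AS_OF)
    for section, findings in report.items():
        print(f"{section}: {findings or 'none'}")
```

On the constructed data the report flags bob (acknowledged a superseded version) and dave (no acknowledgment at all), the sanitization procedure as past its review date, and the inventory reconciliation as the one mapped artifact with no record. Feeding the same functions exports from your LMS, ticketing system and document register gives you the sampling check from Step 7 as a repeatable job rather than a manual exercise.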
Where Daydream fits naturally: Daydream helps you keep MP-1 from becoming “policy shelfware” by tying the control to an owner, runnable procedures, and a recurring evidence checklist so you can answer assessor questions quickly without chasing screenshots and emails.
Required evidence and artifacts to retain
Use this as your audit-ready evidence checklist:
Policy & governance
- Approved Media Protection Policy (versioned, dated, approval record)
- Approved procedure documents/runbooks (versioned, dated)
- Document control history (change log)
Dissemination
- Distribution list definition aligned to your parameterized audience (who must receive)
- Proof of publication (policy portal record) and/or distribution emails
- Acknowledgment records (HR/LMS exports or attestation logs)
Operational records (sampleable)
- Media inventory records (asset IDs, assignment, status)
- Tickets/requests for media issuance, transport approvals, or exception approvals
- Sanitization/destruction records and certificates (if a third party performs destruction, retain their certificate package and chain-of-custody artifacts)
- Incident tickets involving lost or mishandled media and post-incident corrective actions
Common exam/audit questions and hangups
- “Show me your media protection policy and procedures.” Auditors want both; a policy without procedures triggers a maturity gap. 1
- “Who received these documents?” If you can’t name audiences and show distribution evidence, dissemination is unproven. 2
- “How do you know procedures are followed?” Expect sampling: media issuance tickets, inventory reconciliation, destruction certificates.
- “How do you handle exceptions?” If exceptions live in email, you will struggle to prove approvals and compensating controls.
- “What changed since the last review?” Stale policies are a recurring finding; tie review to change triggers and show the change log.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Writing a policy that reads like a textbook.
  Fix: Put enforceable statements in the policy; put operational detail in procedures.
- Mistake: No explicit audience definition for dissemination.
  Fix: Define roles/groups (by function) and keep the list current with HR/IT role mapping.
- Mistake: Procedures don’t match how work happens.
  Fix: Build procedures around your ticketing system and asset inventory. If it isn’t ticketed or logged, you will not have evidence.
- Mistake: Third parties are ignored.
  Fix: Add procedure steps for third-party media handling (shipping drives, offsite storage, destruction vendors) and retain their records.
- Mistake: Evidence is scattered.
  Fix: Centralize an MP-1 evidence folder and a recurring evidence calendar (what gets collected, by whom, where stored).
Enforcement context and risk implications
No public enforcement cases were provided for MP-1 in the supplied source catalog, so this page does not cite enforcement outcomes. Practically, MP-1 failures still create two common risk outcomes: (1) audit findings that cascade across the MP control family because governance is missing, and (2) higher likelihood of mishandled physical media, which is hard to detect and often discovered late through incidents or inventory gaps. 1
Practical 30/60/90-day execution plan
First 30 days (stabilize and publish)
- Confirm scope, media types, and covered information categories.
- Draft the policy and the minimum viable procedures (issuance, handling, sanitization/destruction).
- Assign owners and create the MP-1 control-to-evidence map.
- Obtain approvals and publish in a controlled repository.
By 60 days (prove dissemination and start generating evidence)
- Define the dissemination audience list and execute distribution.
- Collect acknowledgments for key roles (start with IT admins and security staff).
- Stand up the evidence pipeline: tickets required for issuance/transport, inventory updates, destruction certificate intake.
By 90 days (test and harden)
- Run an internal control check: sample recent media events and verify records match procedures.
- Fix gaps found in sampling (missing tickets, incomplete inventory fields, unclear exception path).
- Add MP-1 to your ongoing control testing cadence and update documents based on real operating feedback.
Frequently Asked Questions
Who exactly must receive the MP-1 policy and procedures?
MP-1 requires dissemination to the audiences defined by your organization’s parameterization for the control (the “mp-1_prm_1” placeholder). Practically, define functional groups who handle media or approve exceptions, then retain proof of distribution. 2
Can we satisfy MP-1 with a single combined policy/procedure document?
You can combine them if the document clearly separates policy statements (governance and requirements) from step-by-step procedures (how work is performed). Auditors still expect both elements and evidence of dissemination. 1
What evidence is most persuasive in an assessment?
Signed approvals and version history prove governance; tickets, inventory records, and destruction certificates prove operation. If dissemination is in scope, keep distribution logs or acknowledgments tied to the defined audience. 2
How do we handle third parties that destroy or store media?
Treat the third party as in-scope for your procedures: document handoff steps, chain-of-custody records, and required certificates of destruction or storage logs. Keep the artifacts with your MP-1 evidence so you can produce them on request.
Our teams “never use USB.” Do we still need MP-1?
Yes, because MP-1 sets policy and procedures for media protection broadly, including printed output and any physical media that could appear during incidents, migrations, or special projects. If USB is prohibited, state the prohibition and document how you enforce and handle exceptions.
How do we keep MP-1 from becoming stale?
Tie reviews to operational triggers (new systems, office moves, tool changes, incidents) and require a documented review/approval workflow. Maintain a change log so you can show what changed and why during an audit.
Footnotes
1. NIST SP 800-53 Rev. 5
2. NIST SP 800-53 Rev. 5 OSCAL JSON