MP-2: Media Access
To meet MP-2 (Media Access), you must restrict access to system media, both digital (removable drives, backup media, virtual media images) and non-digital (printed records), to explicitly authorized individuals or roles. Operationalize MP-2 by defining “covered media,” setting access rules for each media type and location, enforcing them physically and logically, and retaining audit-ready evidence of approvals, inventories, and reviews. 1
Key takeaways:
- Define the media scope first (what counts as “media” in your environment) and assign a control owner.
- Enforce access through role-based authorization plus physical safeguards for stored media.
- Keep recurring evidence: inventories, access approvals, access logs (where available), and periodic reviews.
MP-2 sits in the NIST SP 800-53 “Media Protection” family and focuses on a narrow but high-risk problem: uncontrolled access to media that contains sensitive information. “Media” is broader than USB drives. In most environments it includes backup tapes, portable drives, laptops slated for disposal, printed records, and sometimes virtual media mounted to systems for administration. MP-2 expects you to decide what media is in scope, then restrict access to that media so only approved people can handle it.
For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat MP-2 as an access control problem with two enforcement layers: (1) administrative authorization (who is allowed to access media, for what purpose, and under what conditions) and (2) operational controls (locks, controlled rooms, checkout procedures, secure cabinets, system permissions, and monitoring where feasible). Assessors cannot test MP-2 efficiently if you lack a clean inventory and a repeatable access approval workflow. Many control programs treat an MP-2 failure as a medium-severity finding because media loss or misuse bypasses network defenses entirely and often surfaces later as an incident with little forensic visibility: there is usually no packet capture or authentication log for a tape that walked out of a cabinet.
This page gives requirement-level guidance you can implement quickly and defend during assessment against NIST SP 800-53 Rev. 5 expectations. 1
Regulatory text
Requirement (excerpt): “Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}.” 2
Operator interpretation: The two placeholders are organization-defined assignments. In Rev. 5 the first is the organization-defined types of digital and/or non-digital media to be protected, and the second is the organization-defined personnel or roles permitted to access them. You must therefore define:
- What media is in scope (the “{{ mp-2_prm_1 }}” part), and
- Who is allowed to access it (the “{{ mp-2_prm_2 }}” part). 2
What you must do to satisfy the text:
- Identify the media types and storage/handling locations that are in scope for your system(s).
- Define authorized roles or named individuals allowed to access each media category.
- Implement restrictions that actually prevent non-authorized access (physical and/or logical).
- Maintain evidence that access is controlled and reviewed. 2
Plain-English interpretation (what MP-2 is really asking)
MP-2 requires you to prevent “anyone who can get their hands on it” access to information-bearing media. If the media holds federal data, regulated data, credentials, production backups, or sensitive configurations, you need a controlled path for access (approval, purpose, tracking) and barriers that make casual or unauthorized access difficult.
Think of MP-2 as answering three audit questions:
- What media exists and where is it?
- Who can access it and why?
- How do you prove access stayed within those boundaries over time?
Who it applies to (entity and operational context)
MP-2 commonly applies to:
- Federal information systems and the organizations operating them.
- Contractor systems handling federal data, including cloud and managed service environments where your team or a third party stores, transports, or disposes of media tied to the system boundary. 2
Operational contexts where MP-2 becomes urgent:
- Data centers, server rooms, and network closets with backup media or decommissioned hardware.
- IT asset disposal and return-to-lessor workflows.
- End-user environments where removable media is permitted for legitimate work.
- Third-party storage, offsite backup handling, or device repair processes (chain of custody and authorization).
What you actually need to do (step-by-step)
1) Set the scope: define “media” for your system boundary
Create a scoped list of media categories you will control, such as:
- Removable digital: USB drives, external HDD/SSD, SD cards.
- Backup media: tapes, removable backup drives, portable NAS devices.
- Physical records: printed reports, forms, labels with sensitive data.
- “Media awaiting disposition”: laptops, drives, servers pending wipe/destruction.
- Virtual media (if applicable): ISO images or mounted virtual disks used for admin tasks.
Deliverable: MP-2 Media Scope Statement mapped to your system boundary and data classification.
2) Define who is authorized (roles, not just names)
Build a role-based authorization matrix. Example roles:
- Backup Operators (access to backup media vault only)
- IT Asset Management (access to devices pending disposal)
- Security (access for investigations)
- Facilities (no access unless escorted)
Deliverable: Media Access Authorization Matrix (media type × location × authorized roles × conditions).
3) Implement physical access controls for stored media
Pick controls appropriate to your environment:
- Secure cabinets/safes for removable media and printed sensitive records.
- Restricted rooms for backup storage and staging.
- Badge access lists aligned to the authorization matrix.
- Visitor escort requirements where media is present.
Auditor-friendly tip: ensure your physical access list can be exported or evidenced and ties to the same roles you defined in the matrix.
4) Implement logical controls for systems that manage media
Where media is created/managed through systems, restrict who can:
- Write backups, restore backups, or export backup sets.
- Mount virtual media in hypervisors or management consoles.
- Access file shares that store “media images” or backup repositories.
Deliverable: screenshots/config exports showing role assignments and permissions for backup systems or repositories.
5) Add a controlled “checkout / handling” process
If media moves (offsite storage, courier, repair, disposal), define:
- Request + approval requirements (who approves and on what basis).
- Chain-of-custody tracking (who had it, when, and purpose).
- Secure transport expectations (tamper-evident packaging where used, approved couriers where required by your policy).
- Return confirmation and reconciliation against inventory.
Deliverable: Media Handling Procedure and Media Checkout Log template (digital or ticket-based).
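A checkout log only proves custody if someone reconciles it. The following is an added example, not code from the original page: it replays a constructed checkout ledger against a constructed inventory and flags the custody breaks a reviewer looks for in step 5 (media returned by someone other than the person who checked it out, returns with no matching checkout, IDs that are not in inventory, events with no approval ticket, and media out past a maximum loan period). The media IDs, ticket numbers, names and the seven-day limit are assumptions; a real ledger would be an export of checkout tickets from your ticketing system.

```python
"""Reconcile a media checkout ledger against inventory and flag custody breaks.

Added example, not code from the original page. The inventory and ledger rows
below are constructed sample data standing in for a ticketing-system export.
"""
from datetime import datetime, timedelta

# Tracked media (step 1 scope, step 6 inventory): media ID -> home location.
INVENTORY = {
    "TAPE-0413": "vault-1",
    "TAPE-0414": "vault-1",
    "HDD-2291": "itad-cage",
}

# Ledger rows: (timestamp, event, media ID, person, approval ticket, purpose).
LEDGER = [
    ("2024-04-01T09:00", "checkout", "TAPE-0413", "alice", "CHG-101", "offsite rotation"),
    ("2024-04-01T09:05", "checkout", "TAPE-0414", "alice", "CHG-101", "offsite rotation"),
    ("2024-04-03T16:30", "return", "TAPE-0413", "alice", "CHG-101", ""),
    ("2024-04-03T16:31", "return", "TAPE-0414", "dave", "CHG-101", ""),  # returned by someone else
    ("2024-04-10T11:00", "checkout", "HDD-2291", "bob", "ITAD-55", "vendor destruction"),
    ("2024-04-12T10:00", "return", "TAPE-0999", "carol", "CHG-130", ""),  # ID not in inventory
]


def audit_custody(inventory, ledger, now, max_out=timedelta(days=7)):
    """Replay the ledger in time order and return (findings, still_out).

    findings: list of (media ID, reason) in the order they were detected.
    still_out: {media ID: (person, ticket, checkout time)} for media not yet
    returned, so the list can be reconciled against what is physically in the vault.
    """
    out = {}
    findings = []
    for ts, event, media, person, ticket, _purpose in sorted(ledger):
        when = datetime.fromisoformat(ts)
        if media not in inventory:
            findings.append((media, f"{event} recorded for media not in inventory"))
        if not ticket:
            findings.append((media, f"{event} without an approval ticket"))
        if event == "checkout":
            if media in out:
                findings.append((media, f"checked out while already out with {out[media][0]}"))
            out[media] = (person, ticket, when)
        elif event == "return":
            prior = out.pop(media, None)
            if prior is None:
                findings.append((media, "return without a matching checkout"))
            elif prior[0] != person:
                findings.append((media, f"checked out by {prior[0]} but returned by {person}"))
        else:
            findings.append((media, f"unknown event type {event!r}"))
    # Anything still out past the loan limit is a custody finding even without an error in the log.
    for media, (person, ticket, when) in out.items():
        if now - when > max_out:
            findings.append((media, f"out with {person} since {when.date()} ({ticket}), exceeds {max_out.days} days"))
    return findings, out


if __name__ == "__main__":
    found, still_out = audit_custody(INVENTORY, LEDGER, datetime.fromisoformat("2024-04-20T09:00"))
    for media, reason in found:
        print(f"{media}: {reason}")
    print("still out:", sorted(still_out))
```

Run it at the end of each review period with the review date as `now`; the `still_out` list is what you physically reconcile against the vault, and the findings list becomes the exceptions section of the review record.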
6) Review access periodically and reconcile to inventory
MP-2 becomes hard to defend when access lists drift. Set a recurring review cadence that matches your governance process (for example, align to quarterly access reviews or system authorization cycles). Keep it consistent and provable.
Deliverable: Access Review Records showing:
- who reviewed,
- what was reviewed (access lists, badge groups, vault access),
- exceptions and remediation actions.
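One way to run the review in step 6, and at the same time evidence that the badge groups from step 3 and the backup-tool roles from step 4 match the matrix from step 2, is to reconcile the exported membership lists against the matrix mechanically rather than by eye. The following is an added example, not code from the original page. The enforcement-point names, roles, people and exports are constructed stand-ins for a badge-system group export and a backup tool's role export; the identity source of truth is assumed to provide each person's approved role.

```python
"""Reconcile exported access-group membership against the MP-2 authorization matrix.

Added example, not code from the original page. All data below is constructed:
the matrix, the identity-source role assignments, and the membership exports
stand in for your badge-system export and your backup tool's role export.
"""
from collections import defaultdict

# Authorization matrix (step 2). Keys are enforcement points: a badge group for a
# room or cabinet, or a role inside the backup tool. "roles" may hold standing
# access; "escort_only" roles may enter only when escorted and so must never
# appear as standing members of the group.
AUTH_MATRIX = {
    "badge:VAULT-1": {
        "media": "backup tapes, vault-1",
        "roles": {"backup_operator", "security"},
        "escort_only": {"facilities"},
    },
    "badge:ITAD-CAGE": {
        "media": "devices pending disposal, ITAD cage",
        "roles": {"asset_management", "security"},
        "escort_only": {"facilities"},
    },
    "backup:RestoreOperator": {
        "media": "backup repository restore/export",
        "roles": {"backup_operator"},
        "escort_only": set(),
    },
}

# Role assignments from the identity source of truth (constructed).
PERSON_ROLES = {
    "alice": {"backup_operator"},
    "bob": {"asset_management"},
    "carol": {"security"},
    "dave": {"facilities"},
    "erin": {"endpoint_support"},
    "frank": {"endpoint_support"},  # moved off the backup team; tool role was never removed
}

# Membership exports as they arrive for the quarterly review (constructed).
EXPORTS = {
    "badge:VAULT-1": {"alice", "carol", "dave", "erin"},
    "badge:ITAD-CAGE": {"bob", "carol"},
    "backup:RestoreOperator": {"alice", "frank", "ghost"},
    "share:MediaImages": {"alice", "erin"},  # file share nobody added to the matrix
}


def reconcile(matrix, person_roles, exports):
    """Compare exports to the matrix.

    Returns {enforcement point: [(subject, reason), ...]} containing only the
    points with findings; an empty dict means no drift was detected.
    """
    findings = defaultdict(list)
    for point, rule in matrix.items():
        members = exports.get(point)
        if members is None:
            findings[point].append(("<no export>", "no membership export; restriction cannot be evidenced"))
            continue
        for person in sorted(members):
            roles = person_roles.get(person)
            if roles is None:
                findings[point].append((person, "not in identity source (orphaned account)"))
            elif roles & rule["escort_only"]:
                findings[point].append((person, "escort-only role holds standing access"))
            elif not roles & rule["roles"]:
                findings[point].append((person, f"roles {sorted(roles)} not authorized for {rule['media']}"))
    # Exports for points the matrix never mentions are scope gaps, not clean passes.
    for point in sorted(exports.keys() - matrix.keys()):
        findings[point].append(("<unscoped>", "export exists for an enforcement point the matrix does not cover"))
    return dict(findings)


def review_record(findings):
    """Render findings as the lines of an access review record (step 6 deliverable)."""
    if not findings:
        return ["No drift found; all memberships match the authorization matrix."]
    lines = []
    for point in sorted(findings):
        lines.append(f"{point}:")
        lines.extend(f"  - {subject}: {reason}" for subject, reason in findings[point])
    return lines


if __name__ == "__main__":
    print("\n".join(review_record(reconcile(AUTH_MATRIX, PERSON_ROLES, EXPORTS))))
```

The escort-only check is the one most often missed in manual reviews: a facilities badge that was added "temporarily" to the vault group is a real authorization failure even though the person is a legitimate employee. Treating unscoped exports as findings also keeps the matrix honest when a new repository or share appears between reviews.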
7) Map MP-2 to an owner, procedure, and recurring evidence
Make MP-2 operational by assigning:
- Control owner (often IT Operations or Security Operations)
- Supporting owners (Facilities, Asset Management, Backup team)
- Evidence sources and frequency
A simple way to stay assessment-ready is to keep a “control card” that points to the exact systems, locations, and logs that prove restriction. Daydream can help by turning this into a living control record with assigned owners, tasking, and evidence collection workflows so MP-2 doesn’t degrade into a one-time policy document. 2
Required evidence and artifacts to retain
Keep artifacts that prove both design (rules exist) and operation (rules are followed):
Governance / design
- Media scope statement (in-scope media types and locations)
- Media Access Authorization Matrix (roles and conditions)
- Media Handling Procedure (checkout, transport, storage, return)
- Exceptions process (how you approve deviations and for how long)
Operational evidence
- Media inventory (unique IDs for backup media where applicable; asset tags for devices pending disposal)
- Physical access lists / badge group membership exports for restricted areas
- Ticket samples for media access requests and approvals
- Checkout/chain-of-custody logs for moved media
- Access review evidence (sign-offs and remediation follow-up)
- Training acknowledgments for staff authorized to handle sensitive media (if your program requires training for the role)
Common exam/audit questions and hangups
Auditors and assessors often probe these points:
- “What is ‘media’ in your environment?” If you can’t answer crisply, scope creep or under-scope findings follow.
- “Show me who can access backup media and how that is enforced.” They will expect alignment between your matrix and actual badge groups or system roles.
- “How do you know access hasn’t drifted?” They will look for periodic reviews and evidence of removals.
- “How do you control media during disposal?” Decommissioned devices commonly fall between IT and Facilities unless ownership is explicit.
- “How do third parties fit?” If a third party stores or transports media, your process must still restrict access and maintain accountability within your governance model.
Frequent implementation mistakes (and how to avoid them)
- Policy-only compliance. A policy that says “restricted” without enforcement artifacts fails quickly. Pair every rule with a control point (cabinet, room, role, ticketing step) and evidence source.
- No inventory, no proof. If you can’t enumerate media categories and storage locations, you can’t prove restriction is meaningful. Start with “where media lives” and refine.
- Over-broad authorization. Granting “IT Admins” blanket media access is easy, but it breaks least privilege and complicates accountability. Define narrower roles (backup operator vs. endpoint support).
- Ignoring media in transition. Most losses happen during movement: offsite rotation, repair shipments, or office moves. Add chain-of-custody steps for any transfer.
- Third-party handling is undocumented. If a third party touches backup tapes or device returns, document authorization, custody, and the handoff evidence you receive back.
Risk implications (why operators care)
Media access failures create high-impact exposure because media often contains concentrated data (full backups, full disk images, exported reports). When media is mishandled, investigation and containment are harder because access may not be logged the way network events are. MP-2 also supports system authorization narratives: you can show assessors that sensitive information is protected even outside normal system boundaries.
Practical 30/60/90-day execution plan
First 30 days (stabilize scope and ownership)
- Assign an MP-2 control owner and supporting owners (Facilities, Backup/Infra, Asset Management).
- Produce the first version of your media scope statement and media location list.
- Draft the Media Access Authorization Matrix and get operational sign-off.
- Identify the evidence sources you can reliably export (badge groups, backup tool roles, ticket categories).
Days 31–60 (implement enforcement + minimum viable tracking)
- Align badge access groups and room permissions to the authorization matrix.
- Implement a basic checkout workflow in your ticketing system for removable/backup media movement.
- Stand up a media inventory approach that fits reality (asset register entries for devices pending disposal; unique IDs for tracked removable media where required by your policy).
- Collect your first “evidence packet” (matrix, access lists, sample tickets, inventory snapshot).
Days 61–90 (make it durable and audit-ready)
- Run the first formal access review against your matrix; remove unauthorized access and document remediation.
- Test your process with a tabletop: request access, approve, check out media, return, reconcile inventory.
- Add exception handling and escalation criteria so operators don’t bypass controls under time pressure.
- If you use Daydream, configure recurring evidence tasks and ownership routing so MP-2 stays current without manual chasing. 2
Frequently Asked Questions
What counts as “media” for MP-2 in a cloud-first environment?
Treat “media” as anything that stores system data outside normal application access paths, including backup repositories, exported snapshots, and virtual media images you mount in admin consoles. Document your definition and enforce access through admin roles and repository permissions. 2
Do I need logs for every physical access to media?
MP-2 requires restriction, not a specific logging technology in the excerpted text. If you can log (badge access reports, checkout tickets), keep it; if you can’t, strengthen compensating controls like locked storage and documented custody procedures. 2
How do I operationalize MP-2 if multiple teams touch media (IT, Facilities, Security)?
Put one owner accountable for MP-2 and assign supporting responsibilities per media type and location. Use a single authorization matrix so badge access, cabinet keys, and backup-admin roles all trace to the same approved roles. 2
What evidence is most persuasive to an assessor?
A tight set: scoped media definition, authorization matrix, exports of actual access group membership, and a small sample of approvals/checkout records that show the process runs. Add a periodic review record to prove the control doesn’t drift. 2
How should we handle third-party access to backup media or device repair?
Treat the third party as part of your custody chain. Require written authorization, define handling steps, and retain handoff evidence (tickets, receipts, return confirmation) that ties back to your internal approvals. 2
Can we meet MP-2 without allowing any removable media at all?
Yes. If your policy prohibits removable media, MP-2 is satisfied by enforcing that prohibition and restricting any necessary exceptions through a controlled approval and tracking path. Keep evidence of the configuration or administrative controls that enforce the restriction. 2
Footnotes
1. NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, control MP-2 (Media Access).
2. NIST SP 800-53 Rev. 5 OSCAL JSON representation of MP-2 (parameters mp-2_prm_1 and mp-2_prm_2).