MP-4: Media Storage
MP-4: Media Storage requires you to physically control and securely store the types of system media (digital and non-digital) that you define, inside controlled areas that you define, and to be able to show that those controls actually operate. To operationalize it fast, inventory all media types, define approved storage locations, implement access controls and logs, and keep repeatable proof for audits. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Key takeaways:
- Define what “media” includes in your environment, then assign approved storage locations and owners for each type.
- Control physical access to stored media and record who can access it, when, and why.
- Audit readiness depends on evidence: inventories, access lists, storage standards, and review records. (NIST SP 800-53 Rev. 5)
The MP-4 requirement looks simple until an assessor asks, “Show me where media lives, who can touch it, and how you know.” MP-4 sits in the NIST SP 800-53 Media Protection (MP) family and focuses on preventing loss, theft, tampering, or unauthorized disclosure by controlling where media is stored and how it is physically protected. (NIST SP 800-53 Rev. 5)
For most organizations, the operational challenge is scope: “media” includes more than backup tapes. It can include removable drives, laptops awaiting disposal, printed reports, shipping packages containing drives, evidence collected for investigations, and third-party-held media associated with your systems. If you handle federal data as a contractor or operate a federal information system, MP-4 is a control you must be able to explain and prove with artifacts, not intentions. (NIST SP 800-53 Rev. 5 OSCAL JSON)
This page translates the requirement into concrete actions: what to store where, how to lock it down, what logs and approvals to keep, and what auditors typically flag. The goal is fast execution with durable evidence.
What MP-4 requires (plain-English interpretation)
MP-4 requires you to physically control and securely store system media in defined, controlled areas. In practice, that means you decide which spaces and containers are approved for storage (rooms, safes, locked cabinets, cages, offsite vaults), restrict access to authorized personnel, and can demonstrate the controls operate consistently. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Think of MP-4 as answering three operational questions:
- What media exists? (types, sensitivity, owners)
- Where is it allowed to be stored? (approved locations and containers)
- Who can access it, and how do you know? (authorization and traceability)
Regulatory text
The first part of NIST’s control statement for MP-4 (MP-4a), with its assignment parameters shown as the OSCAL placeholders, reads:
“Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }}; and” (NIST SP 800-53 Rev. 5 OSCAL JSON)
Operator translation:
- {{ mp-4_prm_1 }} is the assignment for the organization-defined types of digital and/or non-digital media to be controlled. You must define the media types that matter for your system boundary (for example, backups, removable storage, printed exports, evidence media). Anything you leave off that list is out of scope for the control, so the list is itself an assessable decision.
- {{ mp-4_prm_2 }} is the assignment for the organization-defined controlled areas. You must define which rooms/containers qualify and what “controlled” means (locks, badge access, visitor controls, cameras, custody logs).
- The control is assessed on design and operation. A policy without storage maps, access lists, and logs usually fails.
Who it applies to (entity + operational context)
Entity types
- Federal information systems implementing NIST SP 800-53 controls. (NIST SP 800-53 Rev. 5)
- Contractor systems handling federal data (including many regulated service providers and SaaS operators supporting federal workloads). (NIST SP 800-53 Rev. 5 OSCAL JSON)
Operational contexts where MP-4 becomes urgent
- You create or store offline backups (tapes, external drives, cold storage exports).
- You have printed output that contains sensitive records (reports, screenshots, tickets, case files).
- You perform hardware RMA/repairs or maintain “to be wiped” device staging areas.
- You use third parties for offsite storage, shredding, eDiscovery, incident response, or device disposal. MP-4 still expects you to govern where media is stored and how it is protected, even if storage is outsourced.
What you actually need to do (step-by-step)
Use this as an implementation runbook.
1) Define scope: what counts as “media” for your system
Create a media classification list tied to your system boundary:
- Digital removable media: USB drives, external HDD/SSD, SD cards
- Backup media: tapes, removable backup drives, offline backup appliances
- End-user devices treated as media: laptops or phones staging data pending wipe/disposal
- Paper and other non-digital media: printed reports, contracts, case notes
- Badges or cards with embedded data: treat as digital removable media, not as paper
- “Media in transit”: packaged drives shipped to/from data centers or third parties
Deliverable: Media Types Register (owned by IT/Security with Compliance review).
2) Identify where media is stored today (not where it “should” be)
Run a short discovery:
- Walkthroughs of IT closets, print rooms, records rooms, warehouse areas, SOC/IR rooms
- Interviews with teams that generate exports (Finance, HR, Support, Engineering)
- Review third-party contracts for storage/disposal services
Deliverable: Current-State Media Storage Map (locations + what is stored there).
3) Define “controlled areas” and approve storage locations
Document approved storage standards by media type and sensitivity. Examples:
- Backup tapes: stored in locked safe in restricted data center room; access only to Backup Admins
- USB drives (if allowed): stored in locked cabinet; checked out with a custody log
- Printed sensitive reports: stored in locked file cabinets in restricted office area; shred bins for disposal
Deliverables:
- Approved Media Storage Locations List (rooms/containers + control requirements)
- Storage Standard (locks, access method, environmental constraints if relevant, labeling rules)
4) Implement physical access controls and authorization
Operationalize “physically control” with real mechanisms:
- Restrict room access (badge groups, keys, combinations)
- Restrict container access (safe combinations, cabinet keys)
- Establish authorized access roles (least privilege)
- Add visitor controls where media is stored (escort requirements, visitor logs)
Deliverables:
- Access Authorization List (by role/person, with approver)
- Key/Combination Management Procedure (issuance, return, change events)
5) Add traceability: custody and access logging
Assessors commonly ask for evidence that access is controlled in practice. Choose at least one per approved storage location:
- Electronic access logs (badge system reports) for rooms
- Manual sign-out sheets for cabinets/safes
- Chain-of-custody forms for removable media moved between sites/teams
- Ticketing workflow for requesting media retrieval/restoration
Deliverables:
- Media Check-out / Chain-of-Custody Log
- Access Log Review Record (who reviews, how often, what triggers escalation)
6) Align third parties that store or handle your media
If a third party stores backups or handles shredding/disposal:
- Contractually require controlled storage and access controls
- Obtain evidence (SOC reports, facility controls summary, pickup/dropoff logs)
- Define how you validate ongoing performance (periodic review, issue management)
Deliverables:
- Third-Party Media Handling Addendum (contract clauses or security schedule)
- Evidence Intake Procedure (what you request and where you store it)
7) Build recurring evidence so MP-4 stays “on”
MP-4 failures often happen after the initial cleanup, when people revert to convenience. Add operational checks:
- Periodic spot checks of storage areas
- Quarterly access list recertifications for rooms/cabinets
- Exception process: any unapproved storage requires documented approval and compensating controls
Deliverables:
- Inspection Checklist + Results
- Access Recertification Attestations
- Exceptions Register
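The recurring check behind the Access Log Review Record in step 5 and the recertification in step 7 is a reconciliation: every granted entry into a controlled area should be explained by the Access Authorization List, and no entry should come from a terminated badge holder. The script below is an added example written for this page, not code from NIST or from Daydream. The badge-system CSV column names, the door identifiers, the roles, the names and the termination date are all constructed for the example; a real export will need its column names mapped to these.

```python
"""Reconcile a badge-system export against the MP-4 access authorization list.

All names, doors, roles, dates and log lines below are constructed for this
example; they do not come from any real facility or badge system.
"""
import csv
import io
from datetime import date, datetime
from typing import Dict, List, NamedTuple, Set

# Approved controlled areas (from the storage standard) and the roles allowed in each.
CONTROLLED_AREAS: Dict[str, Set[str]] = {
    "DC-ROOM-2": {"backup_admin"},                      # backup tape safe lives here
    "RECORDS-CAGE": {"records_clerk", "backup_admin"},  # locked file cabinets
}

# Access Authorization List: badge holder -> roles granted. The approver is part of
# the real artifact and is omitted here.
AUTHORIZATIONS: Dict[str, Set[str]] = {
    "alice": {"backup_admin"},
    "bob": {"records_clerk"},
    "carol": {"helpdesk"},
}

# HR termination feed: badge holder -> last day. Access on or after this date is a finding.
TERMINATED: Dict[str, date] = {"bob": date(2024, 3, 15)}

# Constructed badge-system export. "denied" rows are attempts, not access.
BADGE_LOG = """timestamp,badge_holder,door,result
2024-03-10T08:02:11,alice,DC-ROOM-2,granted
2024-03-10T09:15:40,carol,DC-ROOM-2,granted
2024-03-12T13:01:05,dave,RECORDS-CAGE,granted
2024-03-18T07:45:00,bob,RECORDS-CAGE,granted
2024-03-18T07:46:30,carol,RECORDS-CAGE,denied
2024-03-19T10:00:00,alice,LOBBY,granted
"""


class Event(NamedTuple):
    when: datetime
    holder: str
    door: str
    granted: bool


class Finding(NamedTuple):
    when: datetime
    holder: str
    door: str
    reason: str


def parse_badge_log(text: str) -> List[Event]:
    """Parse the CSV export into typed events. Malformed rows raise rather than
    being silently dropped, so a truncated export cannot pass as a clean one."""
    events: List[Event] = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(Event(
            when=datetime.fromisoformat(row["timestamp"]),
            holder=row["badge_holder"].strip().lower(),
            door=row["door"].strip(),
            granted=row["result"].strip().lower() == "granted",
        ))
    return events


def reconcile(events: List[Event], areas=CONTROLLED_AREAS,
              authorizations=AUTHORIZATIONS, terminated=TERMINATED) -> List[Finding]:
    """One Finding per granted entry into a controlled area that the authorization
    list does not justify. Doors outside the approved list and denied attempts are
    skipped here; repeated denials are worth a separate review."""
    findings: List[Finding] = []
    for ev in events:
        if ev.door not in areas or not ev.granted:
            continue
        roles = authorizations.get(ev.holder)
        last_day = terminated.get(ev.holder)
        if roles is None:
            reason = "no entry on access authorization list"
        elif last_day is not None and ev.when.date() >= last_day:
            reason = f"badge still active after termination on {last_day.isoformat()}"
        elif not (roles & areas[ev.door]):
            reason = f"roles {sorted(roles)} not authorized for {ev.door}"
        else:
            continue  # authorized access; nothing to record
        findings.append(Finding(ev.when, ev.holder, ev.door, reason))
    return findings


def review_record(findings: List[Finding]) -> Dict[str, int]:
    """Finding counts by controlled area, for the Access Log Review Record."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.door] = counts.get(f.door, 0) + 1
    return counts


if __name__ == "__main__":
    found = reconcile(parse_badge_log(BADGE_LOG))
    for f in found:
        print(f"{f.when.isoformat()} {f.holder:<6} {f.door:<13} {f.reason}")
    print(review_record(found))
```

On the constructed data this flags three events: a helpdesk badge entering the data center room, a badge holder with no authorization entry at all, and a records clerk still badging in three days after termination. The ordering of the checks matters: the termination check runs before the role check so that an ex-employee with a still-valid role is reported as an offboarding failure, which is the finding an assessor will care about most.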
Required evidence and artifacts to retain
Keep artifacts in an audit-ready folder mapped to MP-4 so you can produce them quickly.
Minimum evidence set
- MP-4 procedure (how you store and control media) (NIST SP 800-53 Rev. 5)
- Media Types Register and storage mapping
- Approved storage locations and standards
- Photos or diagrams of storage controls (as allowed by policy)
- Access authorization lists for storage areas
- Access logs or custody logs (samples across time)
- Key/combination issuance records (or equivalent)
- Spot check results and remediation tickets
- Third-party evidence for offsite storage/disposal, where applicable
Daydream tip: Many teams miss evidence continuity. Daydream-style control mapping ties MP-4 to an owner, a repeatable procedure, and a recurring evidence bundle so audits do not turn into archaeology.
Common exam/audit questions and hangups
Expect these in NIST-based assessments:
- “Define media.” Auditors look for coverage of paper, removable media, and backups, not only “tapes.”
- “Show me the controlled area definition.” If “controlled” is vague, your control is hard to assess.
- “Who has access?” They will test least privilege and offboarding hygiene.
- “Prove it operates.” Procedures without logs, inspections, or samples across time create findings.
- “What about third parties?” If offsite vaulting exists, you must show governance and evidence intake.
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails | Fix |
|---|---|---|
| Treating MP-4 as “backup tape storage only” | Paper and removable media remain unmanaged | Build a media register and include business-generated exports |
| Listing a locked room but not controlling keys/badges | Anyone can access despite policy | Maintain an access list, approvals, and periodic recertification |
| No operational evidence | Assessors cannot verify implementation | Keep access log samples, custody logs, and spot check records |
| Ignoring “media in transit” | Loss occurs during moves/shipments | Add chain-of-custody and packaging/hand-off rules |
| Outsourcing storage without verification | You inherit the risk | Contract requirements + periodic evidence collection |
Enforcement context and risk implications
No public enforcement cases were provided in the source data for MP-4, so this section is limited to operational risk. (NIST SP 800-53 Rev. 5 OSCAL JSON)
MP-4 gaps tend to surface as:
- Data exposure after lost or stolen removable media
- Untracked access to backup media enabling ransomware impact or recovery sabotage
- Inability to prove custody during investigations, litigation holds, or incident response
- Audit findings for “policy-only” controls and missing evidence
Practical 30/60/90-day execution plan
Use staged phases rather than arbitrary deadlines. Tailor to your audit date and system criticality.
First 30 days (Immediate stabilization)
- Assign MP-4 control owner and backups (Security + Facilities/IT Ops).
- Publish a media definition and draft Media Types Register.
- Identify current storage locations and flag obvious high-risk areas (unlocked cabinets, shared keys).
- Designate interim approved storage locations for the most sensitive media.
Days 31–60 (Operationalize and document)
- Finalize approved controlled areas and storage standards by media type.
- Implement access restrictions (badge groups, cabinet keys, safe combinations).
- Stand up logging: custody logs for removable media and access log exports for rooms.
- Add third-party requirements for any offsite storage/disposal providers and start evidence intake.
Days 61–90 (Prove operation and harden)
- Run spot checks and document remediation.
- Perform first access recertification for storage areas.
- Test a “media retrieval” scenario end-to-end (who requests, who approves, who accesses, what gets logged).
- Package the evidence set for assessment: policies, maps, access lists, logs, reviews, and exceptions.
Frequently Asked Questions
What counts as “media” under MP-4?
Treat media as any physical or portable form that stores system information, including backups, removable drives, devices awaiting wipe/disposal, and paper records. Define your scope in a Media Types Register and tie each type to an approved storage location. (NIST SP 800-53 Rev. 5 OSCAL JSON)
Do cloud snapshots or object storage count as “media storage” for MP-4?
MP-4 addresses physical control and secure storage of media, so it maps most directly to tangible media and the facilities that hold it. Snapshots and objects that never leave a cloud service sit on the provider’s physical media, so the physical-storage part of MP-4 is normally inherited from the provider and documented as inherited rather than implemented by you. If you export data to offline formats (downloads, portable backups) or store physical devices that contain cloud-sourced data, MP-4 applies to those artifacts directly. (NIST SP 800-53 Rev. 5)
How do we handle shared safes or key cabinets without failing least privilege?
Avoid shared access where possible. If you must share, maintain a named authorized list, require documented check-out/check-in, and rotate combinations or keys on role changes and terminations.
What evidence is usually sufficient to show MP-4 is operating?
Auditors typically accept a combination of approved storage definitions, access authorization lists, and real access/custody logs sampled across time. Add spot check results to show you detect and correct drift.
We use a third party for offsite tape vaulting. What should we ask for?
Get contractual commitments for controlled storage and access controls, plus periodic evidence such as facility control summaries and chain-of-custody records for pickups and returns. Store those artifacts with your MP-4 evidence package.
How do we keep MP-4 from becoming a “one-and-done” cleanup project?
Make it recurring work: schedule access recertifications, run periodic inspections of storage areas, and require an exception process for any nonstandard storage. Keep the outputs in a single evidence folder mapped to MP-4 for audit readiness.