MP-5: Media Transport
To meet the MP-5: Media Transport requirement, you must protect and control system media any time it leaves a controlled area by using defined physical and procedural safeguards (for example, approved couriers, tamper-evident packaging, encryption, and chain-of-custody tracking), then retain evidence that the transport was authorized and monitored. This is a “prove it” control: design is not enough without repeatable records.
Key takeaways:
- Treat “outside controlled areas” as a trigger for stricter handling, approval, and tracking.
- Standardize transport methods (who can move media, how it’s packaged, how it’s logged, and how incidents are handled).
- Build an evidence trail: authorizations, inventory, chain-of-custody, and receipt confirmation.
MP-5 sits in the NIST SP 800-53 Media Protection family and targets a common failure mode: removable media and other forms of system media get lost, stolen, or mishandled during movement between sites, offices, data centers, labs, employee homes, third parties, and destruction vendors. The control is narrow but operationally heavy because it spans IT, security operations, facilities, shipping/receiving, and third parties.
For a Compliance Officer, CCO, or GRC lead, the fastest path to operationalizing MP-5 is to define three things clearly: (1) what counts as “media” in your environment, (2) what you consider a “controlled area,” and (3) which transport protections are mandatory based on media type and data sensitivity. Once those definitions exist, MP-5 becomes a workflow problem: approve, package, encrypt when required, track custody, confirm receipt, and handle exceptions.
Assessors typically look for consistency: the same rules applied across teams, documented approvals, and logs that match reality. Your biggest risk is not a missing paragraph in a policy; it’s ad hoc movement (especially by staff or third parties) with no record, no tamper protection, and no accountability.
What MP-5 requires (plain-English interpretation)
MP-5 requires you to protect and control system media during transport outside controlled areas using organization-defined safeguards. The regulatory excerpt is explicit about the trigger condition (transport outside controlled areas) and the expectation (protect and control using defined methods). 1
In practice, “protect and control” means:
- Protection: reduce the chance the media is accessed, copied, altered, substituted, or destroyed while in transit (examples: encryption, locked containers, tamper-evident seals).
- Control: maintain accountability and traceability (examples: authorization, inventory logging, chain-of-custody, receipt confirmation).
You do not have to use one universal method for every situation. You do need a defined, repeatable set of transport protections that matches your risk and is consistently followed.
Regulatory text
“Protect and control [organization-defined system media] during transport outside of controlled areas using [organization-defined controls].” 1
In Rev. 5 this is part (a) of MP-5; parts (b) through (d) additionally require maintaining accountability for media during transport outside controlled areas, documenting transport activities, and restricting those activities to authorized personnel. The operator translation below folds all four parts in.
Operator translation (what you must do):
- Decide what media types are in scope (your “organization-defined system media”).
- Define what locations are “controlled areas.”
- Specify the approved transport safeguards for each media type and scenario.
- Execute transport only through approved methods with documented authorization and tracking.
- Keep records that show the process ran as designed.
Who it applies to (entity and operational context)
Entities:
- Federal information systems and contractor systems handling federal data commonly implement NIST SP 800-53 controls as part of their security program. 2
Operational contexts where MP-5 becomes real work:
- Backup tapes or removable drives moved to offsite storage.
- Evidence media for incident response moved to a lab or external forensic partner (third party).
- Hardware shipments that contain storage (laptops, servers, network appliances with persistent memory).
- Media sent to repair, RMA, or disposal providers (third parties).
- Staff carrying removable media between buildings, campuses, or home and office.
- Cloud operations still implicate MP-5 whenever physical media is used for migration or backup (for example, encrypted drives shipped to a provider by courier).
What you actually need to do (step-by-step)
Step 1: Define “media” and “controlled areas”
Create a short scoping statement that your teams can apply without debate:
- Media in scope: removable media (USB, external SSD/HDD), backup tapes, optical media, mobile devices with storage, and any device being shipped that contains persistent storage.
- Controlled areas: spaces where you enforce physical access controls and monitoring (badge access, visitor logs, cages, locked rooms). Document examples and non-examples.
Deliverable: a one-page MP-5 scope addendum referenced by your media handling standard.
Step 2: Set transport requirements by scenario (a simple decision matrix)
Build a matrix that ties media type + data classification + destination to required safeguards. Keep it implementable. Example structure:
| Scenario | Minimum safeguards | Who can approve | Tracking requirement |
|---|---|---|---|
| Media leaves controlled area for internal site transfer | Tamper-evident packaging; locked container if feasible | Data owner or IT manager | Chain-of-custody log + receipt |
| Media goes to a third party | Tamper-evident packaging; approved courier; encryption where required by policy | Security + procurement (or TPRM) | Chain-of-custody + courier tracking + third-party receipt |
| Media sent for disposal/destruction | Locked container; approved destruction vendor | Security | Pickup log + certificate of destruction + reconciliation |
Your matrix is where you “fill in” the organization-defined protections referenced by MP-5. 1
Step 3: Implement a transport workflow (authorization → packaging → handoff → receipt)
Operationalize with a ticket-based or form-based process:
- Request: transporter submits request with media ID(s), data classification, origin/destination, reason, and proposed method.
- Approve: required approver signs off based on the matrix.
- Prepare: inventory record updated; encryption status verified (if required); tamper-evident seal number recorded.
- Handoff: custody changes documented (date/time, from/to, signatures or authenticated system log entry).
- Track: courier tracking number recorded; exceptions handled if delays or route changes occur.
- Receive and reconcile: recipient confirms seal intact, logs receipt, and reconciles against inventory.
Tip for speed: If you already have ITSM, implement MP-5 as a request type with mandatory fields and an approval chain.
Step 4: Control third-party transports explicitly
Where a third party touches media (courier, offsite storage, destruction provider, repair depot), your due diligence should confirm:
- Their chain-of-custody practices.
- Packaging and tamper protections.
- Incident notification for loss or suspected compromise.
- Proof artifacts (receipts, tracking, destruction certificates).
This is a common seam between third-party risk management and media protection. If your contracts are silent, MP-5 becomes hard to evidence.
Step 5: Train the humans who actually move media
Keep training role-based and short:
- Shipping/receiving: packaging, seal logging, prohibited methods.
- IT operations: encryption verification, inventory updates.
- Facilities/security: escort or handoff rules.
- Staff: explicit prohibition on informal transport.
Step 6: Build monitoring and exception handling
Define what triggers an incident or exception:
- Missing receipt confirmation.
- Broken or mismatched tamper seal.
- Courier delivery exceptions.
- Inventory discrepancies.
Then define what happens next (security review, incident ticket, notification, containment steps).
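The Step 3 workflow (authorization → packaging → handoff → receipt) and the Step 6 exception triggers can be enforced mechanically by replaying each transport's custody events and flagging any record that does not close cleanly. The check below is an added example written for this page; it is not code from NIST, from the page's author, or from any product mentioned here. The record schema, party names, media IDs, seal numbers and dates are constructed for illustration, and the three-day transit limit is an assumed policy value.

```python
"""Chain-of-custody reconciliation for media transports (added example).
Assumed record shape (hypothetical, not a product or standard schema): one
Transport per MP-5 transport ticket carrying the approval, the seal number
recorded at packaging, the ordered custody events, and where the media
inventory currently places the item. reconcile() replays the chain and
reports the exception triggers: missing approval, custody gap, seal
mismatch, courier exception, missing receipt, inventory discrepancy."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class CustodyEvent:
    when: datetime
    kind: str                   # "handoff", "courier_scan", or "receipt"
    from_party: str
    to_party: str
    seal: Optional[str] = None  # seal number the receiving party observed, if checked
    note: str = ""              # free text, e.g. courier status


@dataclass
class Transport:
    record_id: str
    media_id: str
    destination: str
    approver: Optional[str]      # None means the request was never approved
    seal_applied: Optional[str]  # seal number recorded at packaging
    events: List[CustodyEvent]
    inventory_location: str      # where the media inventory currently places the item
    max_transit: timedelta = timedelta(days=3)  # assumed policy value


def reconcile(t: Transport, now: datetime) -> Tuple[str, List[str]]:
    """Return (status, issues). Status is "pending", "in_transit", "received",
    or "exception" whenever at least one trigger fired."""
    issues: List[str] = []
    if not t.approver:
        issues.append("missing approval")
    if not t.seal_applied:
        issues.append("no tamper-evident seal recorded at packaging")

    holder = None  # party that last took custody
    for i, ev in enumerate(t.events):
        if i and ev.when < t.events[i - 1].when:
            issues.append(f"events out of order at {ev.kind}")
        if holder is not None and ev.from_party != holder:
            issues.append(f"custody gap: {holder} held the media but {ev.from_party} handed it off")
        holder = ev.to_party
        if ev.seal is not None and t.seal_applied and ev.seal != t.seal_applied:
            issues.append(f"seal mismatch at {ev.kind}: expected {t.seal_applied}, observed {ev.seal}")
        if ev.kind == "courier_scan" and "exception" in ev.note.lower():
            issues.append(f"courier delivery exception: {ev.note}")

    receipts = [e for e in t.events if e.kind == "receipt"]
    if receipts:
        receipt = receipts[-1]
        if receipt.to_party != t.destination:
            issues.append(f"received by {receipt.to_party}, expected {t.destination}")
        if receipt.seal is None:
            issues.append("recipient did not record seal verification")
        if t.inventory_location != t.destination:
            issues.append(f"inventory discrepancy: inventory says {t.inventory_location}, "
                          f"receipt says {t.destination}")
        status = "received"
    elif t.events and now - t.events[0].when > t.max_transit:
        issues.append(f"missing receipt confirmation: departed {t.events[0].when:%Y-%m-%d}, overdue")
        status = "in_transit"
    else:
        status = "in_transit" if t.events else "pending"
    return ("exception" if issues else status), issues


NOW = datetime(2024, 6, 10, 9, 0)  # constructed review time
T0 = datetime(2024, 6, 7, 8, 0)    # constructed departure time


def sample_transports() -> List[Transport]:
    """Constructed records: clean, tampered, unapproved and overdue, and still in transit."""
    clean = Transport("MT-1001", "TAPE-0042", "Offsite Vault", "j.doe", "SEAL-778812", [
        CustodyEvent(T0, "handoff", "IT Ops", "Courier A", seal="SEAL-778812"),
        CustodyEvent(T0 + timedelta(hours=6), "courier_scan", "Courier A", "Courier A", note="in transit"),
        CustodyEvent(T0 + timedelta(days=1), "receipt", "Courier A", "Offsite Vault", seal="SEAL-778812"),
    ], inventory_location="Offsite Vault")
    tampered = Transport("MT-1002", "SSD-0007", "Forensics Lab", "sec.lead", "SEAL-778813", [
        CustodyEvent(T0, "handoff", "IR Team", "Courier B", seal="SEAL-778813"),
        CustodyEvent(T0 + timedelta(days=1), "courier_scan", "Courier B", "Courier B",
                     note="Exception: address change requested by recipient"),
        CustodyEvent(T0 + timedelta(days=2), "receipt", "Courier B", "Forensics Lab", seal="SEAL-778831"),
    ], inventory_location="IR Evidence Locker")
    overdue = Transport("MT-1003", "HDD-0101", "Repair Depot", None, "SEAL-778814", [
        CustodyEvent(T0 - timedelta(days=5), "handoff", "IT Ops", "Courier A", seal="SEAL-778814"),
    ], inventory_location="IT Ops")
    fresh = Transport("MT-1004", "USB-0311", "Site B", "it.mgr", "SEAL-778815", [
        CustodyEvent(NOW - timedelta(hours=2), "handoff", "Site A IT", "Courier A", seal="SEAL-778815"),
    ], inventory_location="Site A")
    return [clean, tampered, overdue, fresh]


def review(transports: List[Transport], now: datetime) -> dict:
    """Map record_id -> (status, issues); "exception" entries are what gets routed to SecOps."""
    return {t.record_id: reconcile(t, now) for t in transports}


if __name__ == "__main__":
    for rid, (status, issues) in review(sample_transports(), NOW).items():
        print(rid, status, *[f"\n    - {i}" for i in issues])
```

Running this on the constructed records flags MT-1002 for a courier exception, a seal mismatch at receipt and an inventory discrepancy, and MT-1003 for a missing approval and an overdue receipt, while MT-1001 closes cleanly and MT-1004 is simply in transit. In an ITSM implementation the same checks run on ticket state; the point is that every trigger in this step is decidable from the fields the Step 3 workflow already captures, so a transport with no seal number or no receipt cannot quietly pass.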
Required evidence and artifacts to retain
Assessors will expect you to show both design and operation. Keep artifacts that map to the workflow:
Design artifacts
- Media handling/transport standard referencing MP-5 and defining media + controlled areas. 2
- Transport decision matrix (approved methods by scenario).
- Third-party contract clauses or addenda covering custody, incident notice, and destruction evidence (where applicable).
Operational artifacts
- Media inventory with unique identifiers and current custody/location.
- Transport requests and approvals (tickets/forms).
- Chain-of-custody logs (handoff records).
- Courier tracking numbers linked to transport records.
- Receipt confirmations (destination sign-off) and reconciliation notes.
- Exception/incident tickets related to transport issues.
- Certificates of destruction for disposed media (where applicable).
Practical tip: Evidence is easiest when each transport has a single record ID tying request, approval, seal number, tracking, and receipt together.
Common exam/audit questions and hangups
Expect these lines of inquiry:
- “Define ‘controlled area’ for your organization. How is that enforced?” 1
- “What media types are covered? Does this include laptops being shipped for repair?”
- “Show me three recent media transports outside controlled areas and the custody trail for each.”
- “How do you ensure third parties follow equivalent controls?”
- “What happens when a shipment is delayed or a seal is broken?”
- “How do you reconcile media inventory with transport logs?”
Hangup pattern: teams have a policy, but cannot produce transport records that match it.
Frequent implementation mistakes (and how to avoid them)
- Mistake: no clear definition of “media.” Fix: publish a scoped list and include “devices shipped with persistent storage.”
- Mistake: controlled areas are implied, not documented. Fix: document them and tie them to physical access controls (badges, locks, visitor procedures).
- Mistake: chain-of-custody exists only for some teams. Fix: make chain-of-custody mandatory for all out-of-area movement; automate it in ITSM.
- Mistake: third-party movement is treated as “their problem.” Fix: contract for custody controls and require proof (receipts, tracking, destruction certificates).
- Mistake: evidence scattered across email threads. Fix: use a single system of record (ticket plus attachments) and a naming convention for media IDs.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for MP-5, so you should treat this as an assessment and assurance control rather than one tied to a specific published penalty in the provided materials.
Operationally, the risk is straightforward: lost or stolen media can create confidentiality breaches, integrity concerns (tampered evidence or corrupted backups), and availability impacts (missing recovery media). MP-5 reduces the chance of loss and increases your ability to prove what happened.
A practical 30/60/90-day execution plan
The goal is fast operationalization without overengineering.
First 30 days (stand up the minimum viable process)
- Assign a control owner and backup owner for MP-5.
- Publish definitions: in-scope media and controlled areas.
- Implement a basic transport request form/ticket with required fields (media ID, origin/destination, approver, method).
- Start a chain-of-custody log template and require it for any out-of-area movement.
- Identify third parties involved in media transport, storage, repair, or destruction; inventory contracts.
By 60 days (standardize and close third-party gaps)
- Release a transport decision matrix with approved methods by scenario.
- Add tamper-evident seal logging and receipt confirmation as required fields.
- Update third-party contract language or add operational addenda for custody tracking and incident notification.
- Train shipping/receiving and IT operations on the workflow.
- Run a tabletop exercise for a “lost media in transit” scenario and capture lessons learned.
By 90 days (evidence readiness and monitoring)
- Perform a sample-based internal review: pick recent transports and verify end-to-end evidence (approval → handoff → receipt).
- Add exception triggers (missing receipt, delayed shipment, broken seal) and route them to security operations.
- Create a recurring evidence package for assessors (policy, matrix, sample tickets, sample custody logs, third-party proofs).
- If you use Daydream for GRC workflow, map MP-5 to an owner, a documented procedure, and recurring evidence tasks so the evidence packet builds itself over time. 1
Frequently Asked Questions
Does MP-5 apply to laptops and mobile devices being shipped?
It applies if the device contains system media or persistent storage and the shipment leaves controlled areas. Treat “hardware with storage” as in-scope media and require authorization, tracking, and receipt confirmation.
What counts as “transport outside controlled areas”?
Any movement where physical access controls and monitoring are no longer enforced by your organization. Document your controlled areas and treat everything else as “outside” to avoid arguments during audits. 1
Do we need encryption to meet MP-5?
MP-5 requires you to use organization-defined safeguards; encryption is a common safeguard but not the only one. Decide when encryption is mandatory based on data classification and record that requirement in your transport matrix. 1
How do we handle third-party couriers and offsite storage providers?
Put custody expectations in contracts or operational addenda and require evidence such as tracking numbers, signed receipts, and documented handoffs. Your assessor will still expect you to show you controlled the process, even if a third party performs steps.
What evidence is most likely to fail an audit for MP-5?
Missing chain-of-custody and missing receipt confirmation are the fastest ways to fail. If you cannot tie a transport to an approval and a verified handoff/receipt, you will struggle to demonstrate control operation.
Can we manage MP-5 with spreadsheets, or do we need a tool?
Spreadsheets can work for low volume, but they often break on approvals, version control, and evidence collection. A ticketing workflow or GRC workflow is easier to audit because each transport has a single record with attachments and timestamps.
Footnotes
1. NIST SP 800-53 Rev. 5, control MP-5 (Media Transport), OSCAL JSON.