MP-5(3): Custodians
MP-5(3) requires you to assign a named, accountable custodian whenever system media leaves a controlled area, and to run transport as a supervised chain-of-custody activity rather than an informal handoff. Operationalize it by defining what “media” and “controlled areas” mean for you, assigning custodians by role, and retaining transport logs and exception records. [1]
Key takeaways:
- A “custodian” is a specific, identified person (or formally designated role) responsible for media during transport outside controlled areas. [1]
- Your control passes or fails on evidence: documented assignments, chain-of-custody records, and exception handling. [1]
- Scope expands quickly: backups, decommissioned drives, laptops with local data, and third-party courier runs can all trigger the requirement.
The MP-5(3): Custodians requirement is simple to state and easy to fail in practice: if system media goes outside a controlled area, an identified custodian must be employed during transport. [1] Auditors tend to focus less on your policy language and more on whether you can prove who had the media, when they had it, and what safeguards were followed from pickup through delivery.
This requirement shows up in the real world in “normal” operations: shipping encrypted backup drives to an offsite vault, sending failed disks back to a manufacturer, moving evidence media to legal, relocating servers between sites, or handing media to a third party for destruction. Many programs have encryption and secure packaging but still miss MP-5(3) because nobody is explicitly assigned as custodian, chain-of-custody is inconsistent, or courier handoffs are treated as “someone in IT shipped it.”
This page gives requirement-level implementation guidance you can apply immediately: scope decisions, a workable operating procedure, evidence to retain, and the exam questions that usually expose gaps. References are to NIST SP 800-53 Rev. 5. [2]
Regulatory text
Requirement (verbatim): “Employ an identified custodian during transport of system media outside of controlled areas.” [1]
Operator meaning: Anytime system media exits a controlled area, you must (1) designate a custodian and (2) have that custodian actively accountable for the media while it is in transit. “Identified” means you can name the person (or documented on-call role assignment) and show it in records. [1]
Plain-English interpretation
- If media leaves your secure space, it cannot “float” between people, mailrooms, couriers, or third parties without a clearly assigned owner for the trip.
- You need a chain-of-custody mindset: documented handoffs, tamper-evident packaging where applicable, and an exception process when something goes wrong.
- This is a transport control, not just an encryption control. Encryption helps, but MP-5(3) specifically requires a custodian during transport. [1]
Who it applies to
Entity scope:
- Federal information systems and organizations implementing NIST SP 800-53 controls. [2]
- Contractors and other organizations handling federal data and aligning to NIST SP 800-53 in contracts, assessments, or authorization packages. [2]
Operational scope (what triggers it):
- System media: removable drives, backup tapes, portable SSD/HDD, USB media, DVDs, diagnostic media, and any physical storage that can hold system data. Treat laptops and mobile endpoints as “system media” for this purpose when they contain local sensitive data and are physically transported outside controlled areas (common assessor interpretation in practice; document your scope decision).
- Outside of controlled areas: leaving facilities or rooms with access controls you rely on for system/media protection (badge-controlled offices, data centers, secure cages, evidence lockers). Define this explicitly in your policy so staff can act consistently.
What you actually need to do (step-by-step)
Step 1: Define scope boundaries you can audit
Create short, explicit definitions in your media handling standard:
- What counts as “system media” in your environment.
- What locations qualify as “controlled areas.”
- Which transports are in-scope (between buildings, to offsite storage, to third-party repair, to destruction vendor, to legal hold, to disaster recovery site).
Deliverable: Media Transport & Custodian Standard mapped to MP-5(3). [1]
Step 2: Designate custodian roles and assignment rules
You need two layers:
- Standing ownership: a team or role accountable for the process (for example, IT Asset Management or SecOps).
- Trip-level custodian: the named person on a specific transport.
Rules that work operationally:
- Assign custodianship to the person who physically carries the media, or to a responsible employee who accompanies it and documents all handoffs.
- If a third-party courier is involved, your custodian remains accountable for initiation, packaging, documented handoff, tracking, and receipt confirmation (and for escalating exceptions). Do not treat the courier as the custodian unless your program explicitly designates that arrangement and you can evidence it.
Deliverable: RACI for media transport (Requester, Approver, Custodian, Receiver, Security oversight).
Step 3: Implement chain-of-custody procedures
Use a repeatable checklist. Minimum process elements to document:
- Request/ticket created with media identifier(s) and reason for transport.
- Approval step (risk-based; at minimum for sensitive media).
- Custodian assignment captured before departure.
- Packaging method (tamper-evident seals if used; container ID).
- Handoff record (from whom, to whom, time, location).
- Shipment tracking number (if shipped).
- Receipt confirmation by the receiving party, including seal verification when applicable.
- Post-transport closeout (custodian confirms completion; exceptions logged).
Deliverable: Chain-of-custody form or workflow (paper or electronic) that produces immutable records.
Step 4: Handle exceptions like an incident, not a delay
Define what triggers escalation:
- Lost package, broken seal, tracking anomaly, missed delivery window, wrong recipient, or undocumented handoff.
Your exception SOP should specify:
- Who to notify (Security, Privacy, Contracting as needed).
- How to preserve evidence (photos of packaging/seals, carrier logs, ticket history).
- When to open an incident record and perform impact analysis.
Deliverable: Media Transport Exception Procedure aligned to your incident response process.
Step 5: Train the people who actually ship things
Targeted training beats broad awareness:
- IT operations staff who move gear.
- Data center technicians.
- Asset disposal coordinators.
- Anyone who ships returns (RMA) to manufacturers.
- Mailroom/logistics staff if they touch outbound packages.
Training completion is evidence, but assessors will still ask for transaction records that show behavior matches training.
Step 6: Operational monitoring and periodic testing
Add light oversight:
- Sample recent transports and confirm every record has a custodian identified.
- Reconcile shipping receipts with chain-of-custody logs.
- Review exceptions and confirm closure actions.
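One way to put the Step 3 checklist and the Step 6 sampling checks into a form you can run over your transport records, as an added example that is not from the page or from any product it mentions; the record field names, the generic-team list and the two sample records are constructed assumptions, so adapt them to your own form:

```python
# Added example, not from the page: record checks for the MP-5(3) chain-of-custody
# workflow in Steps 3 and 6. Field names, the generic-team list and the sample
# records are constructed assumptions; adapt them to your own transport form.

# Labels that are not an "identified" custodian (a team, not a person or on-call role).
GENERIC_CUSTODIANS = {"", "it", "it ops", "secops", "helpdesk", "tbd"}
REQUIRED_BEFORE_DEPARTURE = ("ticket_id", "media_ids", "custodian", "destination")


def may_depart(rec):
    """'No custodian, no shipment' gate, run before media leaves the controlled area."""
    problems = [f"missing {f}" for f in REQUIRED_BEFORE_DEPARTURE if not rec.get(f)]
    if str(rec.get("custodian", "")).strip().lower() in GENERIC_CUSTODIANS:
        problems.append("custodian is a generic team, not an identified person")
    return (not problems, problems)


def closeout_findings(rec):
    """Step 6 sampling check on a closed transport: custodian, receipt, tracking, seals, handoffs."""
    findings = list(may_depart(rec)[1])
    if not rec.get("receipt_confirmed_by"):
        findings.append("no receipt confirmation")
    if rec.get("shipped_via_carrier") and not rec.get("tracking_number"):
        findings.append("carrier used but no tracking number")
    seal_out, seal_in = rec.get("seal_id_out"), rec.get("seal_id_in")
    if seal_out and seal_in != seal_out:
        findings.append(f"seal mismatch: out={seal_out} in={seal_in}")
    for h in rec.get("handoffs", []):
        if not all(h.get(k) for k in ("from", "to", "time", "location")):
            findings.append("incomplete handoff entry")
    return findings


def review_sample(records):
    """Map ticket_id -> findings for every record that needs exception follow-up."""
    return {r.get("ticket_id", "?"): fs for r in records if (fs := closeout_findings(r))}


# Constructed sample records: one clean transport and one that would fail an assessment.
SAMPLE = [
    {"ticket_id": "T-1001", "media_ids": ["TAPE-0042"], "custodian": "J. Doe (DC Tech)",
     "destination": "Offsite vault", "shipped_via_carrier": True,
     "tracking_number": "TRK-CONSTRUCTED-001", "seal_id_out": "S-771", "seal_id_in": "S-771",
     "receipt_confirmed_by": "Vault clerk",
     "handoffs": [{"from": "J. Doe", "to": "Courier", "time": "2024-05-01T09:00", "location": "Dock A"}]},
    {"ticket_id": "T-1002", "media_ids": ["SSD-0199"], "custodian": "IT", "destination": "RMA",
     "shipped_via_carrier": True, "tracking_number": None, "seal_id_out": "S-772",
     "seal_id_in": "S-790", "receipt_confirmed_by": None, "handoffs": []},
]

if __name__ == "__main__":
    for ticket, findings in review_sample(SAMPLE).items():
        print(ticket, "->", "; ".join(findings))
```

Each finding maps to one of the exception triggers in Step 4, so the output of `review_sample` is the list of transports that should be logged as exceptions rather than closed.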
Daydream note: If you struggle to keep mappings, owners, procedures, and recurring evidence organized, Daydream can track MP-5(3) to a control owner and evidence requests so you can produce a clean audit packet on demand. [1]
Required evidence and artifacts to retain
Auditors typically accept a mix of policy, procedure, and transaction evidence. Build an “MP-5(3) packet” with:
Governance artifacts
- Media Transport & Custodian Standard (with definitions and scope).
- Chain-of-custody procedure/checklist.
- RACI and role assignments for custodianship.
- Training materials and completion records for in-scope staff.
Operational artifacts (the pass/fail layer)
- Chain-of-custody logs for a sample of transports (tickets/forms).
- Shipping receipts, carrier tracking screenshots, or delivery confirmations tied to the log.
- Tamper-evident seal records (seal IDs) and receipt-side verification notes, if used.
- Exception records (lost/delayed shipments) with investigation and closure notes.
Retention: align to your organization’s evidence retention standard and any contract requirements; consistency matters more than the specific duration if your program is otherwise silent.
Common exam/audit questions and hangups
Expect these questions from assessors testing the MP-5(3): Custodians requirement:
- “Show me how you ensure an identified custodian for media leaving controlled areas.” They want records that name the custodian, not a generic team.
- “What is your controlled area definition, and how do staff know when MP-5(3) applies?” If you cannot define the boundary, staff cannot comply consistently.
- “How do you handle media shipped by third parties?” Auditors probe courier workflows because handoffs often lack documentation.
- “Give examples from the last few transports.” If you cannot produce recent chain-of-custody examples quickly, the control will be scored as not implemented or not operating effectively.
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails MP-5(3) | Fix |
|---|---|---|
| Relying on encryption alone | MP-5(3) requires an identified custodian during transport. [1] | Keep encryption, add custodian assignment + chain-of-custody logs. |
| “IT” listed as custodian | Not “identified” at person/role-assignment level | Record a named custodian or documented on-call assignment per trip. |
| No defined controlled areas | Scope becomes arbitrary | Publish a controlled area list (rooms/sites) and decision rules. |
| Courier handoffs without documentation | Breaks chain-of-custody | Require handoff signoff + tracking + receipt confirmation tied to the transport record. |
| Destruction vendor is treated as end-to-end owner | You lose accountability at the riskiest point | Keep internal custodian accountable through pickup and receipt at destination. |
Risk implications (why operators treat this as more than paperwork)
Uncustodied transport creates predictable failure modes: loss, substitution, unauthorized access, and inability to prove integrity of media. Even with strong encryption, you still face operational and legal exposure: inability to show control effectiveness, incident response delays, and contractual noncompliance when federal data handling clauses reference NIST controls. The practical risk factor called out for this control is missing implementation evidence. [1]
Practical 30/60/90-day execution plan
First 30 days (stabilize and define)
- Publish controlled area and system media definitions for your environment.
- Assign a control owner and draft the custodian/transport SOP.
- Stand up a chain-of-custody template (ticket workflow or form) and require it for all new transports outside controlled areas.
- Identify all transport pathways (offsite storage, RMA, disposal, interoffice moves) and force them through the same record system.
Days 31–60 (operate and collect evidence)
- Train the specific teams that ship or carry media.
- Run the SOP in production and collect completed chain-of-custody records.
- Implement exception logging with clear escalation triggers and ownership.
- Perform a small internal review of recent transports for missing custodian fields or missing receipts.
Days 61–90 (prove repeatability)
- Expand sampling and reconcile logs to shipping/receiving data.
- Tune the workflow so “custodian identified” is mandatory before shipment can proceed.
- Package your evidence: policy, procedure, role assignments, and representative transport records.
- Add a recurring control check (monthly/quarterly) based on transport volume and risk.
Frequently Asked Questions
Does MP-5(3) require the custodian to physically accompany the media?
The text requires an identified custodian “during transport” outside controlled areas. [1] Many programs meet this by assigning a custodian accountable for the trip who documents all handoffs, even when a carrier performs the physical movement.
If media is encrypted, can we skip the custodian requirement?
No. MP-5(3) is explicit about employing an identified custodian during transport outside controlled areas. [1] Encryption can reduce impact, but it does not replace custodianship and chain-of-custody records.
What counts as “system media” for MP-5(3)?
NIST’s control language is broad, so you must define “system media” in your standard and apply it consistently. [1] Include removable storage and backup media at minimum, and document your decision for endpoints that store sensitive data locally.
Can a third-party courier be the custodian?
You can involve couriers, but you still need an identified custodian accountable for transport outside controlled areas. [1] If you designate couriers in any custodial capacity, document the arrangement and keep auditable handoff and receipt evidence.
What evidence do auditors usually ask for first?
They usually ask for recent transport examples that show the custodian’s name, dates/times, handoffs, and receipt confirmation. The policy helps, but transaction records determine whether the control operates. [1]
How do we operationalize this without slowing down IT operations?
Put custodianship into the existing ticketing/shipping workflow with required fields (media ID, custodian, destination, receipt). Make “no custodian, no shipment” the operational rule, and keep the form short enough that teams will complete it correctly.
Footnotes
1. NIST SP 800-53 Rev. 5 OSCAL JSON.
2. NIST SP 800-53 Rev. 5.