NIST 800-53 REV 5 • MEDIA PROTECTION
MP-4(2) — Automated Restricted Access
Restrict access to media storage areas and log access attempts and access granted using [Assignment: organization-defined automated mechanisms].
Supplemental Guidance
Automated mechanisms include keypads, biometric readers, or card readers on the external entries to media storage areas.
Practitioner Notes
This enhancement requires automated access controls for media storage areas, combined with access logging. The system itself must record who accessed the media storage and when, without relying on manual sign-in sheets.
Example 1: Install a badge reader with audit logging on your media storage room door. Configure the system to log every access attempt (successful and failed) and forward those logs to your SIEM. Review access logs weekly and investigate any unauthorized access attempts.
Example 2: For digital media, configure file share auditing in Windows. Enable the Audit Object Access policy through GPO and set SACLs on folders containing sensitive media. Forward audit events (Event IDs 4663, 4656) to your SIEM for monitoring and alerting.
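The Windows configuration in Example 2, written out as an added example that is not part of the original control text. The folder path and the audited principal are assumptions; on domain members the audit policy itself belongs in a GPO, as Example 2 says, and the `auditpol` line is only the local equivalent.

```powershell
#Requires -RunAsAdministrator
# Assumed values: replace with your media folder and the principal to audit.
$Path      = 'D:\Shares\SensitiveMedia'
$Principal = 'Everyone'

# 1. Enable success and failure auditing for the File System subcategory.
#    On domain members set this in a GPO (Advanced Audit Policy) instead,
#    otherwise a policy refresh can overwrite the local setting.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry that audits reads, writes, deletes and permission
#    changes on the folder and everything beneath it.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$audit   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($Principal, $rights, $inherit, $prop, $audit)

$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Confirm the audit rule is present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 4. Weekly review: list 4656 (handle requested) and 4663 (access attempted)
#    events for the folder, with the audit result, account and access mask.
$filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data.ObjectName -like "$Path*") {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            EventId = $evt.Id
            Result  = ($evt.KeywordsDisplayNames -join ',')
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Mask    = $data.AccessMask
        }
    }
} | Sort-Object Result, Time | Format-Table -AutoSize
```

Rows whose Result is Audit Failure are the denied attempts the control asks you to log; the same fields are what a SIEM rule on the forwarded events would key on.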