How do I get "MPAA certified"?
The MPAA Content Security Program is not a certification or accreditation program. The program is an “assessment” or “inspection” of the facility. Content Security Reports are viewed as a basis for individual discussions between an MPAA Member and its vendors about security at their facility.
How do I get a facility assessed?
A facility may make a request for an assessment directly to MPAA. The cost of the assessment is the responsibility of the vendor. A separate agreement is signed for this option and pre-payment is required. Inquiries for this process are explained here.
Is the report valid for a specific time?
The Content Security Report is a snapshot of security as of the specific date of the assessment. As such, it is not valid over a period of time.
Who gets a copy of the report?
The Content Security Report is distributed only to the MPAA and to authorized individuals at each of its Members and their subsidiaries and affiliates. The vendor receives a copy of the final Content Security Report for their records.
What types of facilities are inspected? Are there limitations on who can be assessed?
Facilities that currently handle or will handle content on behalf of MPAA Members are candidates to participate. Generally, facilities should be operational and not in pre-production or planning because the assessment is designed to validate controls in place. Facilities assessed to date include visual effects houses, digital cinema, replication/distribution, video-on-demand, various post-production specialists, and application and cloud providers.
What is the typical timeline for this process?
It may take up to two months to complete the process. Typically, the greatest delays happen during the initial pre-site coordination and scheduling. Once the on-site visit occurs, there is a one-month performance standard to disseminate the final Content Security Report to the MPAA and its Members.
Is my facility required to implement all of the best practices presented?
Compliance with best practices is strictly voluntary. They are suggested guidelines to consider when planning, implementing and modifying security procedures.
If my facility offers multiple services (e.g., film lab and post-production), what set of supplemental best practices should I apply?
Facilities should always apply the more restrictive set of best practices unless the work processes are separated from each other, in which case, you should reference Appendix C of the Best Practices Common Guidelines for the security controls applicable for each facility type.
Is my facility required to apply all items included in the "Implementation Guidance" section of the best practices?
No. Information contained in this section of the guidelines is intended to assist you in determining the best way to structure a particular security control. If your facility has a site assessment conducted by the MPAA, our assessment will only compare your facility's practices against the respective best practice section of the guidelines at a given point in time.
What if my current system does not allow for the implementation of best practices?
Please contact the respective systems vendor in order to identify possible solutions to enable systems to follow best practices. Solutions can include patching, updating the version or even changing to a more secure system. Alternative security measures can also be used if technical limitations prevent the implementation of best practices; however, these are normally not considered to cover the associated risks. Exceptions to the implementation of security guidelines due to system limitations should be formally documented and approved by your clients.
When applying best practices in this guideline, will my facility still need to comply with security requirements set individually by an MPAA Member?
The implementation of best practices is a guideline and does not supersede specific contractual provisions with an individual MPAA Member. Decisions regarding the use of vendor(s) by any particular Member are made by each Member solely on a unilateral basis. The MPAA encourages you to use the best practices as a guideline for future discussions around security with your clients.