Motion Picture Association (MPA)

MPA overview

The Motion Picture Association (MPA) provides content protection best practices and control frameworks to help major studio partners and vendors design infrastructure and solutions to ensure the security of digital film assets.

The Trusted Partner Network (TPN) is a new, global, industry-wide film and television content production initiative. It was launched in 2018 by the MPA and the Content Delivery & Security Association (CDSA), the worldwide leaders in third-party entertainment industry assessments. The TPN program helps companies prevent leaks, breaches, and hacks of movies and television shows prior to their intended release. The TPN is owned and managed by the MPA. The TPN has been developed to help the industry improve content security, simplify assessments, and enable content owners to gauge their level of conformance to the MPA content security best practices.

Note

Since launching the TPN, MPA has ceased their individual security assessment programs to focus on managing and developing the TPN program and TPN annual assessments. Past audits or assessments will remain valid for the period originally indicated but won't be renewable within their individual programs. The primary focus for the MPA is to provide a unified assessment program through the TPN.

The MPA continues to maintain and update their content security best practices. The TPN assessment doesn't provide a “pass/fail” grade, certification, or rating. It provides an assessment of a facility’s security preparedness for conformance with the MPA content security best practices.

Azure and MPA

In February 2016, Microsoft Azure became the first hyper-scale, multi-tenant cloud services platform to successfully complete a formal assessment by independent MPA auditors, and comply with all three of the MPA content security best practices frameworks: Common, Application, and Cloud Security Guidelines.

The MPA assessment covers 48 security topics in the Common Guidelines and an additional six in the Application and Cloud Security Guidelines. These topics are built on industry-accepted security standards such as ISO/IEC 27001 and NIST SP 800-53, and are aligned to industry best practices, such as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).

The formal assessment of Azure compliance means that companies who do business with major studios can use Azure to help reduce the IT costs that are normally associated with the secure creation, management, storage, and distribution of content while complying with MPA requirements. Azure Media Services, Storage, Virtual Network, and more than 30 other services provide a content workflow engine in the cloud that you can use to build secure and scalable production processes while protecting media assets downstream.

Azure has released guidance documentation to help you implement your solutions that meet MPA security best practices.

Guidance documents

You can download the following guidance documents from the Service Trust Portal (STP) Data Protection Resources - Compliance Guides section:

You must sign in to compliance reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.

Additional guidance documents are available:

Frequently asked questions

Why are the MPA best practices important?
Content security is critical for feature film development as there are multiple points along the workflow where digital assets could be compromised or stolen. Dailies, rough cuts, and visual effects are just some of the materials exposed during a normal production cycle, and the box office impact of a security breach on a blockbuster project can reach tens of millions of dollars.

MPA guidelines provide major studio vendors and partners with a set of best practices for creating, processing, storing, and distributing digital assets. Cloud service platforms such as Azure can provide an extra layer of assurance that content uploaded to the cloud will be managed in accordance with established industry requirements for encryption, authentication, access control, resiliency, and others.

Does my organization still need to undergo a TPN assessment, or can we rely on Azure MPA assessments?
Production facilities, visual effects houses, and other service partners should work with their executive producers and directors to understand the new security requirements, including the annual TPN assessment. You can hire a qualified TPN assessor and then manage your assessment process using the secure online platform. The TPN assessment doesn't provide a “pass/fail” grade, certification, or rating. It provides an assessment of a facility’s security preparedness for conformance with the MPA content security best practices. If an assessment indicates non-conformance with a security best practices control, you can validate remediation via a follow-up assessment or furnish your own evidence of remediation to the TPN.

Compliance with MPA content protection best practices is voluntary – MPA doesn't provide an accreditation program. Best practices outline security expectations and provide a framework for assessing facility's ability to protect content. Microsoft elected to carry out an independent MPA assessment so that you can be confident in the content security and protection capabilities of Azure. However, Microsoft doesn't inspect, approve, or manage your applications deployed on Azure. You're wholly responsible for ensuring your own compliance with all applicable laws and regulations.

Resources