{
  "title": "How to Configure Encryption, ACLs, and DLP to Ensure Only Authorized Users Access CUI on Media — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.2",
  "date": "2026-04-21",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-configure-encryption-acls-and-dlp-to-ensure-only-authorized-users-access-cui-on-media-nist-sp-800-171-rev2-cmmc-20-level-2-control-mpl2-382.jpg",
  "content": {
    "full_html": "<p>This post explains how to meet Control MP.L2-3.8.2 in NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 by configuring encryption, access control lists (ACLs), and data loss prevention (DLP) so that only authorized users can access Controlled Unclassified Information (CUI) on media (both removable and non-removable) with clear, actionable steps and small-business examples.</p>\n\n<h2>Overview and required outcomes</h2>\n<p>MP.L2-3.8.2 requires that CUI stored on any media is accessible only by authorized parties. Practically this means: (1) inventory and label CUI sources; (2) encrypt CUI at rest and in transit with approved algorithms (e.g., AES-256, FIPS-validated modules where required); (3) apply least-privilege ACLs on file systems, shares, and object stores; and (4) deploy DLP to detect, block, or quarantine unauthorized transfer or copying of CUI. The goal for a Compliance Framework program is demonstrable controls, documented procedures, and logs proving only authorized access.</p>\n\n<h2>Implementation steps — encryption, ACLs, and DLP</h2>\n<p>Start with data discovery and classification: scan endpoints, file servers, cloud buckets, and removable media for CUI patterns (DFARS clauses, project numbers, SSNs, PII patterns). Tag and label files using your classification tool (Microsoft Purview/AIP, Google Workspace labels, or an endpoint agent). Once files are classified, apply layered protections: full-disk encryption for endpoints, file/volume/container encryption for data stores, object-level encryption for cloud buckets, and TLS for data in transit.</p>\n\n<p>Encryption examples and key management: For Windows endpoints, enable BitLocker with XTS-AES 256 and store keys in an enterprise KMS (Azure AD + Intune or AD + MBAM/Configuration Manager). 
Example PowerShell to enable BitLocker on C: using AES-256 and escrow the recovery password:</p>\n<pre><code>Enable-BitLocker -MountPoint \"C:\" -EncryptionMethod XtsAes256 -UsedSpaceOnly:$false -TpmProtector\n# A TPM protector alone cannot be escrowed; add a recovery password protector, then back it up to on-prem AD DS\n# (for Azure AD / Intune-joined devices use BackupToAAD-BitLockerKeyProtector instead)\nAdd-BitLockerKeyProtector -MountPoint \"C:\" -RecoveryPasswordProtector | Out-Null\n$rp = (Get-BitLockerVolume -MountPoint \"C:\").KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'\nBackup-BitLockerKeyProtector -MountPoint \"C:\" -KeyProtectorId $rp.KeyProtectorId\n</code></pre>\n<p>On Linux, use LUKS for full-disk encryption and GnuPG or a hardware HSM for key wrapping. For portable containers, tools like VeraCrypt, BitLocker To Go, or encrypted zip with AES-256 are acceptable when paired with enterprise key management and policy enforcement. In cloud storage, enable server-side encryption with customer-managed keys (SSE-KMS for AWS S3, CMEK for GCP/Azure) and restrict key usage via IAM policies and HSM/KMS rotation policies.</p>\n\n<p>ACLs: enforce least privilege using group-based permissions rather than user-based ACLs. On Windows shares, use Active Directory groups and apply NTFS permissions; example CLI for tightening a folder:</p>\n<pre><code>icacls \"D:\\CUI\" /inheritance:r\nicacls \"D:\\CUI\" /grant \"CORP\\CUI_Viewers:(OI)(CI)R\" /grant \"CORP\\CUI_Admins:(OI)(CI)M\"\n</code></pre>\n<p>On Linux ext4/SMB/NFS, use POSIX ACLs with setfacl to assign group read-only or read-write access, and disable broad write permissions:</p>\n<pre><code># Drop all access for other users first; -R applies to existing files, d: sets default ACLs inherited by new files\nchmod -R o-rwx /srv/cui\nsetfacl -R -m g:cui_viewers:rX -m d:g:cui_viewers:rX /srv/cui\nsetfacl -R -m g:cui_admins:rwX -m d:g:cui_admins:rwX /srv/cui\n</code></pre>\n<p>For cloud object storage, lock down buckets with least-privilege IAM policies and deny public access. Example S3 bucket encryption + policy snippets: enable SSE-KMS and limit PutObject/GetObject to a role or IAM group that is used by approved application/service principals.</p>\n\n<h2>Deploying DLP to prevent unauthorized access and exfiltration</h2>\n<p>Deploy DLP in three tiers: endpoint DLP, cloud DLP/CASB, and network DLP. Endpoint DLP controls block copy/paste, restrict file save-to-USB, and prevent screen capture for labeled CUI. 
Cloud DLP inspects uploads to SaaS (SharePoint, OneDrive, Gmail) and blocks or encrypts based on labels. CASB enforces access to cloud resources only from managed devices and can block unmanaged device uploads. Configure DLP rules to act in enforcement modes: Monitor -> Notify -> Block, with incident workflows for false positives.</p>\n\n<p>Concrete DLP configuration tips: create rules that match your CUI label + regex patterns for project IDs, SSNs, or classified phrases; apply actions: encrypt in transit (e.g., AIP protect), block upload, quarantine file, or require justification with an approval workflow. Integrate DLP alerts with your SIEM or ticketing system so each blocked action generates an auditable incident record and remediation steps.</p>\n\n<h2>Small-business scenarios and real-world examples</h2>\n<p>Scenario A — A 25-person engineering firm: implement BitLocker on all Windows laptops via Intune, apply Azure Information Protection labels to CAD files marked as CUI, and enforce SharePoint/OneDrive conditional access so only users with compliant devices can access CUI. Use Defender for Endpoint + Endpoint DLP to block copying labeled CUI to USB drives and forward DLP alerts to the IT manager's mailbox and SIEM.</p>\n\n<p>Scenario B — A small contract manufacturer using AWS S3: classify files uploaded by engineers, enforce SSE-KMS with a customer-managed KMS key, attach an IAM policy restricting GetObject/PutObject to an IAM role assumed by approved CI/CD servers and a small list of user groups. Use S3 bucket policies to deny requests outside the company VPC and enable object-level logging in CloudTrail to show who accessed objects and from where for audit evidence.</p>\n\n<h2>Compliance tips, testing, and documentation</h2>\n<p>Document procedures: inventory, classification rules, encryption standards (FIPS-validated modules, AES-256), KMS policies, group membership rules, DLP rule definitions, and incident handling workflows. 
Test controls quarterly: attempt authorized and unauthorized access to media (simulate exfiltration), verify BitLocker recovery escrow, simulate DLP rules firing, and review logs. Keep evidence of testing and remediation for assessors: screenshots, SIEM logs, policy exports, and change control records.</p>\n\n<h2>Risks of not implementing MP.L2-3.8.2</h2>\n<p>Failure to implement these controls risks unauthorized disclosure, exfiltration, or tampering with CUI. Consequences include contract loss, regulatory penalties, reputational damage, incident response costs, and failing a CMMC/NIST audit. Technically, inadequate encryption or permissive ACLs enable lateral movement and data harvesting; lack of DLP means silent exfiltration via cloud uploads or removable media without detection.</p>\n\n<p>In summary, achieving MP.L2-3.8.2 compliance requires a layered approach: inventory and label CUI, apply FIPS-validated encryption at rest and in transit, enforce least-privilege ACLs across on-prem and cloud storage, and deploy DLP to detect and block unauthorized use or exfiltration. For small businesses, combine enterprise-managed encryption (BitLocker/FileVault/SSE-KMS), group-based ACLs, endpoint DLP, and documented testing to produce a defensible compliance posture and audit evidence.</p>",
    "plain_text": "This post explains how to meet Control MP.L2-3.8.2 in NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 by configuring encryption, access control lists (ACLs), and data loss prevention (DLP) so that only authorized users can access Controlled Unclassified Information (CUI) on media (both removable and non-removable) with clear, actionable steps and small-business examples.\n\nOverview and required outcomes\nMP.L2-3.8.2 requires that CUI stored on any media is accessible only by authorized parties. Practically this means: (1) inventory and label CUI sources; (2) encrypt CUI at rest and in transit with approved algorithms (e.g., AES-256, FIPS-validated modules where required); (3) apply least-privilege ACLs on file systems, shares, and object stores; and (4) deploy DLP to detect, block, or quarantine unauthorized transfer or copying of CUI. The goal for a Compliance Framework program is demonstrable controls, documented procedures, and logs proving only authorized access.\n\nImplementation steps — encryption, ACLs, and DLP\nStart with data discovery and classification: scan endpoints, file servers, cloud buckets, and removable media for CUI patterns (DFARS clauses, project numbers, SSNs, PII patterns). Tag and label files using your classification tool (Microsoft Purview/AIP, Google Workspace labels, or an endpoint agent). Once files are classified, apply layered protections: full-disk encryption for endpoints, file/volume/container encryption for data stores, object-level encryption for cloud buckets, and TLS for data in transit.\n\nEncryption examples and key management: For Windows endpoints, enable BitLocker with XTS-AES 256 and store keys in an enterprise KMS (Azure AD + Intune or AD + MBAM/Configuration Manager). 
Example PowerShell to enable BitLocker on C: using AES-256 and escrow the recovery password:\nEnable-BitLocker -MountPoint \"C:\" -EncryptionMethod XtsAes256 -UsedSpaceOnly:$false -TpmProtector\n# A TPM protector alone cannot be escrowed; add a recovery password protector, then back it up to on-prem AD DS\n# (for Azure AD / Intune-joined devices use BackupToAAD-BitLockerKeyProtector instead)\nAdd-BitLockerKeyProtector -MountPoint \"C:\" -RecoveryPasswordProtector | Out-Null\n$rp = (Get-BitLockerVolume -MountPoint \"C:\").KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'\nBackup-BitLockerKeyProtector -MountPoint \"C:\" -KeyProtectorId $rp.KeyProtectorId\n\nOn Linux, use LUKS for full-disk encryption and GnuPG or a hardware HSM for key wrapping. For portable containers, tools like VeraCrypt, BitLocker To Go, or encrypted zip with AES-256 are acceptable when paired with enterprise key management and policy enforcement. In cloud storage, enable server-side encryption with customer-managed keys (SSE-KMS for AWS S3, CMEK for GCP/Azure) and restrict key usage via IAM policies and HSM/KMS rotation policies.\n\nACLs: enforce least privilege using group-based permissions rather than user-based ACLs. On Windows shares, use Active Directory groups and apply NTFS permissions; example CLI for tightening a folder:\nicacls \"D:\\CUI\" /inheritance:r\nicacls \"D:\\CUI\" /grant \"CORP\\CUI_Viewers:(OI)(CI)R\" /grant \"CORP\\CUI_Admins:(OI)(CI)M\"\n\nOn Linux ext4/SMB/NFS, use POSIX ACLs with setfacl to assign group read-only or read-write access, and disable broad write permissions:\n# Drop all access for other users first; -R applies to existing files, d: sets default ACLs inherited by new files\nchmod -R o-rwx /srv/cui\nsetfacl -R -m g:cui_viewers:rX -m d:g:cui_viewers:rX /srv/cui\nsetfacl -R -m g:cui_admins:rwX -m d:g:cui_admins:rwX /srv/cui\n\nFor cloud object storage, lock down buckets with least-privilege IAM policies and deny public access. Example S3 bucket encryption + policy snippets: enable SSE-KMS and limit PutObject/GetObject to a role or IAM group that is used by approved application/service principals.\n\nDeploying DLP to prevent unauthorized access and exfiltration\nDeploy DLP in three tiers: endpoint DLP, cloud DLP/CASB, and network DLP. Endpoint DLP controls block copy/paste, restrict file save-to-USB, and prevent screen capture for labeled CUI. Cloud DLP inspects uploads to SaaS (SharePoint, OneDrive, Gmail) and blocks or encrypts based on labels. 
CASB enforces access to cloud resources only from managed devices and can block unmanaged device uploads. Configure DLP rules to act in enforcement modes: Monitor -> Notify -> Block, with incident workflows for false positives.\n\nConcrete DLP configuration tips: create rules that match your CUI label + regex patterns for project IDs, SSNs, or classified phrases; apply actions: encrypt in transit (e.g., AIP protect), block upload, quarantine file, or require justification with an approval workflow. Integrate DLP alerts with your SIEM or ticketing system so each blocked action generates an auditable incident record and remediation steps.\n\nSmall-business scenarios and real-world examples\nScenario A — A 25-person engineering firm: implement BitLocker on all Windows laptops via Intune, apply Azure Information Protection labels to CAD files marked as CUI, and enforce SharePoint/OneDrive conditional access so only users with compliant devices can access CUI. Use Defender for Endpoint + Endpoint DLP to block copying labeled CUI to USB drives and forward DLP alerts to the IT manager's mailbox and SIEM.\n\nScenario B — A small contract manufacturer using AWS S3: classify files uploaded by engineers, enforce SSE-KMS with a customer-managed KMS key, attach an IAM policy restricting GetObject/PutObject to an IAM role assumed by approved CI/CD servers and a small list of user groups. Use S3 bucket policies to deny requests outside the company VPC and enable object-level logging in CloudTrail to show who accessed objects and from where for audit evidence.\n\nCompliance tips, testing, and documentation\nDocument procedures: inventory, classification rules, encryption standards (FIPS-validated modules, AES-256), KMS policies, group membership rules, DLP rule definitions, and incident handling workflows. 
Test controls quarterly: attempt authorized and unauthorized access to media (simulate exfiltration), verify BitLocker recovery escrow, simulate DLP rules firing, and review logs. Keep evidence of testing and remediation for assessors: screenshots, SIEM logs, policy exports, and change control records.\n\nRisks of not implementing MP.L2-3.8.2\nFailure to implement these controls risks unauthorized disclosure, exfiltration, or tampering with CUI. Consequences include contract loss, regulatory penalties, reputational damage, incident response costs, and failing a CMMC/NIST audit. Technically, inadequate encryption or permissive ACLs enable lateral movement and data harvesting; lack of DLP means silent exfiltration via cloud uploads or removable media without detection.\n\nIn summary, achieving MP.L2-3.8.2 compliance requires a layered approach: inventory and label CUI, apply FIPS-validated encryption at rest and in transit, enforce least-privilege ACLs across on-prem and cloud storage, and deploy DLP to detect and block unauthorized use or exfiltration. For small businesses, combine enterprise-managed encryption (BitLocker/FileVault/SSE-KMS), group-based ACLs, endpoint DLP, and documented testing to produce a defensible compliance posture and audit evidence."
  },
  "metadata": {
    "description": "Practical steps to configure encryption, access controls, and DLP so only authorized users can access CUI on physical and electronic media to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements.",
    "permalink": "/how-to-configure-encryption-acls-and-dlp-to-ensure-only-authorized-users-access-cui-on-media-nist-sp-800-171-rev2-cmmc-20-level-2-control-mpl2-382.json",
    "categories": [],
    "tags": []
  }
}