Protecting Controlled Unclassified Information (CUI) on both paper and digital system media is a foundational CMMC 2.0 Level 2 / NIST SP 800-171 Rev.2 requirement (MP.L2-3.8.1, the CMMC practice for 800-171 control 3.8.1: physically control and securely store system media containing CUI). Meeting it requires a documented, practical media protection plan that covers inventory, labeling, handling, storage, transport, sanitization, and incident response for media assets. This post gives a step-by-step implementation plan targeted at small businesses working toward CMMC Level 2, with specific technical controls, real-world examples, and best practices you can implement quickly.
Key objectives
Your media protection plan should clearly establish: (1) which media contain or may contain CUI; (2) rules for labeling, handling, and storing that media; (3) technical controls (encryption, access controls, device management); (4) approved sanitization and disposal processes aligned with NIST SP 800-88; (5) chain-of-custody and transport procedures; and (6) verification, training, and audit processes to demonstrate and sustain compliance. Frame the plan to support contract requirements, CMMC assessment, and internal risk management.
Step-by-step implementation plan
1) Scope, inventory, and classification
Start by scoping: identify systems, devices, physical locations, and paper stores that can hold CUI. Maintain a media inventory (spreadsheet or CMDB) that records asset type (USB, laptop drive, network share, printed reports), owner, CUI category, location, encryption status, and retention period. Example: a small engineering subcontractor lists 48 endpoints, 12 NAS volumes, and a locked filing cabinet in the project office that stores drawing prints. Tag each inventory item with a unique ID (barcode or asset tag) to enable chain-of-custody tracking for check-out/check-in workflows.
2) Write policy and assign roles
Create a concise Media Protection Plan document that defines scope, acceptable media use, labeling conventions (e.g., header/footer "CUI"), roles (Media Custodian, IT Admin, Facility Manager, Authorizing Official), and exceptions process. Include standardized forms: media checkout/transfer, destruction certificates, and sanitization attestations. For a small business, the IT lead can be Media Custodian and the COO or Contract Manager can be Authorizing Official — document the delegation. Publish policies to your internal portal and include retention and disposition schedules tied to contract clauses.
3) Labeling, handling, and physical controls for paper
For paper CUI, enforce mandatory labeling, locked storage, and shredding or contracted secure destruction. CUI does not require a GSA-approved security container; a lockable cabinet in a space with controlled access meets the requirement, and a GSA-style cabinet is simply a convenient way to get one. Use cross-cut shredders that meet the NIST SP 800-88 Rev.1 particle size for paper (1 mm x 5 mm or smaller) or a bonded shredding vendor that provides a Certificate of Destruction. Example: an attorney's office uses color-coded folders labeled "CUI" and a monthly locked-bin pick-up by a bonded service; employees must log documents placed in the bin. Train staff not to leave CUI on printers or desks, to retrieve print jobs immediately, and to send physical media offsite only through an approved courier with tracking and signature on delivery.
4) Technical controls for digital media (encryption, access control, endpoint management)
Require full-disk or file-level encryption for all devices that can store CUI: BitLocker with TPM for Windows (configure XTS-AES-256 by policy, since the default cipher strength is XTS-AES 128, and escrow recovery keys to Azure AD or Active Directory), FileVault 2 for macOS, and LUKS2 for Linux. For removable drives, use hardware-encrypted USB drives or centrally managed encrypted containers (VeraCrypt volumes, Azure RMS-protected files, or Microsoft Purview sensitivity labels that apply RMS protection). Implement endpoint controls: block unauthorized USB mass storage via Group Policy (the Removable Storage Access policies, or disabling the USBSTOR driver) or an EDR/MDM solution, apply DLP rules that detect and block CUI leaving approved channels (for example, permit only sanctioned encrypted transfers such as SFTP and block uploads to personal cloud storage), and centrally manage keys in an HSM or cloud KMS backed by FIPS 140-validated modules (140-2 or 140-3), which 800-171 control 3.13.11 requires for CUI encryption. Log all media mounts and transfers to a SIEM so the audit trail can be reviewed and retained.
5) Transport and chain-of-custody
Define approved transport methods. For digital media sent offsite, require encrypted containers and pre-approved couriers, and send the unlock passphrase or key through a separate channel from the media itself; for highly sensitive transfers, use two-person custody and tamper-evident seals. Maintain a transfer form capturing sender, recipient, media ID, contents summary, time, and signatures (electronic signatures accepted). Example: a small defense contractor shipping design files places the data on a self-encrypting drive (SED), records the transaction in the media log, seals the drive in a tamper-evident bag, uses a bonded overnight courier with signature required, and phones the unlock credential to the recipient after the courier confirms delivery.
6) Sanitization, decommissioning, and disposal
Follow NIST SP 800-88 Rev.1 guidelines, which categorize sanitization as Clear (logical techniques such as overwriting), Purge (more robust techniques such as crypto-erase, ATA Secure Erase / NVMe Sanitize, or degaussing for magnetic media), and Destroy (physical destruction). For SSDs and SEDs prefer crypto-erase or the drive's built-in sanitize command; degaussing does not work on flash media and leaves the data intact. Crypto-erase is only valid when the data was encrypted for the whole life of the drive with a key that was never exported or exposed, so record in the inventory when encryption was enabled. For HDDs use overwriting (Clear), Secure Erase or degaussing (Purge), or physical shredding (Destroy) according to the sensitivity of the data and whether the drive will leave your control. 800-88 also calls for verification, so sample and read back sanitized media (or obtain the vendor's verification report) and keep that record with the sanitization certificate. Update the media inventory to reflect the new status. For paper, document shredder serial numbers, certificates of destruction, and responsible staff names.
7) Training, verification, and audit
Train all personnel annually on media handling rules and run quarterly spot audits: check labeling, review logs, validate encryption status via automated inventory, and test sanitization reports. Integrate media events into incident response: lost or stolen media triggers immediate revocation of any credentials or certificates stored on it, a remote wipe through MDM where the device is enrolled, a check of the inventory to confirm whether the media was encrypted (an encrypted, properly managed device is a much smaller incident than an unencrypted one), and notification to stakeholders under the reporting clauses in your contracts (for DoD contracts, DFARS 252.204-7012 requires cyber incident reporting within 72 hours). For CMMC readiness, keep audit trails and evidence packages (policies, inventories, training records, sanitization certificates) organized to present to assessors.
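The automated checks described in steps 1, 4, 5 and 7 (inventory with unique IDs, SIEM mount logs, chain-of-custody forms, and quarterly audits of encryption and sanitization status) can be run by a short script. The following is an added example written for this post, not code from the original article or from any vendor tool. The inventory, custody log, sanitization register and mount log are constructed sample data in a hypothetical CSV and key=value layout; a real deployment would export them from your CMDB, MDM and SIEM and adjust the column names.

```python
import csv
import io
from datetime import date

# Constructed sample exports (hypothetical layout, not a real CMDB/MDM/SIEM format).
INVENTORY_CSV = """\
asset_id,type,serial,owner,cui,encryption,status
MED-0001,laptop,LT-5F21,jdoe,yes,bitlocker,active
MED-0002,usb,SD-18C4,asmith,yes,none,active
MED-0003,usb,IK-0A1B,jdoe,yes,hardware,active
MED-0004,hdd,HD-77A0,it,yes,luks2,disposed
MED-0005,hdd,HD-77A1,it,yes,luks2,disposed
MED-0006,paper,,pmgr,yes,n/a,active
"""

CUSTODY_CSV = """\
asset_id,action,person,timestamp,due
MED-0003,checkout,jdoe,2024-05-01T08:00:00Z,2024-05-03
MED-0006,checkout,pmgr,2024-04-20T09:00:00Z,2024-04-22
MED-0006,checkin,pmgr,2024-04-22T17:00:00Z,
"""

SANITIZATION_CSV = """\
asset_id,method,certificate
MED-0004,crypto-erase,CERT-2024-017
"""

# Constructed SIEM-style events; the serial is what the endpoint reports for the USB device.
MOUNT_LOG = """\
2024-05-02T09:14:03Z host=eng-lt-07 event=usb_mount serial=IK-0A1B user=jdoe
2024-05-02T11:40:51Z host=eng-lt-02 event=usb_mount serial=SD-18C4 user=asmith
2024-05-02T13:02:19Z host=eng-lt-11 event=usb_mount serial=SANDISK-77F1 user=bnguyen
2024-05-02T15:27:44Z host=eng-lt-07 event=usb_mount serial=IK-0A1B user=bnguyen
2024-05-02T15:30:02Z host=eng-lt-07 event=usb_unmount serial=IK-0A1B user=bnguyen
"""


def load_csv(text):
    """Parse one of the CSV exports into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_inventory(inventory, custody, sanitization, today):
    """Return (asset_id, finding) pairs for encryption, disposal and custody problems."""
    findings = []
    certified = {row["asset_id"] for row in sanitization if row["certificate"]}
    for item in inventory:
        if item["cui"] != "yes":
            continue
        if item["status"] == "active" and item["encryption"] == "none":
            findings.append((item["asset_id"], "CUI media in use without encryption"))
        if item["status"] == "disposed" and item["asset_id"] not in certified:
            findings.append((item["asset_id"], "disposed without a sanitization certificate"))
    # Chain of custody: the latest event for each asset must be a check-in,
    # or a check-out whose due date has not passed.
    last = {}
    for event in sorted(custody, key=lambda e: e["timestamp"]):
        last[event["asset_id"]] = event
    for asset_id, event in last.items():
        if event["action"] != "checkout":
            continue
        if not event["due"]:
            findings.append((asset_id, f"checked out to {event['person']} with no return date"))
        elif date.fromisoformat(event["due"]) < today:
            findings.append((asset_id, f"checked out to {event['person']}, overdue since {event['due']}"))
    return findings


def audit_mounts(log_text, inventory):
    """Check usb_mount events against the inventory, which acts as the device allowlist."""
    by_serial = {row["serial"]: row for row in inventory if row["serial"]}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])  # skip the timestamp
        if fields.get("event") != "usb_mount":
            continue
        item = by_serial.get(fields["serial"])
        if item is None:
            findings.append((fields["serial"], f"unregistered device mounted on {fields['host']} by {fields['user']}"))
        elif item["encryption"] == "none":
            findings.append((item["asset_id"], f"unencrypted device mounted on {fields['host']}"))
        elif fields["user"] != item["owner"]:
            findings.append((item["asset_id"], f"mounted by {fields['user']}, registered custodian is {item['owner']}"))
    return findings


def run_audit(today_iso="2024-05-06"):
    """Run both audits over the sample data as of the given audit date."""
    inventory = load_csv(INVENTORY_CSV)
    return {
        "inventory": audit_inventory(inventory, load_csv(CUSTODY_CSV),
                                     load_csv(SANITIZATION_CSV), date.fromisoformat(today_iso)),
        "mounts": audit_mounts(MOUNT_LOG, inventory),
    }


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(f"== {section} ==")
        for asset_id, issue in findings:
            print(f"{asset_id}: {issue}")
```

Run quarterly, the output is the spot-audit worksheet: each finding names the asset tag from the inventory, so the custodian can be asked for the missing certificate, the overdue check-in, or the device that was plugged in without being registered. The mount check treats the inventory as the allowlist; anything that blocks USB storage at the endpoint (step 4) should reduce the third category to zero, and a non-zero count there is evidence the block is not applied everywhere.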
Risk of non-implementation and compliance tips
Failing to implement MP.L2-3.8.1 exposes organizations to data breaches, contract noncompliance, loss of CMMC certification, financial penalties, and damage to reputation. Small businesses are especially vulnerable because a single lost laptop or unshredded contract can expose CUI. Compliance tips: apply least privilege to media access, automate inventory and encryption checks with your MDM/endpoint management, use tamper-evident physical controls for paper, require documented chain-of-custody for all offsite transfers, and align sanitization with NIST SP 800-88. Keep a small set of vendor contracts (bonded shredders, encrypted drive suppliers) pre-vetted for faster operational response.
Summary: Implementing a media protection plan for CUI under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 is practical and achievable for small businesses when broken into clear steps: scope and inventory, policy and roles, technical and physical controls, approved transport and sanitization procedures, and continuous training and auditing. Build simple artifacts — inventory, labeling convention, media checkout forms, sanitization certificates — integrate encryption and endpoint controls, and run regular audits to create a defensible compliance posture that mitigates risk and supports successful CMMC assessment.