This post provides a practical, checklist-style guide to implementing technical and administrative safeguards for Controlled Unclassified Information (CUI) media access—mapped to NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 (MP.L2-3.8.2)—with hands-on steps, small-business examples, and clear risks and best practices to help you achieve and maintain compliance.
What this requirement means in practice
MP.L2-3.8.2 expects organizations to restrict access to CUI stored on physical and digital media through both technical controls (encryption, access controls, logging) and administrative measures (policies, labeling, training, sanitization procedures). For a small business this means you must be able to show who can read, copy, transport, and dispose of CUI media; how access is enforced; and how media is securely handled end-to-end.
Technical safeguards — implementation checklist
1) Encrypt CUI at rest and in transit: Use AES-256 or equivalent FIPS-validated crypto for at-rest encryption (e.g., BitLocker for Windows, FileVault for macOS, or disk/cloud provider-managed encryption with FIPS 140-2 validation). Ensure TLS 1.2+ (preferably TLS 1.3) for data in transit and use vendor-provided or VM-level encryption for cloud storage.
2) Implement least-privilege, role-based access controls: Configure RBAC so only designated roles can access CUI media. Enforce strong authentication (MFA) and limit administrative privileges. Map roles to job functions and document access approvals. Use group policy, IAM roles in cloud providers (e.g., AWS IAM policies scoped per bucket/object), or on-prem AD groups to enforce access.
3) Control removable media and endpoints: Disable unused USB ports through Group Policy or endpoint security solutions, require organization-issued hardware-encrypted USB tokens (FIPS-validated) if removable media is necessary, and manage mobile devices with MDM (e.g., Microsoft Intune) to enforce encryption, password complexity, and remote wipe.
4) Logging, monitoring, and retention: Enable detailed access logging for file systems, NAS, cloud object storage access (S3 access logs, CloudTrail), and endpoints. Forward logs to a SIEM or centralized log collector with retention aligned to contractual requirements (commonly 12 months or more) and configure alerts for unusual media access, mass downloads, or egress attempts.
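One way to turn the alerting step above into detection logic, as an added example that is not part of the original post: it walks constructed CloudTrail-style S3 data events, flags any principal outside an assumed `cui-readers` role, and raises a mass-download alert when one principal fetches ten or more objects within five minutes. The bucket, account id and role names are assumptions.

```python
"""Added example (not from the original post): flag mass downloads of CUI objects and
access by principals outside the approved CUI role, using constructed CloudTrail-style
S3 data events. The bucket, account id and role names are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
CUI_BUCKET = "example-cui-media"                                    # assumed bucket
AUTHORIZED_ARNS = {"arn:aws:iam::111122223333:role/cui-readers"}    # assumed RBAC role
WINDOW = timedelta(minutes=5)
MASS_DOWNLOAD_THRESHOLD = 10   # GetObject calls by one principal within WINDOW

def _principal(event):
    """For assumed roles CloudTrail names the role under sessionContext.sessionIssuer."""
    ident = event["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn", ident.get("arn", "unknown"))

def analyze(events):
    """Return (alert_type, principal, detail) tuples for events on the CUI bucket."""
    alerts = []
    recent = defaultdict(deque)   # principal -> timestamps of its recent GetObject calls
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("requestParameters", {}).get("bucketName") != CUI_BUCKET:
            continue
        who = _principal(ev)
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if who not in AUTHORIZED_ARNS:
            alerts.append(("unauthorized_principal", who, ev["eventName"]))
        if ev["eventName"] == "GetObject":
            q = recent[who]
            q.append(ts)
            while ts - q[0] > WINDOW:               # drop calls older than the window
                q.popleft()
            if len(q) == MASS_DOWNLOAD_THRESHOLD:   # alert once, as the line is crossed
                alerts.append(("mass_download", who, f"{len(q)} GetObject in {WINDOW}"))
    return alerts

def _event(name, arn, minute, key, session_role=None):
    """Constructed minimal CloudTrail-style record (real records carry many more fields)."""
    ident = {"arn": arn}
    if session_role:
        ident["sessionContext"] = {"sessionIssuer": {"arn": session_role}}
    return {"eventTime": f"2024-05-01T09:{minute:02d}:00Z", "eventName": name,
            "userIdentity": ident, "requestParameters": {"bucketName": CUI_BUCKET, "key": key}}

# Constructed sample: the approved role reads two files; an IAM user outside the role pulls twelve.
SAMPLE_EVENTS = (
    [_event("GetObject", "arn:aws:sts::111122223333:assumed-role/cui-readers/alice", m,
            f"doc{m}.pdf", "arn:aws:iam::111122223333:role/cui-readers") for m in (1, 2)]
    + [_event("GetObject", "arn:aws:iam::111122223333:user/contractor-bob", 10 + m // 4,
              f"cui{m}.docx") for m in range(12)]
)
```

Running `analyze(SAMPLE_EVENTS)` yields twelve unauthorized-principal alerts for the contractor user and a single mass-download alert, and nothing for the approved role.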
Small-business example: 20-person defense subcontractor
Scenario: A 20-person subcontractor stores CUI on employee laptops and in an Azure tenant. Practical steps: enroll all devices in Intune, enforce BitLocker and device-compliance policies, configure Azure Information Protection (Microsoft Purview) for file labeling and encryption, restrict SharePoint/OneDrive external sharing, enable conditional access requiring MFA and compliant devices, and use Azure Monitor/Log Analytics to collect audit logs for one year. Keep a media inventory spreadsheet (or simple CMDB) that lists devices storing CUI, assigned users, and sanitization status.
Administrative safeguards — policies, procedures, and training
Document written policies for media handling: labeling and marking CUI, authorized use of removable media, chain-of-custody forms for movement of physical media, approved sanitization and destruction methods (follow NIST SP 800-88 guidance: clear, purge, destroy), and procedures for when media is lost or compromised. Maintain signed acknowledgements from employees and contractors that they understand media handling rules.
Establish recurring training and role-based briefings that cover CUI handling, how to report incidents, and exceptions handling. For contractors and guests, use formal Non-Disclosure Agreements (NDAs) and access attestations that specify permitted CUI actions and sanctions for violations.
Real-world scenario: cloud-stored CUI accessed by contract engineers
When contract engineers need limited-time access to cloud-hosted CUI, treat them as temporary roles: create time-bound IAM roles or guest user accounts, require device posture checks (compliant device, up-to-date patching), log and review all access, and automatically revoke credentials at contract end. Use pre-signed URLs with short TTLs only when absolutely necessary and record the issuance in your media access register.
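A worked version of the time-bound contractor access described above, added here and not part of the original post: it builds an IAM policy whose date and MFA conditions expire the grant automatically, records the issuance in a simple register, and lists grants whose role or guest account still has to be removed at contract end. The account id, bucket, key prefix and names are assumptions.

```python
"""Added example (not the original post's code): a time-bound, MFA-gated IAM policy
for a contract engineer, logged in a media access register with an explicit expiry,
plus a check for grants due for revocation. Account id, bucket and names are assumed."""
from datetime import datetime, timedelta

CUI_BUCKET_ARN = "arn:aws:s3:::example-cui-media"   # assumed bucket
FMT = "%Y-%m-%dT%H:%M:%SZ"                          # timestamp form IAM date conditions accept
REGISTER = []   # in-memory stand-in for the media access register

def time_bound_policy(prefix, start, end):
    """Allow reads of one key prefix only between start and end, and only with MFA.
    aws:CurrentTime and aws:MultiFactorAuthPresent are standard IAM condition keys."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": f"{CUI_BUCKET_ARN}/{prefix}/*",
        "Condition": {
            "DateGreaterThan": {"aws:CurrentTime": start.strftime(FMT)},
            "DateLessThan": {"aws:CurrentTime": end.strftime(FMT)},
            "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def issue_grant(principal, prefix, start_iso, days, approver):
    """Build the policy and record who got what, who approved it, and when it ends."""
    start = datetime.strptime(start_iso, FMT)
    end = start + timedelta(days=days)
    entry = {"principal": principal, "prefix": prefix, "approver": approver,
             "issued": start_iso, "expires": end.strftime(FMT), "revoked": None,
             "policy": time_bound_policy(prefix, start, end)}
    REGISTER.append(entry)
    return entry

def due_for_revocation(now_iso):
    """Expired grants nobody has marked revoked. The date condition already denies
    them, but the role or guest account itself still has to be removed."""
    now = datetime.strptime(now_iso, FMT)
    return [e for e in REGISTER
            if e["revoked"] is None and datetime.strptime(e["expires"], FMT) <= now]

if __name__ == "__main__":
    g = issue_grant("arn:aws:iam::111122223333:user/contractor-bob", "project-x",
                    "2024-05-01T00:00:00Z", 30, "security-lead")
    print(g["policy"]["Statement"][0]["Condition"])
    print(len(due_for_revocation("2024-06-15T00:00:00Z")), "grant(s) to revoke")
```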
Compliance tips, metrics, and best practices
Keep a media inventory and access register, perform quarterly access reviews, and retain proof of sanitization/destruction (photographs, certificates from shredding vendors, or documented secure wipe outputs). Track metrics such as the number of unauthorized access attempts, the time to revoke access after a role change (target under 24–72 hours), and the percentage of devices compliant with encryption policies. Automate enforcement where possible to reduce human error.
Risks of not implementing these safeguards
Failure to implement MP.L2-3.8.2 controls exposes you to data exfiltration, contract termination, loss of future DoD work, regulatory fines, and reputational harm. A single lost laptop or improperly disposed backup drive containing CUI can trigger a reportable incident, costly forensics, and potential loss of security clearance for the organization. Technically, unsecured media are common attack vectors (ransomware exfiltration, insider theft, unintentional leakage via cloud misconfiguration).
Summary: By combining technical measures (encryption, RBAC, endpoint controls, logging) with administrative controls (policies, training, inventory, sanitization) and small-business-friendly implementations (MDM, cloud-native protections, simple CMDB), you can meet MP.L2-3.8.2 requirements and significantly reduce the risk associated with CUI media. Start with a concise policy, deploy automated enforcement for the highest-risk items, and document your controls and evidence to support audits and CMMC assessments.