Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.1 – Protect (i.e., physically control and securely store) system media containing Controlled Unclassified Information, both paper and digital.
Understanding the Requirement
This control requires that an organization physically control and securely store all media that contain Controlled Unclassified Information (CUI), whether paper or digital, so unauthorized people cannot access it. It focuses on inventorying media, restricting physical access, and using locked storage or equivalent measures so paper records, removable drives, CDs, and devices remain protected. This guidance is part of NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 and is designed to reduce the risk of physical loss or theft of CUI in small and medium businesses.
Technical Implementation
- Establish a media inventory and checkout process.
Create a simple inventory (spreadsheet or lightweight asset-management tool) listing every item of media that may contain CUI (paper bundles, USB drives, external HDDs, CDs, laptops). For each item record an ID, description, storage location, custodian, and disposition. Require a signed checkout/check-in entry that records who took the media, purpose, date/time, and expected return date. Reconcile inventory monthly.
- Use controlled locked storage.
Store CUI media in lockable cabinets or safes when not in use. For paper, use fire-resistant file cabinets with keyed locks; for digital media, use locked drawers, tamper-evident bags, or a dedicated safe. Limit keys/cards to authorized personnel and maintain a key custody log. For small teams, one central locked cabinet with documented access controls is sufficient and easier to manage than many scattered locations.
- Encrypt digital media and devices.
Apply full-disk encryption on laptops and mobile devices (e.g., BitLocker, FileVault). For removable media (USB drives, external disks), require hardware-encrypted devices or container encryption (VeraCrypt, encrypted archives) with strong passwords and two-person handling for highly sensitive items. Encryption reduces the impact if media are misplaced or stolen.
- Label and mark media clearly.
Label containers and media with a standardized CUI marking and inventory ID (do not place CUI content on exterior labels). Use discreet labeling to indicate "CUI — Authorized Access Only" on locked cabinets and clearly mark inventory IDs inside. Labels help staff identify which items require special handling.
- Define handling and transfer procedures.
Create short procedures for transporting media (e.g., two-person escort, locked transport case, tamper-evident seals). Require supervisor approval for removing media from the facility and record purpose/destination. If media must be sent off-site, use tracked courier services and encrypt the contents before transit.
- Sanitize and dispose securely.
Define and implement media sanitization: cross-cut shredding for paper, NIST-approved wiping or physical destruction for electronic media, and documented certificates of destruction if using a vendor. Maintain disposal logs tied back to the inventory.
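As an added illustration of the media inventory and checkout process above (not part of the original guidance or any particular tool), the following Python sketch performs the reconciliation step: it compares the inventory and the open checkout log against what a custodian actually found in the locked cabinet and reports each kind of discrepancy. The inventory rows, log entries, media IDs and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class MediaItem:                       # one row of the media inventory
    media_id: str
    description: str
    location: str
    custodian: str

@dataclass
class CheckoutEntry:                   # one signed line in the checkout/check-in log
    media_id: str
    taken_by: str
    purpose: str
    due_back: date
    returned_on: Optional[date] = None  # None while the item is still out

def reconcile(inventory, checkouts, observed, today):
    """Flag each inventoried item that is neither in storage nor covered by an open checkout."""
    open_checkouts = {c.media_id: c for c in checkouts if c.returned_on is None}
    findings = {"missing": [], "overdue": [], "not_checked_in": [], "unlisted": []}
    for item in inventory:
        present = item.media_id in observed
        entry = open_checkouts.get(item.media_id)
        if present and entry:                            # back in the cabinet, log never closed
            findings["not_checked_in"].append(item.media_id)
        elif not present and entry is None:              # gone with no custody record at all
            findings["missing"].append(item.media_id)
        elif not present and entry.due_back < today:     # out longer than approved
            findings["overdue"].append(item.media_id)
    known = {item.media_id for item in inventory}
    findings["unlisted"] = sorted(observed - known)      # in the cabinet but never inventoried
    return findings

INVENTORY = [  # constructed sample data, not from any real organisation
    MediaItem("BND-001", "Printed drawing set, project A", "Cabinet 1", "J. Doe"),
    MediaItem("HDD-001", "External HDD, full-disk encrypted", "Cabinet 1", "J. Doe"),
    MediaItem("HDD-002", "External HDD, full-disk encrypted", "Cabinet 1", "A. Roe"),
    MediaItem("USB-003", "Company USB stick, hardware encrypted", "Cabinet 1", "A. Roe"),
]
CHECKOUTS = [
    CheckoutEntry("BND-001", "E. Smith", "site review", date(2024, 5, 9)),
    CheckoutEntry("USB-003", "K. Lee", "client demo", date(2024, 4, 3)),
    CheckoutEntry("HDD-002", "E. Smith", "backup", date(2024, 4, 22), date(2024, 4, 22)),
]
OBSERVED = {"BND-001", "HDD-002", "CD-010"}  # IDs the custodian actually found in the cabinet
AUDIT_DATE = date(2024, 5, 6)                # constructed date of the reconciliation
```

Running `reconcile(INVENTORY, CHECKOUTS, OBSERVED, AUDIT_DATE)` on this data reports HDD-001 as missing, USB-003 as overdue, BND-001 as back in storage without a check-in, and CD-010 as present but never inventoried; each finding is what the procedure says to report immediately.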
Example in a Small or Medium Business
An engineering firm with 25 employees maintains design documents that include CUI. They create a simple inventory spreadsheet listing each binder of printed drawings, three external hard drives, and a set of company USB sticks. All physical media are stored in a single locked cabinet in the office manager’s room; the cabinet is labeled "CUI — Authorized Access Only" and keys are held by two designated custodians. When an engineer needs a drawing set, they sign the checkout log with name, date/time, purpose, and expected return. Digital files on removable drives are stored encrypted; before a drive leaves the cabinet a manager approves the checkout and the engineer signs a temporary access form noting the transport method. The firm runs quarterly reconciliations comparing the inventory to the cabinet contents and immediately reports any discrepancies. When a drive reaches end-of-life it is sent to a certified vendor for physical destruction and the vendor's destruction certificate is filed with the inventory record.
Summary
Combining a clear media inventory, physical controls (locked storage and labeled containers), enforced checkout procedures, encryption for digital media, and documented sanitization/disposal creates practical, repeatable protections that meet MP.L2-3.8.1. For SMBs these measures are straightforward to implement with low-cost controls—locked cabinets, simple logs, and standard encryption tools—while delivering meaningful protection for CUI and making custody and accountability auditable during reviews or assessments.