Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.2 – Limit access to “Controlled Unclassified Information” (CUI) on system media to authorized users.
Understanding the Requirement
This control requires that only authorized people can access CUI stored on any physical or electronic system media. Practically, that means knowing what media holds CUI, physically protecting that media (locked cabinets, controlled rooms), controlling who can remove or use it, and recording access through sign-in/out or audit logs. The objective is to reduce accidental or deliberate exposure by combining administrative rules, physical controls, and tracking of access events.
Technical Implementation
- Inventory and labeling: Create and maintain a simple inventory of all media that may contain CUI (external drives, CDs, removable SSDs, backup tapes). Label each item with an identifier, CUI marking, and owner or custodian so you can track where CUI exists and who is responsible.
- Physical storage and access controls: Store CUI media in locked containers—metal file cabinets, lockable drawers, or a small secure room with key, badge access, or a coded lock. Limit physical keys/cards to authorized personnel and keep a list of who holds access privileges.
- Signed check-in/check-out process: Implement a mandatory sign-in/sign-out log (physical or digital) when media leaves or returns to storage. Require the person to record name, date/time, purpose, and expected return. Assign a custodian to review logs weekly and follow up on overdue items.
- Technical protections on media: Whenever practical, encrypt CUI stored on removable media with approved full-disk or file-level encryption and require strong authentication to decrypt. If encryption is used, keep encryption keys protected (not stored with the media) and limit key access to authorized staff.
- Handling, retention, and secure disposal: Publish short, clear procedures that define permitted uses, retention periods, and approved disposal methods (e.g., physical shredding, degaussing, secure erase). Train staff and enforce the rule that media with CUI must never be left unattended in public areas or disposed of in regular trash.
- Periodic review and auditing: Schedule regular reviews of the media inventory and access logs (monthly or quarterly depending on volume). Reconcile inventory, investigate anomalies, and update authorization lists when roles change. Keep audit records long enough to support incident investigation.
Example in a Small or Medium Business
A 45-person engineering firm receives CUI from a DoD client on several USB drives and one CD. The IT manager creates a numbered inventory and labels each item as CUI, recording the date received, source, and a designated custodian. All CUI media are placed in a locked metal cabinet in the IT office; only three employees (the IT manager, the program manager for that contract, and a designated backup) have keys. Before a developer can use a USB drive, they must sign it out on a printed log showing name, start time, and purpose; the developer returns the media at the end of the day and signs it back in. The firm also encrypts files copied to any portable drive and stores encryption keys on a centrally managed key store accessible only to authorized staff. The IT manager reviews the sign-out log weekly, immediately follows up on any overdue items, and updates the inventory after each use. When the project ends, the firm securely erases and physically destroys the media per its disposal procedure and documents the destruction in the inventory file.
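The sign-out/sign-in process from the implementation list and the firm example above, as an added illustration in Python (not code from NIST SP 800-171 or CMMC, and not a real product): the ledger refuses to sign CUI media out to anyone not on the authorization list, records every event for audit, and produces the custodian's review of overdue items and of media still held by someone whose authorization was removed after sign-out. The loan period, names, media identifiers and timestamps are constructed assumptions.

```python
# Added example (not NIST or CMMC text); all names, media IDs and times are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class MediaItem:
    media_id: str                        # inventory number printed on the CUI label
    custodian: str                       # person responsible for the item
    cui: bool = True                     # CUI marking
    holder: "str | None" = None          # who currently has it signed out
    due_back: "datetime | None" = None   # expected return, set at sign-out

class CustodyLedger:
    def __init__(self, authorized, items, loan_period=timedelta(hours=9)):
        self.authorized = set(authorized)          # access list, updated when roles change
        self.inventory = {i.media_id: i for i in items}
        self.loan_period, self.log = loan_period, []   # log rows: (when, event, media, who, purpose)

    def check_out(self, media_id, who, purpose, when):
        item = self.inventory[media_id]
        if item.cui and who not in self.authorized:      # the control's core check
            self.log.append((when, "DENIED", media_id, who, purpose))
            raise PermissionError(f"{who} is not authorized for CUI media {media_id}")
        if item.holder is not None:
            raise ValueError(f"{media_id} is already signed out to {item.holder}")
        item.holder, item.due_back = who, when + self.loan_period
        self.log.append((when, "OUT", media_id, who, purpose))

    def check_in(self, media_id, who, when):
        item = self.inventory[media_id]
        if item.holder != who:
            raise ValueError(f"{media_id} is not signed out to {who}")
        item.holder, item.due_back = None, None
        self.log.append((when, "IN", media_id, who, ""))

    def review(self, now):  # custodian review: overdue items, and holders de-authorized since sign-out
        out = [i for i in self.inventory.values() if i.holder]
        return {"overdue": sorted(i.media_id for i in out if i.due_back < now),
                "revoked_holder": sorted(i.media_id for i in out if i.holder not in self.authorized)}

def demo(now=datetime(2024, 3, 5, 10, 0)):
    t0 = now - timedelta(days=1, hours=2)            # yesterday 08:00 (constructed)
    items = [MediaItem(m, custodian="it_manager") for m in ("USB-001", "USB-002", "CD-001")]
    ledger = CustodyLedger({"it_manager", "pm", "dev_a"}, items)
    ledger.check_out("USB-001", "dev_a", "build test image", t0)
    ledger.check_out("USB-002", "pm", "client review", t0 + timedelta(hours=1))
    ledger.check_in("USB-002", "pm", t0 + timedelta(hours=3))
    ledger.check_out("CD-001", "pm", "archive copy", now - timedelta(hours=1))
    ledger.authorized.discard("dev_a")               # dev_a rolled off the contract after sign-out
    return ledger, ledger.review(now)
```

In the constructed scenario the review flags USB-001 both as overdue and as held by a de-authorized person, while CD-001, signed out an hour earlier to an authorized user, is not flagged.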
Summary
Limiting access to CUI on system media combines straightforward administrative steps (inventory, authorization lists, sign-in/out), physical controls (locked storage, limited keyholders), and technical measures (encryption, secure disposal). For SMBs, implementing these practical controls—backed by routine audits and clear handling procedures—reduces the risk of accidental disclosure and provides documented evidence that access to CUI is controlled and accountable.