This post explains how to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MP.L2-3.8.2 by training staff and enforcing least privilege for media access so Controlled Unclassified Information (CUI) remains accessible only to authorized users and processes.
What MP.L2-3.8.2 requires (short)
Control MP.L2-3.8.2 requires organizations to ensure that access to media containing CUI is limited to authorized users and processes — and to take steps (training + technical enforcement) so those limits are understood and applied in day-to-day operations. The objective is to prevent unauthorized reading, copying, removal, or exfiltration of CUI carried on physical or electronic media.
Practical implementation steps for small businesses
Start with inventory and classification: identify all media types (file shares, laptops, removable drives, CDs, backups, cloud buckets) and mark which contain CUI. Assign data owners for each dataset who approve who may access the media. Map data flows so you know where CUI can be written to media (endpoints, printers, backup locations, cloud sync). For many small businesses, this can be a spreadsheet tied to a simple CMDB or your ticketing system.
Technical enforcement controls (actionable)
Implement least privilege using a combination of identity and endpoint controls. Examples:
- Use Active Directory groups or cloud IAM roles to grant read/write privileges only to named roles; never grant access to "Everyone" or other broad groups.
- Enforce disk and removable-media encryption (BitLocker, FileVault, LUKS) with corporate-managed keys. For removable drives, use BitLocker To Go or hardware-encrypted USB drives with company key escrow.
- Block or restrict USB storage at the OS/policy level: Group Policy -> Computer Configuration -> Administrative Templates -> System -> Removable Storage Access (deny read/write); on macOS use MDM (Jamf/Intune) to restrict external storage; on Linux use udev rules that ignore mass-storage devices, or USBGuard.
- Deploy Data Loss Prevention (DLP) to stop CUI leaving managed endpoints via email, web upload, or external drives (cloud DLP for O365/Google Workspace plus endpoint DLP agents).
- Apply least-privilege access control lists on file shares (NTFS and share permissions) and on cloud storage (S3 bucket policies). For cloud, write IAM policies that follow least privilege and use resource tagging to scope access through policy conditions.
- Implement logging and alerting: enable Windows event logs, Sysmon, and endpoint agent logs and forward them to a SIEM (or cloud logging) to detect unauthorized copy actions; monitor removable-media mount events and large file transfers.
Training and process controls (actionable)
Design role-based training that covers: what is CUI, how to identify labeled media, approved media handling procedures, removable media usage rules, encryption requirements, approval workflows, incident reporting steps, and consequences for noncompliance. Use scenario-based exercises: e.g., "You need to share a CUI file with a subcontractor for 48 hours — what do you do?" Require acknowledgement of policy during onboarding and annual recertification. Maintain training records and evidence (attendance logs, signed SOPs) for audits.
Approval workflows and temporary access
Implement an explicit approval workflow for granting access to media containing CUI. Small firms can use a ticketing system (Jira, ServiceNow, or even a controlled Google Form) that records approver identity, justification, duration, and a TTL (time-to-live) for access. Use Just-In-Time (JIT) access tools or manually enforce automatic expiration by scripting group membership removal after the approved window. Keep approval artifacts for compliance review.
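The logging-and-alerting control above and the time-limited approval workflow described here meet in one piece of glue logic: every removable-media event must be checked against a currently valid approval, and approvals whose TTL has passed must be revoked. The following is an added illustration written for this post, not code from any product; the approval records, users, hosts and the simplified one-JSON-object-per-line endpoint log format are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
import json

@dataclass(frozen=True)
class Approval:
    ticket: str        # approval record id from the ticketing system
    user: str
    approver: str
    starts: datetime
    expires: datetime  # TTL: access must be revoked after this instant

def ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-02T10:15:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed export of the approval log (hypothetical users and approvers).
APPROVALS = [
    Approval("TKT-101", "jdoe", "pm.lee", ts("2024-05-01T00:00:00Z"), ts("2024-05-03T00:00:00Z")),
    Approval("TKT-102", "asmith", "pm.lee", ts("2024-05-01T00:00:00Z"), ts("2024-06-01T00:00:00Z")),
]

# Constructed, simplified endpoint-agent records: one JSON object per line.
SAMPLE_LOG = """\
{"time":"2024-05-02T10:15:00Z","host":"LT-07","user":"jdoe","action":"removable_mount","bytes":0}
{"time":"2024-05-02T10:16:00Z","host":"LT-07","user":"jdoe","action":"removable_write","bytes":52428800}
{"time":"2024-05-04T09:00:00Z","host":"LT-07","user":"jdoe","action":"removable_mount","bytes":0}
{"time":"2024-05-04T09:02:00Z","host":"LT-12","user":"bwong","action":"removable_write","bytes":1048576}
{"time":"2024-05-05T14:00:00Z","host":"LT-03","user":"asmith","action":"removable_write","bytes":3221225472}
"""

def is_authorized(user, when, approvals):
    """True if some approval for `user` covers the instant `when` (end exclusive)."""
    return any(a.user == user and a.starts <= when < a.expires for a in approvals)

def analyze(log, approvals, large_bytes=1 << 30):
    """Return alerts: removable-media use without a valid approval, and large writes."""
    alerts = []
    for line in log.splitlines():
        ev = json.loads(line)
        if not ev["action"].startswith("removable_"):
            continue  # only media events matter for this control
        if not is_authorized(ev["user"], ts(ev["time"]), approvals):
            alerts.append(("unauthorized_media_access", ev["user"], ev["host"], ev["time"]))
        elif ev["action"] == "removable_write" and ev["bytes"] >= large_bytes:
            alerts.append(("large_transfer", ev["user"], ev["host"], ev["time"]))
    return alerts

def expired_approvals(approvals, now):
    """Tickets whose TTL has passed: feed these to the group-membership removal script."""
    return [a.ticket for a in approvals if a.expires <= now]
```

Run `analyze(SAMPLE_LOG, APPROVALS)` to see the expired jdoe approval and the never-approved bwong flagged, while asmith's approved but unusually large write raises a separate alert; `expired_approvals(APPROVALS, ts("2024-05-04T00:00:00Z"))` yields the ticket to revoke.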
Real-world small-business scenario
Example: A 25-person defense subcontractor uses Azure AD, Intune, and Office 365. Implementation steps:
1) Inventory: the team catalogs where CUI resides (SharePoint, local laptops, project backups).
2) Policy: the data owner for each project approves access lists.
3) Technical: Intune policies disable unauthorized USB storage, require BitLocker, and enforce endpoint DLP rules that block sharing of labeled CUI outside corporate domains.
4) Training: project staff receive a 30-minute role-based course demonstrating secure file transfer (SFTP, pre-signed S3 links, or secure SharePoint sharing) and must sign an attestation.
5) Enforcement: quarterly access reviews remove former contractors from AD groups; SIEM alerts triggered by a disabled DLP rule produce immediate ticketing and review.
This approach uses low-cost built-in tools but provides auditable enforcement and evidence for MP.L2-3.8.2.
Risks of not implementing least-privilege media controls
Failure to train and enforce least privilege exposes you to data loss and unauthorized disclosure: lost laptops or unencrypted USB drives with CUI, negligent sharing to personal cloud storage, or insiders copying data to home devices. Consequences include contract loss, regulatory penalties, reputational damage, and potential propagation of CUI to uncontrolled supply chain partners — all material risks for organizations handling DoD-related CUI.
Compliance tips and best practices
Keep it simple and auditable: document policies, maintain an access approval log, automate revocation, and retain training records. Use multi-factor authentication for access to file shares and cloud consoles. Adopt the Zero Trust mindset: verify every access request, minimize standing privileges, and require defense-in-depth (encryption + DLP + logging). Schedule quarterly access recertification and annual training. Consider a small PAM tool or AD delegation model for administrative tasks to reduce broad privileges. Finally, maintain sanitization procedures (NIST SP 800-88 guidance) for media disposal and document chain of custody for physical media transfers.
Summary: To satisfy MP.L2-3.8.2, combine policy, training, and technical enforcement: inventory and classify CUI media, provide role-based training and approval workflows, apply least-privilege controls via IAM, OS policies, encryption, and DLP, and keep logs and training records for audits. For small businesses, built-in OS controls, MDM, and cloud IAM combined with clear process and periodic reviews deliver strong, cost-effective compliance and materially reduce the risk of CUI exposure.