Deretti Cyber Labs CMMC Desk · Domains · Media Protection

Media protection.

What happens to CUI once it leaves the screen.

Media Protection is 9 of Level 2’s 110 requirements — the family for CUI that has stopped being an abstraction on a network and become a physical or portable thing: a drawing on paper, a backup tape, a USB drive, a hard disk pulled from a retired laptop. MP governs how that thing is marked, stored, moved, and eventually destroyed, from the moment it’s created to the moment it’s gone for good.

This page explains the family. It does not replace the requirement text or assessment objectives.

01What this family protects

Media Protection protects CUI at the points where it’s easiest to walk away with — a printed drawing left on a desk, a backup drive in a bag, a decommissioned laptop’s hard disk headed for the dumpster. Network controls don’t reach any of these; MP is what does.

02The rule says

All 9 requirements, condensed to their operative sentence. NIST SP 800-171 Rev. 2 §3.8 has the full text and discussion for each; Source Library covers when to open it.

The 9 Media Protection requirements of NIST SP 800-171 Revision 2
§Requirement
3.8.1Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.8.2Limit access to CUI on system media to authorized users.
3.8.3Sanitize or destroy system media containing CUI before disposal or release for reuse.
3.8.4Mark media with necessary CUI markings and distribution limitations.
3.8.5Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.7Control the use of removable media on system components.
3.8.8Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9Protect the confidentiality of backup CUI at storage locations.

03In practice

Physical control and access (3.8.1–3.8.2). Media containing CUI — paper or digital — gets physically secured (a locked drawer, cabinet, or media library) and access limited to people who are actually authorized, with some form of accountability for what’s checked out and returned.

Disposal and marking (3.8.3–3.8.4). Before media is thrown away or handed off for reuse, it’s sanitized or destroyed so the information can’t be recovered — deleting a file isn’t sanitization. Media that holds CUI also gets marked, so a drive or folder doesn’t look identical to one that doesn’t.

Transport and encryption (3.8.5–3.8.6). Media moving outside a controlled area — a courier run, a drive mailed to a client — has both accountability (who has it, where it’s going) and, for digital media, encryption unless an equivalent physical safeguard is in place instead.

Removable media and backups (3.8.7–3.8.9). Organizations decide what portable devices are allowed to touch systems at all — a flash drive with no identifiable owner isn’t allowed to touch anything (3.8.8) — and backups containing CUI get the same confidentiality protection at rest as the live data they were copied from.

04Where it fails

The gap here is usually sanitization (3.8.3): a retired laptop or failed drive goes to e-waste or gets handed to a new employee with the old data still recoverable, because deleting the files felt like enough. It isn’t — deletion and sanitization are different operations, and the requirement’s own discussion is explicit that clearing, purging, or destruction is what actually removes the information.

A close second is unmanaged removable media (3.8.7–3.8.8): USB ports left open on every workstation, with no policy or technical control on what plugs in, because restricting them feels like it would slow people down.

05What evidence may look like

A media inventory or check-out log for physical CUI storage; a sanitization record for disposed or reused media, ideally naming the method used; markings visible on media that holds CUI; encryption configuration or a documented physical-safeguard alternative for media in transport; and a device policy or technical control showing what removable media is permitted and what isn’t.

06At the shop

At the shop

Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard’s engineering drawings live mostly on the CAD server, but printed shop-floor copies get filed in a locked cabinet at day’s end rather than left at workstations overnight. When the old file server’s backup drives were retired last year, the MSP ran them through a degaussing service before disposal and kept the certificate of destruction in the same folder as the SSP. USB ports on shop-floor terminals are disabled by policy — only the front-office machines have them enabled, and only for a short list of company-owned drives.

07Commonly confused with

System & Communications Protection (SC). MP’s encryption requirement (3.8.6) covers CUI on media during transport; SC’s encryption requirement (3.13.11) covers CUI more broadly, including in transit over networks and — per its own POA&M exception — at rest. The two overlap in intent but apply to different situations. See System & Communications Protection.

09Sources

Primary sources for the Media Protection family
DocumentWhat it’s for
NIST SP 800-171 Rev. 2, §3.8Full requirement text and discussion for all 9 MP requirements.
NIST SP 800-171AAssessment objectives — how an assessor determines MET for each MP requirement.
NIST SP 800-88Guidance on media sanitization methods, cited in the rule’s own discussion of 3.8.3.
32 CFR 170.4Defines “CMMC Level 2 security requirement” and ties the 800-171 R2 families to the CMMC Program.