NIST 800-171 • LEVEL 2 • MEDIA PROTECTION

3.8.1 Media Storage

System media include digital and non-digital media. Digital media include diskettes, flash drives, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media include paper and microfilm. Physically controlling stored media includes conducting inventories, establishing procedures to allow individuals to check out and return media to libraries, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. Controlled areas provide physical and procedural controls to meet the requirements established for protecting information and systems. Sanitization techniques (e.g., destroying, cryptographically erasing, clearing, and purging) prevent the disclosure of CUI to unauthorized individuals. The sanitization process removes CUI from media such that the information cannot be retrieved or reconstructed.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • system media that contain CUI are physically controlled.
  • system media that contain CUI are securely stored.

Practitioner Notes

This is about where you keep media that contains CUI — USB drives, backup tapes, external hard drives, printed documents. If it has CUI on it, it needs to be stored securely with controlled access.

Example 1: Store removable media containing CUI (USB drives, external SSDs, backup tapes) in a locked safe or locking cabinet within a controlled-access room. Maintain a check-out/check-in log so you know who has what media at all times — a simple sign-out sheet next to the cabinet works.

Example 2: For digital media stored on network shares, restrict access using NTFS permissions and Active Directory security groups. Only members of a specific "CUI Media Handlers" group should have read/write access to the share where CUI backups or archives are stored.
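The NTFS and share permission model from Example 2, expressed as an administrator script with a verification step. This is an added example and not part of the page or of any NIST or CMMC publication; it assumes a domain NetBIOS name of CORP, an existing AD security group named "CUI Media Handlers", a folder at D:\CUI-Archive on the file server, and that it is run elevated on that server.

```powershell
# Added example (not from the page): provision a CUI archive folder and SMB share
# whose NTFS and share permissions are limited to one AD security group, then audit
# the resulting ACL for entries that would widen access.
# Assumptions (hypothetical): domain CORP, group "CUI Media Handlers" already exists,
# path D:\CUI-Archive, script run as a local administrator on the file server.

$Path      = 'D:\CUI-Archive'
$ShareName = 'CUI-Archive'
$Group     = 'CORP\CUI Media Handlers'

if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -ItemType Directory | Out-Null
}

$acl = Get-Acl -Path $Path
# Break inheritance and discard inherited ACEs so nothing granted on D:\
# (typically BUILTIN\Users read access) carries into the CUI folder.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Explicit allow list: the OS, local administrators, and the handler group only.
$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $Group;                   Rights = 'Modify' }
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share-level permissions are a second gate; keep them as narrow as the NTFS ACL.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -ChangeAccess $Group -FullAccess 'BUILTIN\Administrators' | Out-Null
}

function Test-CuiFolderAcl {
    # Returns a list of findings; an empty list means the ACL is restricted as intended.
    param([Parameter(Mandatory)][string]$FolderPath)

    $broadPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users',
        'NT AUTHORITY\INTERACTIVE'
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $folderAcl = Get-Acl -Path $FolderPath

    if (-not $folderAcl.AreAccessRulesProtected) {
        $findings.Add('Inheritance is enabled; parent ACEs can widen access')
    }
    foreach ($ace in $folderAcl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $who) {
            $findings.Add("Broad ACE: $who has $($ace.FileSystemRights)")
        }
        if ($ace.IsInherited) {
            $findings.Add("Inherited ACE present for $who")
        }
    }
    return $findings
}

$issues = Test-CuiFolderAcl -FolderPath $Path
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "ACL on $Path is restricted to SYSTEM, Administrators and $Group"
}
```

Run the script once to provision the share, then schedule `Test-CuiFolderAcl` on its own (for example as a daily task whose warnings feed the SIEM) so that a later inheritance change or an added "Everyone" entry is detected rather than discovered at assessment time. Membership of the "CUI Media Handlers" group should be reviewed on the same cadence as the physical check-out log in Example 1, since the group is the digital equivalent of that log.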