NIST 800-171 • LEVEL 2 • MEDIA PROTECTION
3.8.2 — Media Access
System media include digital and non-digital media. Access to CUI on system media can be restricted by physically controlling such media. This includes conducting inventories, ensuring that procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for stored media. For digital media, access to CUI can be restricted by using cryptographic means. Encrypting data in storage or at rest is addressed in [03.13.08](#/cprt/framework/version/SP_800_171_3_0_0/home?element=03.13.08).
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- access to CUI on system media is restricted to authorized personnel or roles.
Practitioner Notes
This practice focuses on limiting who can access media containing CUI. Think of it as the access control layer on top of the secure storage from 3.8.1.
Example 1: Use a Group Policy Object to restrict removable storage device access. Under Computer Configuration > Administrative Templates > System > Removable Storage Access, set "All Removable Storage classes: Deny all access" for standard users, and only allow access for accounts in a specific security group that handle CUI media.
Example 2: For physical (non-digital) media like printed CUI documents, keep them in a locked file cabinet inside a room with badge-reader access control. Limit badge access to personnel whose roles require handling CUI documents, and review the access list at least quarterly.
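One way to collect evidence on an endpoint that the Example 1 policy is in effect (an added example, not part of the original guidance). It assumes the setting is stored as the `Deny_All` DWORD under the `RemovableStorageDevices` policy key in the machine and user hives; the function name `Get-RemovableStorageDenyAll` is hypothetical.

```powershell
# Added example: report whether "All Removable Storage classes: Deny all access"
# is in effect for this computer and for the signed-in user.
# Assumption: the policy is stored as the DWORD value Deny_All (1 = enabled)
# under the RemovableStorageDevices policy key in HKLM and HKCU.

$subKey = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$scopes = [ordered]@{
    Computer = "HKLM:\$subKey"
    User     = "HKCU:\$subKey"
}

# Hypothetical helper: returns 'Denied', 'Allowed' or 'NotConfigured' for one hive.
function Get-RemovableStorageDenyAll {
    param([Parameter(Mandatory)][string]$Path)

    # A missing key or value means the policy is not configured for that scope.
    if (-not (Test-Path -LiteralPath $Path)) { return 'NotConfigured' }
    $item = Get-ItemProperty -LiteralPath $Path -Name 'Deny_All' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.Deny_All -eq 1) { return 'Denied' }
    return 'Allowed'
}

# One row per scope, with host and account recorded so the output can be
# filed as assessment evidence.
$report = foreach ($scope in $scopes.GetEnumerator()) {
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        UserName     = "$env:USERDOMAIN\$env:USERNAME"
        Scope        = $scope.Key
        DenyAll      = Get-RemovableStorageDenyAll -Path $scope.Value
    }
}
$report | Format-Table -AutoSize

# Removable storage is blocked if either scope has the policy enabled.
$blocked = @($report | Where-Object DenyAll -eq 'Denied').Count -gt 0
if ($blocked) {
    'RESULT: removable storage access is denied for this session.'
} else {
    'RESULT: removable storage access is NOT restricted by this policy.'
}
```

Run it once as a standard user and once as a member of the security group that handles CUI media, and compare the results against how the GPO is scoped.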