Media protection is simpler than you think. You’re securing two types of media: paper and digital. An assessor walks into your office and they should never see a confidential document sitting on a desk or a USB drive left plugged in. That’s the baseline.
MP.L2-3.8.1 At a Glance
- Control physical access to all media containing CUI
- Protect digital media with encryption or physical safeguards
- Inventory and track media by classification and location
- Store media in locked containers when not in use
- Establish clear handoff procedures for media transport
What the assessor is actually evaluating
The assessor is checking four things. First, do you know where your CUI is? Can you point to a list of systems, storage locations, and devices that contain CUI? Second, is that media physically protected? Are confidential documents in a locked drawer or a locked file room? Third, who has access? Is it restricted to people who actually need it? Fourth, are there consequences if someone fails? Do you have incident reports or audit logs showing you caught unauthorized access attempts?
Cloud-heavy organizations usually have an easier time here. Your data is encrypted at rest by AWS or Azure or Google. You control access through IAM policies. But you still need to address physical media. That laptop with a corporate drive? That still needs encryption. That printer that holds a queue of confidential print jobs? That still needs to be in a secure area. Media protection ties to PE.L2-3.10.5 (controlling output devices) and SC.L2-3.13.1 (CUI boundary controls), and connects to broader access control frameworks in AC.L2-3.1.1 and AC.L2-3.1.2.
Small contractors sometimes feel invisible here. You might not have a dedicated file room. But the assessor is not looking for Fortune 500 infrastructure. They’re looking for evidence that you thought about the problem and did something reasonable. A locked filing cabinet is reasonable. A password-protected folder on a shared drive is reasonable. Leaving printed contracts visible on a receptionist desk is not.
What a realistic SSP definition looks like
Example SSP Language
"Organization protects CUI media through the following controls:
Physical Media: All paper documents containing CUI are stored in locked filing cabinets in the administrative office. Access is restricted to authorized personnel with a business need. Confidential documents are not left on desks at end of day. Old documents are collected in a locked shred bin for quarterly destruction. Printed materials are marked with CUI indicators per MP.L2-3.8.4.
Digital Media: All laptops and workstations containing CUI have full disk encryption enabled via BitLocker (Windows) or FileVault (Mac). External hard drives used for backups are encrypted with AES-256. USB devices are prohibited except where permitted by endpoint management policy. Mobile devices are managed through Intune or an equivalent MDM, with a requirement to wipe the device if it is lost.
Access Control: File permissions on shared drives are reviewed quarterly. Only team members with documented need to know have access to CUI folders. Contractors and vendors sign NDAs before receiving access. Access is logged and anomalies are reviewed monthly."
How to present your evidence
Evidence Checklist for MP.L2-3.8.1
- Media Inventory: List of all systems and storage devices containing CUI (workstations, servers, external drives, archives)
- Physical Security Photos: Locked file cabinets, locked office doors, badge access logs showing who entered secure areas
- Encryption Status: Report showing all laptops/desktops have full disk encryption enabled
- Access Policies: Documentation of which roles/people can access which media
- Destruction Logs: Records of shredding services or hard drive wiping (see MP.L2-3.8.3)
- Incident Reports: Any unauthorized access attempts and how they were caught
- Training Records: Staff trained on media handling and confidentiality
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
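The "Encryption Status" item above is the evidence assessors most often want in report form. Here is an added example (not from the original post) that builds one compliance record per Windows device from BitLocker's own status; it assumes the built-in BitLocker module is available and the script runs elevated on the endpoint, and the threshold it applies (XTS-AES-256, a TPM-bound protector, and an escrowable recovery password) is this example's assumption, not a requirement the page states. The output path is a placeholder.

```powershell
# Added example, not from the original post. Produces a per-device
# full-disk-encryption record suitable for an MP.L2-3.8.1 evidence CSV.
# Assumes: Windows with the BitLocker module (Get-BitLockerVolume),
# run elevated. The compliance threshold below is an assumption.
function Get-FdeComplianceRecord {
    $osVolume = Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' }

    if (-not $osVolume) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Compliant    = $false
            Findings     = 'BitLocker reports no operating system volume'
        }
    }

    # Key protector types, e.g. Tpm, TpmPin, RecoveryPassword, Password
    $protectors = @($osVolume.KeyProtector |
        ForEach-Object { $_.KeyProtectorType.ToString() })
    $tpmBound   = @($protectors | Where-Object { $_ -like 'Tpm*' })

    $findings = @()
    if ($osVolume.ProtectionStatus -ne 'On')         { $findings += 'Protection is off' }
    if ($osVolume.VolumeStatus -ne 'FullyEncrypted') { $findings += "Volume status is $($osVolume.VolumeStatus)" }
    if ($osVolume.EncryptionMethod -ne 'XtsAes256')  { $findings += "Cipher is $($osVolume.EncryptionMethod), expected XtsAes256" }
    if ($tpmBound.Count -eq 0)                       { $findings += 'No TPM-bound key protector' }
    if ($protectors -notcontains 'RecoveryPassword') { $findings += 'No recovery password protector to escrow' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Checked          = (Get-Date).ToString('s')
        MountPoint       = $osVolume.MountPoint
        ProtectionStatus = $osVolume.ProtectionStatus
        VolumeStatus     = $osVolume.VolumeStatus
        EncryptionMethod = $osVolume.EncryptionMethod
        KeyProtectors    = ($protectors -join ';')
        Compliant        = ($findings.Count -eq 0)
        Findings         = ($findings -join '; ')
    }
}

# Append this device's row to the shared evidence file (placeholder path).
# Run on every endpoint (for example via MDM/RMM) and the CSV is the report.
Get-FdeComplianceRecord |
    Export-Csv -Path '\\FILESERVER\Evidence\fde-compliance.csv' -Append -NoTypeInformation
```

Devices with a non-empty Findings column are the ones an assessor's spot check (asking an employee to open their device settings) would catch, so fix those before the assessment rather than explaining them in the room.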
What You'll Hear in the Assessment Room
Assessor: "Walk me through your media containing CUI. Where does it live?"
What works: "We have three places: our file servers in the data center, encrypted laptops in the field, and a locked filing cabinet in the back office. Here's the inventory." [Pull up spreadsheet]
Assessor: "I see you have laptops out there. How are they protected?"
What works: "Full disk encryption is enforced by policy. If someone loses a laptop, we wipe it remotely through MDM." [Pull up BitLocker/FileVault compliance report]
Assessor: "What about paper? I see a printer by the reception desk. Do confidential documents print there?"
What works: "No. Anything marked CUI prints to the secure printer in the administrative office. That room is badge-accessed and the printer is cleared daily." [Pull up printer logs and badge access records]
Assessor: "Show me your file room."
What works: [Walk them through the secured area. Show locked filing cabinets. Point to access log on the door. Show the shred bin.]
Common failures
Why Companies Fail MP.L2-3.8.1
- No one inventoried where CUI actually exists. The company doesn't know if there are copies of contracts on old laptops or in backup drives.
- Printed documents are not treated as CUI. Contracts sit on desks, get left in meeting rooms, or go into regular recycling bins instead of secure shredding.
- Laptops don't have encryption enabled. Spot check: assessor asks an employee to show them their device settings. Device is unencrypted.
- "We use cloud storage so we don't have physical media." Still fails because cloud storage is accessed on physical devices that need protection.
- File permissions are not restricted. Any employee can access any folder on the shared drive labeled CUI.
- Old backup drives are sitting in a closet. No one knows what's on them or when they'll be destroyed.
How to Pass MP.L2-3.8.1
- Create a simple inventory: system name, what CUI it contains, how it's protected, who owns it.
- Lock it down: encrypted drives for digital, locked cabinets for paper.
- Control access: only people who need to do their job can access it.
- Destroy it safely: shred old papers, wipe old drives. Get a certificate.
- Train staff: one quick session on "don't leave documents on your desk" goes a long way.
- Audit occasionally: walk around your office. Are there confidential documents in view? Are there USB drives lying around?
If you use an MSP/MSSP
Media Protection with Managed Service Providers
If your MSP manages your servers or cloud environment, confirm in writing who is responsible for media protection. Ask: How is data encrypted at rest? How is it encrypted in transit? Can you show me their data center security? If they manage endpoint encryption, get monthly compliance reports showing which devices are encrypted. If they handle backups, ask about their destruction procedures. You own the assessment, so you need to independently verify their controls through documentation and testing. Get their SOC 2 report or security questionnaire and attach it to your evidence.
Disclaimer: This guide is for educational purposes. CMMC Level 2 assessments are conducted by Authorized C3PAO partners. Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.