This practice is less complicated than assessors make it sound. You need two things: a list of who should access what, and proof that your file permissions match that list. That’s it. Media access controls complement MP.L2-3.8.1 (overall media protection) and link to AC.L2-3.1.1 and AC.L2-3.1.2 for access control across the organization.
MP.L2-3.8.2 At a Glance
- Document which roles need access to which CUI media
- Implement role-based access controls on file shares
- Restrict physical access to media to authorized users
- Review access permissions quarterly
- Remove access immediately when someone changes roles or leaves
What the assessor is actually evaluating
The assessor wants to see a clear connection between your organizational roles and access rights. A junior accountant should not be able to read executive strategy documents. A developer should not have access to HR records. This is common sense, but you need to prove you’ve thought about it and implemented controls.
Here’s the approach. First, you list your roles: Sales, Engineering, Finance, Operations, etc. Second, you list what CUI each role needs to do their job. Third, you set file permissions to match. Finally, you review those permissions periodically to make sure they still make sense.
Cloud storage complicates this slightly because permissions live in multiple places. You have Active Directory groups, you have folder-level permissions on your file share, you have access controls in Google Drive or OneDrive or SharePoint. The assessor will ask you to show all three and prove they’re aligned. Don’t guess. Pull up the actual settings.
Small contractors can keep this simple. You might have three roles: Admin, Sales, and Operations. Admin sees everything. Sales sees proposals and contacts. Operations sees delivery schedules. Document it in a one-page matrix. That’s your evidence.
What a realistic SSP definition looks like
Example SSP Language
"Organization implements role-based access controls to limit access to CUI media as follows:
Role Definition: Employees are assigned one of five roles based on job function: Executive, Finance, Sales, Engineering, Operations.
Access Matrix: Each role has documented need-to-know for specific CUI categories (contracts, financial reports, source code, client lists). Executive accesses all CUI. Finance accesses financial reports and contracts only. Sales accesses proposals, contracts, and client lists. Engineering accesses source code and technical specifications. Operations accesses delivery schedules and client contact lists.
Implementation: Active Directory security groups correspond to these roles. File shares use folder-level permissions restricting access to appropriate groups. OneDrive for Business restricts sharing to within the organization. Cloud-based documents use sharing links that expire after 30 days.
Review Process: In Q1 and Q3, each department manager reviews their team's access permissions and certifies that they remain appropriate. Any changes due to new hires, role changes, or departures are implemented within 2 business days. Audit logs show all access grants and revocations."
How to present your evidence
Evidence Checklist for MP.L2-3.8.2
- Role-Based Access Matrix: Simple spreadsheet showing roles and what CUI categories they access
- Active Directory Groups: List of security groups and their members
- File Share Permissions: Screenshots showing which groups have access to which folders (groups, not individual users)
- Cloud Storage Sharing Settings: Documentation of OneDrive/SharePoint/Google Drive sharing restrictions
- Access Review Records: Signed-off quarterly reviews confirming access is still appropriate
- Change Log: Log of access grants and revocations, with business justification
- Incident Records: Documentation of any unauthorized access attempts and remediation
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
What You'll Hear in the Assessment Room
Assessor: "Show me your role-based access controls for CUI."
What works: "We have five roles with documented access. Here's the matrix showing which roles access which CUI." [Pull up spreadsheet]
Assessor: "Let's verify. Can a junior accountant read contracts?"
What works: "No. Contracts are in an AD group called Finance_Contracts. The junior accountant is in Finance_Reports only." [Show group memberships]
Assessor: "I want to see the actual permissions on your file server."
What works: [Connect to server, open file properties, show NTFS permissions] "The folder is restricted to the Finance_Contracts group. Only those members can open it."
Assessor: "How often do you review these permissions?"
What works: "Twice a year. Here's our Q1 and Q3 access reviews, signed by managers confirming the access is still needed." [Pull up dated review documents]
Assessor: "What happens when someone leaves?"
What works: "We have a checklist. When an employee leaves, we remove them from all AD groups within 24 hours and delete their user account." [Pull up offboarding checklist]
Common failures
Why Companies Fail MP.L2-3.8.2
- No role-based access matrix. Everyone asks the same question: "I need access to the shared drive," and the answer is "sure, here you go."
- Permissions are set on individual users, not groups. When someone leaves, you forget to remove them from three different shares.
- "Everyone needs to see everything." Sales argues they need contracts, so they get access to all contracts, which includes HR agreements and employee salaries.
- No evidence of reviews. You say you review access quarterly, but there are no signed documents showing it actually happened.
- Physical access is not restricted. The file room is locked, but everyone has the key or the door code.
- Cloud storage has overly broad sharing. All employees can add anyone to shared drives, and shared drives are set to "view access for all authenticated users."
How to Pass MP.L2-3.8.2
- Create a simple access matrix. Five columns: Role, Financial CUI, Customer CUI, Technical CUI, Internal Strategy. Check boxes for what each role needs.
- Use groups, not individual permissions. Security groups in Active Directory make this automatic and scalable.
- Document business need. When someone needs access, write it down. "Sales needs contracts for quote generation." Done.
- Review twice a year. Pick two dates. Send a form to managers asking "is this access still needed?" They sign it. You're done.
- Log changes. Keep a changelog. When you add or remove someone, date it and note why.
- Test it. Pull a random employee file. Verify they can access only what their role needs. Verify they cannot access other departments' CUI.
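The "test it" step above, as an added PowerShell example (not from the article): it walks the NTFS ACL on each CUI folder and flags any entry that is not an AD security group, or is a group the access matrix does not authorize for that folder, producing a dated drift report for the review packet. The share paths and the folder-to-group mapping are assumptions; the group names Finance_Contracts and Finance_Reports are taken from the page.

```powershell
# Added example, not from the article: compare the NTFS ACLs on CUI folders
# against the documented access matrix and report drift for the review packet.
# Assumes RSAT's ActiveDirectory module; the share paths and the folder-to-group
# mapping are hypothetical, the group names come from the article.
Import-Module ActiveDirectory

# Access matrix: folder -> AD security groups authorized to hold ACEs on it.
$AccessMatrix = @{
    '\\fs01\CUI\Contracts'        = @('Finance_Contracts')
    '\\fs01\CUI\FinancialReports' = @('Finance_Reports', 'Finance_Contracts')
}

# Principals present on every folder that are not CUI roles and are ignored.
$SystemPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-CuiFolderAcl {
    param([string]$Path, [string[]]$AllowedGroups)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny') { continue }   # deny ACEs grant nothing
        $id = $ace.IdentityReference.Value
        if ($SystemPrincipals -contains $id) { continue }
        $sam = $id.Split('\')[-1]
        $finding = $null
        if (-not (Get-ADGroup -Filter "SamAccountName -eq '$sam'")) {
            # Failure mode from the article: rights granted to a user (or to
            # Everyone / Authenticated Users), which offboarding and reviews miss.
            $finding = 'Principal is not an AD security group'
        } elseif ($AllowedGroups -notcontains $sam) {
            # A real group, but one the access matrix does not authorize here.
            $finding = 'Group not authorized for this folder in the access matrix'
        }
        if ($finding) {
            [pscustomobject]@{
                Folder    = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Finding   = $finding
            }
        }
    }
}

$report = foreach ($folder in $AccessMatrix.Keys) {
    Test-CuiFolderAcl -Path $folder -AllowedGroups $AccessMatrix[$folder]
}
# Dated CSV goes into the review packet; an empty report is the desired result.
$report | Export-Csv -NoTypeInformation -Path ".\CUI-ACL-Drift-$(Get-Date -Format yyyy-MM-dd).csv"
$report | Format-Table -AutoSize
```

Run it from an account that can read the folder ACLs and query AD, and file the CSV alongside the signed manager review so the evidence shows both the decision and the verified permissions.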
If you use an MSP/MSSP
Media Access with Managed Service Providers
If your MSP manages Active Directory or file shares, you need to own the access decisions. The MSP implements what you tell them, but you document the business need. Request quarterly reports showing current group memberships and file permissions. Confirm they have change control procedures: no one adds themselves to a group without approval. Ask how they handle offboarding. Get a signed agreement that covers access restriction requirements and incident response if someone accesses something they shouldn't. You remain responsible even if they manage the infrastructure.
Disclaimer: This guide is for educational purposes. CMMC Level 2 assessments are conducted by Authorized C3PAO partners. Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.