CMMC Level 2Implementation GuideJuly 3, 2026· 10 min read
How to Implement CMMC Level 2 Media Protection (MP) Requirements
Media Protection is one of the larger CMMC domains with nine practices, and it covers something most people handle informally at best: what happens to CUI on USB drives, laptops, printouts, backup tapes, and any other medium that data touches on its way in and out of your systems. This guide breaks down each practice, the controls that satisfy it, and the evidence an assessor will ask for.
Why MP Gets Underestimated
People spend months hardening their network and then hand a contractor a USB drive with CUI on it. The MP domain exists because of exactly that moment.
The Media Protection domain covers the full lifecycle of media that contains CUI: how it is created, stored, transported, used, and ultimately destroyed. Nine practices sounds like a lot, but most of the controls are things a reasonably well-run IT environment should already be doing. The gap is usually documentation and enforcement, not the underlying technology.
What makes MP assessments uncomfortable is that the gaps tend to be visible and specific. An assessor who finds a box of old hard drives with no sanitization records, or discovers that USB drives are not blocked on workstations, has a clear finding that is hard to argue around. The domain rewards organizations that take media handling seriously with straightforward evidence to produce. It punishes those who have been winging it.
Scope reminder: MP applies to both digital and physical media. Paper documents containing CUI are system media under NIST SP 800-171. If your policy covers USB drives but says nothing about printed CUI, your policy is incomplete.
Practice-by-Practice Breakdown
3.8.1 + 3.8.2
Protect CUI media and limit access to authorized users
3.8.1 requires protecting system media containing CUI, both paper and digital. 3.8.2 requires limiting access to that media to authorized users only. Together these establish the baseline: CUI media must be stored securely and only accessible to people who are authorized to see the CUI it contains.
How to implement:
Physical CUI documents must be stored in locked storage when not in active use. Desk drawers with locks, locked filing cabinets, or a locked room are all acceptable. The key word is locked, not just closed
Digital media containing CUI (external drives, USB sticks, backup tapes) must be stored in locked cabinets or secure server rooms with access limited to authorized personnel
Access controls on file shares and cloud storage where CUI resides satisfy 3.8.2 for digital media at rest on network storage. This overlaps with AC domain controls
Maintain an inventory of removable media that contains CUI so you know what exists and where it is
Clean desk policy: workstations should not have CUI documents visible or accessible when the user is away
Common mistake: Assuming digital access controls satisfy 3.8.1 for physical media. If backup tapes or external drives containing CUI are sitting in an unlocked storage closet that anyone can enter, that is a finding regardless of the encryption on the drives.
3.8.3
Sanitize or destroy media before disposal or reuse
Somewhere in your organization there is a pile of old hard drives that nobody wants to deal with. 3.8.3 is the practice that forces the conversation.
Before any media is disposed of or repurposed, the CUI on it must be unrecoverable. The specific method depends on the media type.
Hard disk drives (HDD): NIST SP 800-88 compliant overwrite (multiple-pass write) or physical destruction (degaussing + shredding)
Solid state drives (SSD) and flash media: Cryptographic erase is the recommended method since overwriting is unreliable due to wear leveling. If the drive was encrypted, deleting the encryption key satisfies the requirement. Physical destruction is always acceptable
Optical media (CDs/DVDs): Physical destruction only. Reformatting does not sanitize optical media
Paper: Cross-cut shredding (DIN 66399 P-4 or higher, which produces particles no larger than 2mm x 15mm) or a certified destruction service
Document everything: Maintain sanitization records showing the date, the media identifier, the method used, and who performed the sanitization. These records are your primary evidence for 3.8.3
Common mistake: Using the "quick format" option and considering the drive clean. A quick format removes the file system index but leaves the data intact and trivially recoverable. It does not satisfy 3.8.3 for CUI media.
3.8.4
Mark media with CUI markings and distribution limitations
Physical media containing CUI must be marked to indicate its contents and handling requirements. This applies to both printed documents and physical digital media like external drives.
Printed CUI documents should include the CUI banner (header and footer) on every page. The standard marking is "CUI" in the header and footer, with any applicable category designation (e.g., "CUI // SP-CTI" for controlled technical information)
Physical media (USB drives, external drives, backup tapes) should be labeled with a CUI sticker or marking indicating the device may contain CUI
Email and electronic documents follow separate marking guidance, but any printouts of those documents inherit the marking requirement
If you are not sure what CUI marking applies to your specific contract data, your Contracting Officer Representative (COR) can clarify. The CUI Registry at archives.gov lists all approved categories and markings
Common mistake: Only marking documents created by the security team. CUI can appear in contracts, technical drawings, specifications, cost data, and correspondence. If it qualifies as CUI under your contract, the marking requirement applies regardless of who created it or which department owns it.
3.8.5 + 3.8.6
Control and protect CUI media during transport
3.8.5 requires controlling access to CUI media during transport and maintaining accountability. 3.8.6 requires cryptographic protection for CUI transported electronically unless protected by alternative physical safeguards.
For physical media transport (e.g., mailing a backup tape or hand-carrying a hard drive): use tamper-evident packaging, maintain a chain-of-custody log, and use trackable shipping methods with signature confirmation
For electronic transmission: encrypt CUI before transmission. Acceptable methods include: encrypted email (S/MIME or PGP), SFTP or HTTPS for file transfers, encrypted file containers (VeraCrypt, BitLocker-protected archives), or an approved secure file sharing platform
Unencrypted email is not an acceptable transport method for CUI. This includes forwarding CUI attachments through standard email without encryption
Document your approved transport methods in policy so the help desk and users know what is and is not acceptable
Common mistake: Emailing CUI documents unencrypted on the assumption that "it's internal." Internal email still traverses infrastructure and is not encrypted by default in most environments. If the CUI is going outside your organization, encryption is required. If it is staying internal, your AC and SC controls handle the protection requirement, but documenting that distinction matters.
3.8.7 + 3.8.8
Control removable media use and prohibit unidentified portable storage
3.8.7 requires controlling removable media on system components. 3.8.8 prohibits the use of portable storage devices without identifiable ownership.
The most common technical control for 3.8.7 is blocking USB storage via Group Policy (Windows) or MDM policy (Intune, Jamf). Block all storage-class USB devices by default, then allow exceptions for specific approved devices as needed
If complete blocking is not feasible, implement device control software (Endpoint Protector, Microsoft Defender Device Control, Ivanti Device Control) that restricts USB storage to approved, registered devices only
3.8.8 means you cannot allow employees to plug in personal USB drives, borrowed drives, or drives with no identifiable owner. Every approved removable media device should be tracked: who owns it, what it is used for, when it was issued
When removable media is approved for use, it should be encrypted (BitLocker To Go is a free Windows option) and the encryption requirement should be in your policy
Document exceptions. If a specific use case requires removable media, document the business justification, the approved device, and the controls in place
Common mistake: Blocking USB drives in policy but not technically. A policy that says "employees must not use personal USB drives" without any technical enforcement is not a control; it is a hope. Assessors will ask how this is enforced, and "we tell people not to" is a gap.
3.8.9
Protect the confidentiality of backup CUI at storage locations
Backups containing CUI must be protected at rest at the backup storage location, whether that is on-premises, offsite, or in the cloud.
Encrypt backup data at rest. Veeam, Azure Backup, Acronis, and most enterprise backup solutions support encryption of backup files and repositories. Enable it if you have not
Physical backup media (tapes, external drives) stored offsite must be stored in a secured location with access limited to authorized personnel
Cloud backup repositories must be encrypted at rest. Verify this in your cloud provider's settings, not just the backup software configuration
Access to backup repositories should follow least privilege. The backup service account should have only the permissions needed to write backups; restore permissions should be a separate, more restricted role
Document your backup encryption method and the location of backup storage in your policy. This is the evidence an assessor will look for
Common mistake: Encrypting production CUI data but not backup data. Encrypted backups of encrypted data are not automatically encrypted at the backup level. The backup repository itself must use encryption. Check your backup platform settings specifically, not just the source data encryption status.
Evidence Assessors Will Request
The MP domain tends to produce very concrete evidence requests. Plan for:
Practice
Evidence Expected
3.8.1 / 3.8.2
Media protection policy, physical storage inspection or photos, access logs for restricted storage areas, media inventory
3.8.3
Media sanitization records with date, device, method, and technician; vendor destruction certificates if using a service
3.8.4
Sample CUI documents showing header/footer markings; photos of labeled physical media
3.8.5 / 3.8.6
Transport procedure documentation; examples of encrypted file transfers; shipping records with chain of custody
3.8.7 / 3.8.8
Group Policy or MDM screenshots showing USB block; approved device inventory; exception documentation
Free tool worth using: NIST SP 800-88 "Guidelines for Media Sanitization" is a free publication that defines acceptable sanitization methods for every media type. If an assessor challenges your sanitization method, citing 800-88 compliance is the right response. Download it at csrc.nist.gov.
Need the Policy Document?
Our CMMC Level 2 Media Protection Policy template covers all 9 MP practices in formal policy language. Includes removable media controls, sanitization procedures, transport requirements, backup protection, and CUI marking requirements. Editable .docx, ready to customize in under an hour.
Yes. NIST SP 800-171 explicitly covers both digital and paper media containing CUI. Practice 3.8.1 requires protecting system media containing CUI, which includes printed documents and handwritten notes. Paper CUI must be stored securely, marked appropriately under 3.8.4, and disposed of through cross-cut shredding or a certified destruction service under 3.8.3.
Practice 3.8.7 requires controlling the use of removable media on system components. Most organizations implement this via Group Policy or endpoint management to block USB storage devices. Practice 3.8.8 prohibits the use of portable storage devices without an identifiable owner, meaning untracked personal USB drives on work systems are a violation. For CUI transport on removable media, 3.8.6 requires encryption.
Practice 3.8.3 requires sanitizing or destroying media before disposal or reuse. For HDDs, use NIST SP 800-88 compliant overwrite or physical destruction. For SSDs, cryptographic erase (if encrypted) or physical destruction. For paper, cross-cut shredding at DIN 66399 P-4 or higher. Document every sanitization event with date, device, method, and technician.
Practice 3.8.4 applies to any physical or portable digital medium containing CUI: printed documents, USB drives, external hard drives, CDs/DVDs, backup tapes, and removable SSDs. The marking should identify the content as CUI with any applicable handling caveats. Printed documents should include the CUI banner in the header and footer on every page.
Cloud storage is primarily addressed under System and Communications Protection (SC) and Access Control (AC). However, backup CUI in cloud environments is covered under 3.8.9, which requires protecting the confidentiality of backup CUI at storage locations. Cloud backups containing CUI must use encryption at rest, and the cloud service must be authorized within your system boundary.