CMMC Level 2 Implementation Guide July 3, 2026 · 10 min read

How to Implement CMMC Level 2 Media Protection (MP) Requirements

Media Protection is one of the larger CMMC domains with nine practices, and it covers something most people handle informally at best: what happens to CUI on USB drives, laptops, printouts, backup tapes, and any other medium that data touches on its way in and out of your systems. This guide breaks down each practice, the controls that satisfy it, and the evidence an assessor will ask for.

Why MP Gets Underestimated

People spend months hardening their network and then hand a contractor a USB drive with CUI on it. The MP domain exists because of exactly that moment.

The Media Protection domain covers the full lifecycle of media that contains CUI: how it is created, stored, transported, used, and ultimately destroyed. Nine practices sounds like a lot, but most of the controls are things a reasonably well-run IT environment should already be doing. The gap is usually documentation and enforcement, not the underlying technology.

What makes MP assessments uncomfortable is that the gaps tend to be visible and specific. An assessor who finds a box of old hard drives with no sanitization records, or discovers that USB drives are not blocked on workstations, has a clear finding that is hard to argue around. The domain rewards organizations that take media handling seriously with straightforward evidence to produce. It punishes those who have been winging it.

Scope reminder: MP applies to both digital and physical media. Paper documents containing CUI are system media under NIST SP 800-171. If your policy covers USB drives but says nothing about printed CUI, your policy is incomplete.

Practice-by-Practice Breakdown

3.8.1 + 3.8.2

Protect CUI media and limit access to authorized users

3.8.1 requires protecting system media containing CUI, both paper and digital. 3.8.2 requires limiting access to that media to authorized users only. Together these establish the baseline: CUI media must be stored securely and only accessible to people who are authorized to see the CUI it contains.

How to implement:

Common mistake: Assuming digital access controls satisfy 3.8.1 for physical media. If backup tapes or external drives containing CUI are sitting in an unlocked storage closet that anyone can enter, that is a finding regardless of the encryption on the drives.

3.8.3

Sanitize or destroy media before disposal or reuse

Somewhere in your organization there is a pile of old hard drives that nobody wants to deal with. 3.8.3 is the practice that forces the conversation.

Before any media is disposed of or repurposed, the CUI on it must be unrecoverable. The specific method depends on the media type.

Common mistake: Using the "quick format" option and considering the drive clean. A quick format removes the file system index but leaves the data intact and trivially recoverable. It does not satisfy 3.8.3 for CUI media.

3.8.4

Mark media with CUI markings and distribution limitations

Physical media containing CUI must be marked to indicate its contents and handling requirements. This applies to both printed documents and physical digital media like external drives.

Common mistake: Only marking documents created by the security team. CUI can appear in contracts, technical drawings, specifications, cost data, and correspondence. If it qualifies as CUI under your contract, the marking requirement applies regardless of who created it or which department owns it.

3.8.5 + 3.8.6

Control and protect CUI media during transport

3.8.5 requires controlling access to CUI media during transport and maintaining accountability. 3.8.6 requires cryptographic protection for CUI transported electronically unless protected by alternative physical safeguards.

Common mistake: Emailing CUI documents unencrypted on the assumption that "it's internal." Internal email still traverses infrastructure and is not encrypted by default in most environments. If the CUI is going outside your organization, encryption is required. If it is staying internal, your AC and SC controls handle the protection requirement, but documenting that distinction matters.

3.8.7 + 3.8.8

Control removable media use and prohibit unidentified portable storage

3.8.7 requires controlling removable media on system components. 3.8.8 prohibits the use of portable storage devices without identifiable ownership.

Common mistake: Blocking USB drives in policy but not technically. A policy that says "employees must not use personal USB drives" without any technical enforcement is not a control; it is a hope. Assessors will ask how this is enforced, and "we tell people not to" is a gap.

3.8.9

Protect the confidentiality of backup CUI at storage locations

Backups containing CUI must be protected at rest at the backup storage location, whether that is on-premises, offsite, or in the cloud.

Common mistake: Encrypting production CUI data but not backup data. Encrypted backups of encrypted data are not automatically encrypted at the backup level. The backup repository itself must use encryption. Check your backup platform settings specifically, not just the source data encryption status.

Evidence Assessors Will Request

The MP domain tends to produce very concrete evidence requests. Plan for:

PracticeEvidence Expected
3.8.1 / 3.8.2Media protection policy, physical storage inspection or photos, access logs for restricted storage areas, media inventory
3.8.3Media sanitization records with date, device, method, and technician; vendor destruction certificates if using a service
3.8.4Sample CUI documents showing header/footer markings; photos of labeled physical media
3.8.5 / 3.8.6Transport procedure documentation; examples of encrypted file transfers; shipping records with chain of custody
3.8.7 / 3.8.8Group Policy or MDM screenshots showing USB block; approved device inventory; exception documentation
3.8.9Backup software configuration showing encryption enabled; backup storage location and access controls

Free tool worth using: NIST SP 800-88 "Guidelines for Media Sanitization" is a free publication that defines acceptable sanitization methods for every media type. If an assessor challenges your sanitization method, citing 800-88 compliance is the right response. Download it at csrc.nist.gov.

Need the Policy Document?

Our CMMC Level 2 Media Protection Policy template covers all 9 MP practices in formal policy language. Includes removable media controls, sanitization procedures, transport requirements, backup protection, and CUI marking requirements. Editable .docx, ready to customize in under an hour.

Download the MP Policy Template →

Frequently Asked Questions

Yes. NIST SP 800-171 explicitly covers both digital and paper media containing CUI. Practice 3.8.1 requires protecting system media containing CUI, which includes printed documents and handwritten notes. Paper CUI must be stored securely, marked appropriately under 3.8.4, and disposed of through cross-cut shredding or a certified destruction service under 3.8.3.
Practice 3.8.7 requires controlling the use of removable media on system components. Most organizations implement this via Group Policy or endpoint management to block USB storage devices. Practice 3.8.8 prohibits the use of portable storage devices without an identifiable owner, meaning untracked personal USB drives on work systems are a violation. For CUI transport on removable media, 3.8.6 requires encryption.
Practice 3.8.3 requires sanitizing or destroying media before disposal or reuse. For HDDs, use NIST SP 800-88 compliant overwrite or physical destruction. For SSDs, cryptographic erase (if encrypted) or physical destruction. For paper, cross-cut shredding at DIN 66399 P-4 or higher. Document every sanitization event with date, device, method, and technician.
Practice 3.8.4 applies to any physical or portable digital medium containing CUI: printed documents, USB drives, external hard drives, CDs/DVDs, backup tapes, and removable SSDs. The marking should identify the content as CUI with any applicable handling caveats. Printed documents should include the CUI banner in the header and footer on every page.
Cloud storage is primarily addressed under System and Communications Protection (SC) and Access Control (AC). However, backup CUI in cloud environments is covered under 3.8.9, which requires protecting the confidentiality of backup CUI at storage locations. Cloud backups containing CUI must use encryption at rest, and the cloud service must be authorized within your system boundary.

More CMMC Implementation Guides

🔒Access Controls (AC)Read → 📄Audit & Accountability (AU)Read → 🚨Incident Response (IR)Read → 🔧Maintenance (MA)Read → 👥Personnel Security (PS)Read → 🏠Physical Protection (PE)Read →
📫

Get the Free CMMC Level 2 Practice Checklist

No spam. Practical guidance on CMMC compliance and new resources when we publish them.