NetStable
💾 8 Practices NIST 3.8.1 - 3.8.9

Media Protection Policy

Media Protection Domain (MP)

📖 What This Policy Covers

Media Protection controls how CUI is handled on portable and removable media, the physical objects that can walk out the door. This policy covers media encryption and physical security, access restrictions and tracking, CUI marking and labeling, secure storage (locked cabinets, off-site backups), transport controls (chain of custody, encrypted transfer), media sanitization and destruction (DoD 5220.22-M wipe, physical shredding), media accountability and inventory, and restrictions on personally-owned removable media.

Purpose

This policy ensures CUI on removable and portable media is encrypted and physically secured, media access is restricted and tracked, CUI media is properly marked and inventoried, media is sanitized before disposal or reuse, and transport of CUI media follows chain-of-custody procedures.

Scope

Applies to all physical and digital media containing CUI: USB drives, external hard drives, backup tapes, printed documents, CDs/DVDs, mobile devices, and cloud storage. Covers the full media lifecycle from creation through disposal.

🎯 Why It Matters

Lost or stolen media is a common cause of CUI exposure. A single unencrypted USB drive left in a parking lot can expose controlled defense information. Physical media is often overlooked in favor of network security, but assessors specifically check for CUI labeling, media inventories, and destruction certificates. Proper media controls are also required by DFARS for handling defense-related information.

🔐 Key Requirements

1. Media Protection & Encryption

All media containing CUI must be encrypted and physically secured.

  • Digital media encrypted (BitLocker, FileVault, VeraCrypt)
  • Physical media stored in locked cabinets or safes
  • Company-issued encrypted USB drives only

2. Media Access

Access to CUI media restricted and tracked.

  • Access restricted to authorized personnel only
  • Sign-in/sign-out sheet for physical media library
  • Manager approval required for media access

3. Media Marking

CUI media clearly labeled for identification.

  • Physical labels: 'CONTROLLED UNCLASSIFIED INFORMATION'
  • Digital labels in filenames/metadata
  • Red labels for consistent visual identification

4. Media Storage

Secure storage for CUI media on-site and off-site.

  • Locked cabinet in access-controlled room
  • Off-site backups encrypted (Iron Mountain, AWS S3 Glacier)
  • Monthly media inventory

5. Media Transport

Secure transport procedures for CUI media.

  • Encryption required before transport
  • Approved methods: company vehicle (locked), bonded courier (FedEx/UPS with signature), encrypted file transfer (SFTP, HTTPS)
  • Chain of custody form with tracking numbers
  • Prohibited: personal vehicles (without approval), unencrypted email, public cloud storage

6. Media Sanitization & Destruction

Proper sanitization before disposal, reuse, or release.

  • Hard drives/SSDs: 3-pass overwrite (DoD 5220.22-M) or physical destruction (shred, degauss)
  • USB drives: overwrite + physical destruction
  • Mobile devices: factory reset + encryption key destruction
  • Paper: cross-cut shred (minimum P-4 security level)
  • CDs/DVDs: physically destroy (shred or incinerate)
  • Certificate of destruction from contracted destruction services

7. Media Accountability

Track all removable media containing CUI.

  • Media inventory database: media ID, type, CUI classification, custodian, location, date issued/returned
  • Quarterly physical inventory verification

8. Media Use Restrictions

Prohibit personal media for CUI; company-issued only.

  • Personally-owned removable media prohibited for CUI
  • Company-issued media only: encrypted and tracked in inventory
  • Exception: written justification + CISO approval + issued encrypted device

👥 Roles & Responsibilities

CISO

  • Approve media protection exceptions
  • Approve media destruction procedures
  • Review media inventory quarterly

IT Department

  • Procure and issue encrypted media
  • Maintain media inventory database
  • Perform media sanitization
  • Configure USB port restrictions

Facilities / Physical Security

  • Maintain locked storage for CUI media
  • Manage media destruction vendor relationships
  • Coordinate media transport logistics

All Users

  • Never use personal USB drives for CUI
  • Return CUI media when no longer needed
  • Report lost or stolen media immediately
  • Follow CUI marking requirements

🛠️ Implementation Roadmap (6 Weeks)

1. Media Procurement & Labeling (Weeks 1-2)
  • Procure encrypted USB drives (IronKey, Apricorn)
  • Label all CUI media with approved markings
  • Create media inventory spreadsheet/database
  • Configure USB port restrictions via GPO/Intune (block unauthorized devices)

2. Processes & Procedures (Weeks 3-4)
  • Implement media check-out/check-in process
  • Deploy sanitization tools (DBAN, Blancco)
  • Establish media destruction vendor contract
  • Create chain-of-custody forms for media transport

3. Training & Audit (Weeks 5-6)
  • Train users on media handling procedures
  • Conduct initial media inventory audit
  • Test sanitization procedures on sample drives
  • Document all procedures and create quick-reference guides
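The roadmap step above calls for USB port restrictions via GPO/Intune. As an added example (not part of the NetStable template or its downloadable policy), the PowerShell below applies and verifies, on a single test host, the registry-backed policy that the Windows Group Policy setting "All Removable Storage classes: Deny all access" writes. The registry path and the Deny_All value name are the standard Windows policy location; the Get-Disk report assumes the host has the Storage module (Windows 8 / Server 2012 and later). Run it from an elevated session.

```powershell
# Added example (not from the NetStable policy template): set and verify the
# "All Removable Storage classes: Deny all access" policy on the local machine.
# The GPO/Intune setting named in the roadmap writes this same registry value;
# applying it here lets IT confirm behaviour on a test host before central
# deployment. Requires an elevated PowerShell session.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenyAll {
    param([switch]$Enable)
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    $value = if ($Enable) { 1 } else { 0 }
    # Deny_All = 1 blocks read, write and execute on every removable storage class
    Set-ItemProperty -Path $PolicyPath -Name 'Deny_All' -Value $value -Type DWord
}

function Test-RemovableStorageDenyAll {
    # Returns $true only when the policy key exists and Deny_All is 1
    if (-not (Test-Path $PolicyPath)) { return $false }
    $item = Get-ItemProperty -Path $PolicyPath -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Deny_All -eq 1)
}

function Get-RemovableDiskReport {
    # Lists USB-attached disks so the technician can confirm the deny policy
    # against a real device; assumption: the Storage module is available.
    Get-Disk | Where-Object BusType -eq 'USB' |
        Select-Object Number, FriendlyName, SerialNumber, Size, OperationalStatus
}

Set-RemovableStorageDenyAll -Enable
if (Test-RemovableStorageDenyAll) {
    Write-Output 'Removable storage Deny_All policy is set; re-plug the device or reboot for it to apply.'
} else {
    Write-Warning 'Policy value not set as expected; check that the session is elevated.'
}
Get-RemovableDiskReport | Format-Table -AutoSize
```

Deny_All blocks company-issued encrypted drives as well as personal ones, so it fits sites where CUI media never touches workstations. Permitting only the approved IronKey or Apricorn models while blocking everything else is done through the separate Device Installation Restrictions policy area (allow-listing the approved hardware IDs), which this example does not cover. After the setting is pushed centrally, confirm it landed on each host with gpresult or the Intune device status report rather than trusting the deployment console alone.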

Recommended Tools

  • IronKey / Apricorn encrypted USB drives
  • BitLocker / FileVault / VeraCrypt (encryption)
  • DBAN / Blancco (sanitization)
  • Iron Mountain (off-site storage and destruction)
  • Intune / GPO (USB port control)

📊 CMMC Practice Mapping

Practice ID   | Requirement                                   | Policy Section
MP.L1-3.8.1   | Protect media containing CUI                  | 1
MP.L2-3.8.2   | Limit access to CUI media                     | 2
MP.L1-3.8.3   | Sanitize/destroy CUI media                    | 6
MP.L2-3.8.4   | Mark media with CUI indicators                | 3
MP.L2-3.8.5   | Control CUI media during transport            | 5
MP.L2-3.8.6   | Implement accountability for CUI media        | 7
MP.L2-3.8.7   | Control use of removable media                | 4, 8
MP.L2-3.8.8   | Prohibit portable storage without owner       | 8

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Media Inventory

Format: Excel
Frequency: Quarterly audit
Contents: All removable media with CUI: ID, type, custodian, location, status
Tip: Include both active and disposed media. Mark disposed items with destruction date and certificate reference.

Certificates of Destruction

Format: PDF
Frequency: Per destruction event
Contents: Vendor-issued certificates for destroyed media from last 12 months
Tip: Keep certificates indefinitely. Include serial numbers of destroyed drives.

Media Sanitization Log

Format: Excel
Frequency: Per event
Contents: Devices sanitized: serial number, method, date, technician name
Tip: Document the specific sanitization method (DoD 5220.22-M 3-pass, physical destruction, etc.).
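The Media Inventory and Media Sanitization Log artifacts above are only convincing to an assessor if they agree with each other. As an added example (not part of the NetStable template), the PowerShell below cross-checks an inventory export against the sanitization log: active media must have a custodian and a physical verification within the quarterly window (90 days), and disposed media must carry a destruction date, a certificate reference, and a matching sanitization entry. The column names and the sample rows are constructed for illustration; the assumption that the log records the inventory MediaID as the serial number is labeled in the code.

```powershell
# Added example (not from the NetStable policy template): reconcile a media
# inventory export with the sanitization log before an assessment.
# Column names are an assumption for illustration; map them to your spreadsheet.
# Sample data is constructed inline so the script runs offline.

$InventoryCsv = @'
MediaID,Type,Custodian,Location,Status,LastVerified,DestructionDate,CertificateRef
USB-0001,Encrypted USB,J. Doe,Cabinet A1,Active,2024-03-15,,
USB-0002,Encrypted USB,,Cabinet A1,Active,2023-11-02,,
HDD-0007,External HDD,R. Lee,Off-site vault,Active,2024-02-20,,
USB-0003,Encrypted USB,J. Doe,Cabinet A1,Disposed,2024-01-10,2024-01-10,CERT-2024-0042
TAPE-0012,Backup tape,R. Lee,Off-site vault,Disposed,2023-12-01,,
'@

$SanitizationCsv = @'
SerialNumber,Method,Date,Technician
USB-0003,Physical destruction (vendor),2024-01-10,M. Chen
'@

function Get-MediaInventoryFindings {
    param(
        [string]$InventoryText,
        [string]$SanitizationText,
        [datetime]$AsOf,
        [int]$VerificationWindowDays = 90   # quarterly physical verification
    )
    $inventory    = $InventoryText    | ConvertFrom-Csv
    $sanitized    = $SanitizationText | ConvertFrom-Csv
    $wipedSerials = @($sanitized | ForEach-Object { $_.SerialNumber })
    $findings     = @()

    foreach ($item in $inventory) {
        if ($item.Status -eq 'Active') {
            # Active CUI media must have an accountable custodian
            if ([string]::IsNullOrWhiteSpace($item.Custodian)) {
                $findings += [pscustomobject]@{ MediaID = $item.MediaID; Finding = 'Active media with no custodian' }
            }
            # ...and a physical verification inside the quarterly window
            $lastVerified = [datetime]::ParseExact($item.LastVerified, 'yyyy-MM-dd', $null)
            if (($AsOf - $lastVerified).TotalDays -gt $VerificationWindowDays) {
                $findings += [pscustomobject]@{ MediaID = $item.MediaID; Finding = "Not physically verified in the last $VerificationWindowDays days" }
            }
        }
        elseif ($item.Status -eq 'Disposed') {
            # Disposed media needs a destruction date and a certificate reference
            if ([string]::IsNullOrWhiteSpace($item.DestructionDate) -or
                [string]::IsNullOrWhiteSpace($item.CertificateRef)) {
                $findings += [pscustomobject]@{ MediaID = $item.MediaID; Finding = 'Disposed media missing destruction date or certificate reference' }
            }
            # ...and a sanitization log entry (assumption: the log's SerialNumber
            # column holds the inventory MediaID)
            if ($wipedSerials -notcontains $item.MediaID) {
                $findings += [pscustomobject]@{ MediaID = $item.MediaID; Finding = 'Disposed media has no sanitization log entry' }
            }
        }
    }
    return $findings
}

$report = Get-MediaInventoryFindings -InventoryText $InventoryCsv `
                                     -SanitizationText $SanitizationCsv `
                                     -AsOf ([datetime]'2024-04-01')
$report | Format-Table -AutoSize
```

Against real exports, replace the here-strings with Get-Content on the CSV files saved from Excel and set -AsOf to the audit date. Each finding maps to a gap an assessor would raise under 3.8.3 or 3.8.6, so running this before the quarterly inventory verification turns the spreadsheet into a checked record rather than a list.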

Transport Logs / Chain of Custody

Format: PDF
Frequency: Per transport event
Contents: Chain of custody forms with signatures for last 12 months
Tip: Include tracking numbers from courier services. Show continuous chain of custody.

Photos of Labeled Media

Format: PNG
Frequency: Annual
Contents: Photos showing CUI markings on USB drives, cabinets, and storage areas
Tip: Take photos during inventory audits. Show both the CUI label and the storage location security.

⚠️ Common Gaps (What Assessors Flag)

1. No CUI markings on media

Why this happens: Nobody thought to label USB drives or file folders as CUI.
How to close the gap: Purchase CUI label stickers. Apply to all CUI media during your inventory audit. Add CUI prefixes to digital filenames.

2. Personal USB drives used for CUI

Why this happens: Employees use personal drives for convenience. No USB port restrictions in place.
How to close the gap: Block unauthorized USB devices via GPO/Intune. Issue company encrypted drives. Train users on the prohibition.

3. No media destruction certificates

Why this happens: IT staff wipes drives themselves but doesn't document it, or throws drives in the trash.
How to close the gap: Contract with a certified destruction vendor (Iron Mountain, Shred-it). For in-house sanitization, create a log template and document every wipe.

4. No media inventory

Why this happens: Nobody tracks which USB drives or external drives contain CUI.
How to close the gap: Start a spreadsheet. During your next team meeting, have everyone report CUI media they possess. Assign asset tags to each item.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO

Example: Jane Smith

Customization Tips

  • 💡 Specify your exact approved USB drive models (IronKey D300, Apricorn Aegis, etc.)
  • 💡 Include your media destruction vendor name and contract details
  • 💡 If your organization is fully cloud-based, note which physical media requirements are N/A and why
  • 💡 Document your specific CUI label format (text, color, size)

📚 Related Policies