Skip to main content
NetStable
Level 2 MP.L2-3.8.1

Protect system media, both paper and digital

What It Means Why It Matters How to Implement Evidence SSP Guidance Assessment Common Mistakes

📖 What This Means

This practice requires organizations to safeguard both physical (paper) and digital media that contain Controlled Unclassified Information (CUI). It involves ensuring that media is properly labeled, stored securely, and transported safely. For digital media, this includes encryption and access controls. For paper media, it involves secure storage and disposal methods. The goal is to prevent unauthorized access, loss, or theft of sensitive information. For example, a company might encrypt USB drives containing CUI and store paper documents in locked cabinets accessible only to authorized personnel.

🎯 Why It Matters

Failure to protect system media can lead to data breaches, unauthorized access, and loss of sensitive information. For instance, in 2019, a contractor lost an unencrypted USB drive containing classified DoD data, leading to a significant security incident. Such breaches can result in hefty fines, reputational damage, and loss of contracts. From a DoD/CMMC perspective, this control is critical because it ensures that CUI remains secure throughout its lifecycle, mitigating risks associated with data exposure.

How to Implement

  1. 1. Encrypt all cloud storage volumes containing CUI using AES-256 encryption.
  2. 2. Implement access controls to restrict who can read/write to cloud storage.
  3. 3. Regularly audit cloud storage access logs for unauthorized access.
  4. 4. Use cloud provider tools (e.g., AWS KMS, Azure Key Vault) for managing encryption keys.
  5. 5. Ensure backups are encrypted and stored securely.
  6. 6. Monitor and log all access attempts to cloud storage.
  7. 7. Train staff on cloud security best practices.
⏱️
Estimated Effort
Implementation typically takes 2-3 days for initial setup, with ongoing monitoring and training requiring 1-2 hours per week.

📋 Evidence Examples

Media Handling Policy

Format: PDF
Frequency: Annually or when updated.
Contents: Document detailing procedures for labeling, storing, and transporting media.
Collection: Download from policy repository.

Encryption Configuration Screenshot

Format: PNG
Frequency: Once per setup.
Contents: Screenshot showing encryption settings for a USB drive.
Collection: Take screenshot during configuration.

Access Log Report

Format: CSV
Frequency: Monthly.
Contents: Log of access attempts to cloud storage.
Collection: Export from cloud provider dashboard.

Training Attendance Record

Format: Excel
Frequency: After each training session.
Contents: List of staff who attended media handling training.
Collection: Export from training system.

Sanitization Certificate

Format: PDF
Frequency: After each sanitization.
Contents: Certificate confirming proper sanitization of media.
Collection: Obtain from sanitization provider.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MP.L2-3.8.1 ("Protect system media, both paper and digital"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how CUI on media is protected throughout its lifecycle, including encryption, access controls, marking, transport procedures, sanitization methods, and accountability tracking. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MP.L2-3.8.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to protect system media, both paper and digital. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MP.L2-3.8.1 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to protect system media, both paper and digital. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MP.L2-3.8.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all removable media types within the CUI boundary
  • Document media storage locations (on-site, off-site)
  • Specify media sanitization and destruction methods
  • Ensure this control covers all systems within your defined CUI boundary where protect system media, both paper and digital applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Media Protection Policy
  • 📄 Media inventory database
  • 📄 Certificates of destruction
  • 📄 Transport chain-of-custody records
  • 📄 Evidence artifacts specific to MP.L2-3.8.1
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will check for CUI markings on media, verify encryption is enabled, review the media inventory for completeness, and examine destruction certificates.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Are all media containing CUI properly labeled?

✅ YES → Proceed to Q2
❌ NO → GAP: Implement labeling procedures for all media. Timeline: 1 week.
Remediation:
Develop and enforce a media labeling policy.

Question 2: Is digital media encrypted using AES-256 or equivalent?

✅ YES → Proceed to Q3
❌ NO → GAP: Encrypt all digital media. Timeline: 2 weeks.
Remediation:
Use tools like VeraCrypt or BitLocker to encrypt media.

Question 3: Are physical media stored in secure, locked cabinets?

✅ YES → Proceed to Q4
❌ NO → GAP: Secure physical media storage. Timeline: 1 week.
Remediation:
Purchase and install locked cabinets for media storage.

Question 4: Are access logs regularly audited for unauthorized access?

✅ YES → Proceed to Q5
❌ NO → GAP: Implement regular access log audits. Timeline: 1 week.
Remediation:
Set up a schedule for monthly access log reviews.

Question 5: Have all staff received training on media handling procedures?

✅ YES → Compliance confirmed.
❌ NO → GAP: Conduct media handling training. Timeline: 2 weeks.
Remediation:
Schedule and deliver mandatory training sessions.

⚠️ Common Mistakes (What Auditors Flag)

1. Unencrypted digital media

Why this happens: Lack of awareness or urgency.
How to avoid: Enforce encryption policies and provide staff training.

2. Mislabeled media

Why this happens: Inconsistent application of labeling procedures.
How to avoid: Develop clear labeling guidelines and conduct regular audits.

3. Insecure storage of physical media

Why this happens: Cost-cutting or oversight.
How to avoid: Invest in secure storage solutions and enforce usage.

4. Lack of access logs

Why this happens: Insufficient monitoring setup.
How to avoid: Enable logging features and schedule regular reviews.

5. Missing training records

Why this happens: Failure to document attendance.
How to avoid: Use a sign-in sheet or digital attendance tracker.

📚 Parent Policy

This practice is governed by the Media Protection Policy

View MP Policy →

📚 Related Controls

MP.L2-3.8.2 - Media Access Control MP.L2-3.8.3 - Media Storage MP.L2-3.8.4 - Media Transport MP.L2-3.8.5 - Media Sanitization
Previous
MA.L2-3.7.6
Back to MP
Next
MP.L2-3.8.2