Limit access to CUI on system media to authorized users
What This Means
This practice means ensuring only approved personnel can access physical or digital media (like hard drives, USBs, or cloud storage) containing Controlled Unclassified Information (CUI). It's like the key to a locked file cabinet: only those who need the documents for their job should have it. For example, an engineer working on a DoD contract should have access to project files on a server, but the accounting team shouldn't unless it's necessary for their work. Another example: USB drives with CUI should be stored in a locked safe and only checked out to authorized users with a documented need.
Why It Matters
Unauthorized access to CUI media can lead to data breaches, espionage, or accidental leaks. In 2020, a defense contractor lost a USB drive containing sensitive missile data in a parking lot, exposing weaknesses in its media access controls (DoD OIG report). The average cost of a data breach in defense is $4.2M (IBM Security). CMMC requires this control because the DoD needs assurance that CUI isn't exposed to unauthorized individuals, whether through careless handling or malicious intent. Without strict access limits, even trusted employees might inadvertently share or lose critical data.
How to Implement
1. Use IAM roles in AWS/Azure/GCP to grant least-privilege access to CUI storage (e.g., S3 buckets, Blob Storage). Example: grant the 's3:GetObject' permission only to cleared users.
2. Enable encryption at rest (e.g., AWS KMS, Azure Storage Service Encryption) and require MFA for access.
3. Apply resource tags (e.g., 'CUI=true') and automate access reviews using tools like AWS Config or Azure Policy.
4. Restrict sharing links (e.g., OneDrive/Google Drive) to internal users only, with expiration dates.
5. Log all access attempts to cloud storage via services like AWS CloudTrail or Azure Monitor.
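Added example (not code from this guide): a small Python access-review check in the spirit of steps 1, 2, 3 and 5, run over a constructed S3 bucket policy and bucket-tag set. It flags any Allow statement that reaches a bucket tagged CUI=true with a public principal or with object-read access that is not gated on MFA. Bucket names, the account ID and the role name are placeholders.

```python
# Constructed sample data (not from the guide): bucket tags as an access review would
# pull them, plus a bucket policy with one weak and one hardened statement.
BUCKET_TAGS = {"cui-project-files": {"CUI": "true"}, "marketing-site": {"CUI": "false"}}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",  # the weak statement
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cui-project-files/*"},
        {"Sid": "ClearedEngineers", "Effect": "Allow",  # the hardened statement
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/CUI-Engineers"},  # placeholder account/role
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::cui-project-files", "arn:aws:s3:::cui-project-files/*"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "SiteRead", "Effect": "Allow", "Principal": "*",  # public, but bucket is not CUI
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-site/*"},
    ],
}
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}  # actions that expose object contents


def as_list(value):  # IAM lets most policy fields be a string or a list; normalise to a list
    return value if isinstance(value, list) else [value]


def bucket_of(arn):
    """'arn:aws:s3:::name/key' or 'arn:aws:s3:::name' -> 'name'."""
    return arn.split(":::", 1)[1].split("/", 1)[0]


def is_public(principal):
    """True for Principal '*' or {'AWS': '*'}, i.e. anonymous access."""
    return principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))


def requires_mfa(statement):
    """True when the statement is gated on aws:MultiFactorAuthPresent being true."""
    cond = statement.get("Condition", {}).get("Bool", {})
    return str(cond.get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def review_policy(policy, bucket_tags):
    """Map Sid -> list of issues for Allow statements that reach a bucket tagged CUI=true."""
    findings = {}
    for st in (s for s in policy["Statement"] if s.get("Effect") == "Allow"):
        if not any(bucket_tags.get(bucket_of(r), {}).get("CUI") == "true" for r in as_list(st["Resource"])):
            continue  # statement never touches CUI media; out of scope for this practice
        issues = []
        if is_public(st.get("Principal")):
            issues.append("public principal")
        if {a.lower() for a in as_list(st["Action"])} & READ_ACTIONS and not requires_mfa(st):
            issues.append("read access without MFA condition")
        if issues:
            findings[st.get("Sid", "<no Sid>")] = issues
    return findings
```

Running `review_policy(SAMPLE_POLICY, BUCKET_TAGS)` reports only the PublicRead statement; the MFA-gated role statement and the non-CUI public bucket produce no findings.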
Evidence Examples
- Access Control Policy
- Screenshot of IAM permissions
- Media Access Log
- BitLocker Recovery Keys
- Access Review Report
SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For MP.L2-3.8.2 ("Limit access to CUI on system media to authorized users"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how CUI on media is protected throughout its lifecycle, including encryption, access controls, marking, transport procedures, sanitization methods, and accountability tracking. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"MP.L2-3.8.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to limit access to CUI on system media to authorized users. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"MP.L2-3.8.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to limit access to CUI on system media to authorized users. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"MP.L2-3.8.2 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify all removable media types within the CUI boundary
- Document media storage locations (on-site, off-site)
- Specify media sanitization and destruction methods
- Ensure this control covers all systems within your defined CUI boundary where limiting access to CUI on system media to authorized users applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- Media Protection Policy
- Media inventory database
- Certificates of destruction
- Transport chain-of-custody records
- Evidence artifacts specific to MP.L2-3.8.2
- POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will check for CUI markings on media, verify encryption is enabled, review the media inventory for completeness, and examine destruction certificates.
Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you maintain an up-to-date list of users authorized to access CUI media?
Question 2: Are all CUI storage locations (physical/digital) access-controlled?
Question 3: Is there logging of access attempts to CUI media?
Question 4: Are unauthorized access attempts reviewed?
Question 5: Is access revoked within 24 hours when users leave the project?
Common Mistakes (What Auditors Flag)
1. Shared accounts used to access CUI media
2. USB drives with CUI left unencrypted
3. Over-permissioned cloud buckets (e.g., public read access)
4. No process to revoke ex-employee access
5. Access logs not retained for 90+ days
Parent Policy
This practice is governed by the Media Protection Policy.