NetStable
Level 2 MP.L2-3.8.5

Control access to media containing CUI and maintain accountability for media

📖 What This Means

This practice means that organizations must ensure only authorized personnel can access media that contains Controlled Unclassified Information (CUI). Media includes digital media (USB drives, internal and external hard drives, optical discs, backup tapes) and non-digital media such as paper. It also requires accountability: keeping track of who holds each item of media, who accessed it, and when. Think of it as locking sensitive documents in a filing cabinet and keeping a log of who checks them out. For example, if a contractor uses a USB drive to transfer CUI, the drive must be inventoried, its checkout and return must be logged, and it must be stored securely afterward. This control helps prevent unauthorized access to, or loss of, sensitive information.

🎯 Why It Matters

Uncontrolled access to CUI media can lead to data breaches that expose sensitive defense information. Lost or stolen removable media is a recurring cause of such exposure: a single unencrypted USB drive that nobody can account for may mean every file on it must be treated as compromised, with the notification costs, contract consequences, and reputational harm that follow. This control mitigates that risk by ensuring only authorized users handle media and that every checkout and return is tracked, so a missing item is noticed and its contents are known. From a DoD perspective, this is critical for safeguarding information that supports national security. Non-compliance can result in contract loss, fines, or legal action.

✅ How to Implement

  1. Inventory every item of media that holds CUI (USB drives, hard drives, optical discs, backup tapes, paper), assign each a unique media ID, and mark it as CUI.
  2. Restrict who may handle it: keep media in a locked cabinet or media library with named custodians, and on endpoints limit removable-media use by role (e.g., Group Policy Removable Storage Access settings or a device-control product) so only authorized users can write CUI to media. Where CUI also lives in cloud storage, apply the same role-based access control (RBAC) with AWS S3 bucket policies or Azure Blob Storage access controls.
  3. Log every checkout and return (timestamp, user, media ID, action) in a media tracking system or logbook, and forward endpoint removable-media events to your SIEM; for cloud-hosted CUI storage, enable AWS CloudTrail or Azure Monitor logging.
  4. Encrypt all digital media (e.g., BitLocker To Go or VeraCrypt for removable drives; AWS KMS or Azure Key Vault-managed keys for cloud-hosted storage).
  5. Review the access logs weekly and reconcile them against the inventory: every checkout must have a matching return by the same person, and every user in the log must be on the authorized list.

⏱️ Estimated Effort

2-3 days for setup; monitoring and log review are ongoing.

📋 Evidence Examples

Media Access Logs

Format: CSV/Excel
Frequency: Weekly
Contents: Timestamp, User, Media ID, Action (Checkout/Return)
Collection: Export logs from media tracking system.
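The weekly review of this export is the step most often done by eye, and the thing the assessor wants to see is that checkouts are actually reconciled against returns, the inventory, and the authorized-user list. The following is an added example, not NetStable tooling or code from the original page: it reads a CSV in exactly the Timestamp, User, Media ID, Action layout above and flags the accountability gaps a reviewer should catch. The inventory, the authorized-user set, the sample log lines and the finding codes are all constructed for the example.

```python
"""Reconcile a CUI media access log (Timestamp, User, Media ID, Action) against
the media inventory and the authorized-user list.

Added example for this page; not NetStable tooling. Inventory, user list and
log lines below are constructed sample data, and the finding codes are this
example's own names.
"""
import csv
import io
from collections import namedtuple
from datetime import datetime, timedelta

Finding = namedtuple("Finding", "code media user timestamp")

# Constructed sample data: who may handle CUI media, and which media IDs exist.
AUTHORIZED_USERS = {"alice", "bob"}
MEDIA_INVENTORY = {"USB-001", "USB-002", "HDD-007"}

# Constructed sample export in the page's CSV layout. carol is not authorized,
# USB-009 is not in the inventory, and two items are never returned.
SAMPLE_LOG = """Timestamp,User,Media ID,Action
2024-03-04T09:02:00,alice,USB-001,Checkout
2024-03-04T11:30:00,alice,USB-001,Return
2024-03-05T08:15:00,bob,HDD-007,Checkout
2024-03-06T13:00:00,carol,USB-002,Checkout
2024-03-06T13:05:00,bob,USB-009,Checkout
2024-03-07T10:00:00,alice,USB-002,Return
"""

# Date the review is run, fixed so the sample gives repeatable results.
AS_OF = datetime(2024, 3, 8)


def audit_media_log(log_text, authorized_users, inventory, as_of,
                    max_checkout=timedelta(days=1)):
    """Return a list of Finding tuples, in log order, for every accountability
    gap: unauthorized handler, unknown media ID, double checkout, return
    without checkout, return by someone other than the borrower, and media
    still checked out longer than max_checkout at the review date."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    # Exports are not always chronological; reconcile in time order.
    rows.sort(key=lambda r: datetime.fromisoformat(r["Timestamp"]))

    findings = []
    open_checkouts = {}  # media ID -> (user, checkout time)
    for row in rows:
        ts = datetime.fromisoformat(row["Timestamp"])
        user, media, action = row["User"], row["Media ID"], row["Action"]

        if user not in authorized_users:
            findings.append(Finding("UNAUTHORIZED_USER", media, user, ts))
        if media not in inventory:
            findings.append(Finding("UNKNOWN_MEDIA", media, user, ts))

        if action == "Checkout":
            if media in open_checkouts:
                findings.append(Finding("DOUBLE_CHECKOUT", media, user, ts))
            open_checkouts[media] = (user, ts)
        elif action == "Return":
            if media not in open_checkouts:
                findings.append(Finding("RETURN_WITHOUT_CHECKOUT", media, user, ts))
            else:
                borrower, _ = open_checkouts.pop(media)
                if borrower != user:
                    findings.append(Finding("RETURNED_BY_OTHER_USER", media, user, ts))
        else:
            findings.append(Finding("UNKNOWN_ACTION", media, user, ts))

    # Anything still out at the review date beyond the allowed window.
    for media, (user, ts) in open_checkouts.items():
        if as_of - ts > max_checkout:
            findings.append(Finding("OVERDUE", media, user, ts))
    return findings


def run_sample():
    """Audit the constructed sample log; the weekly review would call this
    on the real export instead."""
    return audit_media_log(SAMPLE_LOG, AUTHORIZED_USERS, MEDIA_INVENTORY, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.timestamp:%Y-%m-%d %H:%M}  {f.code:<24} {f.media:<8} {f.user}")
```

On the sample the review raises five findings: carol checking out USB-002 without authorization, USB-009 being handled although it is not in the inventory, USB-002 being returned by alice rather than the person who took it, and HDD-007 and USB-009 both overdue at the review date. A clean log produces an empty list, which is the artifact worth attaching to the weekly audit report; the max_checkout window is a parameter because the allowed loan period is set by your Media Protection Policy, not by the control.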

Encryption Configuration Screenshots

Format: PNG/JPEG
Frequency: Initial setup, updates
Contents: Proof of encryption enabled on media.
Collection: Capture screenshots of encryption settings.

Media Inventory Report

Format: PDF
Frequency: Monthly
Contents: List of all media containing CUI.
Collection: Generate report from inventory system.

Audit Report

Format: PDF
Frequency: Quarterly
Contents: Summary of media access compliance.
Collection: Run audit tools and compile results.

Training Records

Format: PDF
Frequency: Annually
Contents: List of personnel trained on media handling.
Collection: Export from HR or training system.

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MP.L2-3.8.5 ("Control access to media containing CUI and maintain accountability for media"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how CUI on media is protected throughout its lifecycle, including encryption, access controls, marking, transport procedures, sanitization methods, and accountability tracking. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MP.L2-3.8.5 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to control access to media containing CUI and maintain accountability for media. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'S3 bucket policy export, CloudTrail logs showing access to CUI storage']."

On-Premise

"MP.L2-3.8.5 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to control access to media containing CUI and maintain accountability for media. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs, media checkout log']."

Hybrid

"MP.L2-3.8.5 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all removable media types within the CUI boundary
  • Document media storage locations (on-site, off-site)
  • Specify media sanitization and destruction methods
  • Ensure this control covers every system within your defined CUI boundary that reads, writes, or stores CUI on media
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Media Protection Policy
  • 📄 Media inventory database
  • 📄 Certificates of destruction
  • 📄 Transport chain-of-custody records
  • 📄 Evidence artifacts specific to MP.L2-3.8.5
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will check for CUI markings on media, verify encryption is enabled, review the media inventory for completeness, sample the access log to confirm that checkouts have matching returns by authorized users, and examine destruction certificates.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a system to track access to media containing CUI?

✅ YES → Proceed to Q2.
❌ NO → GAP: Implement a media tracking system (or a manual logbook) that records each checkout and return, and forward the records to your SIEM, such as Splunk, for review.
Remediation: 1 week

Question 2: Is all CUI media encrypted?

✅ YES → Proceed to Q3.
❌ NO → GAP: Use encryption tools like BitLocker (BitLocker To Go for removable drives) or VeraCrypt.
Remediation: 2 days

Question 3: Are access logs reviewed regularly?

✅ YES → Proceed to Q4.
❌ NO → GAP: Set up a weekly review process for access logs.
Remediation: 1 week

Question 4: Is media stored securely when not in use?

✅ YES → Proceed to Q5.
❌ NO → GAP: Implement secure storage solutions like locked cabinets.
Remediation: 3 days

Question 5: Are personnel trained on media handling policies?

✅ YES → Compliance confirmed.
❌ NO → GAP: Conduct training sessions and document attendance.
Remediation: 1 week

⚠️ Common Mistakes (What Auditors Flag)

1. Missing media access logs.

Why this happens: Manual tracking is overlooked or not enforced.
How to avoid: Generate the records automatically where you can (a media tracking system for checkouts and returns, device-control or Windows event logs for removable-media use on endpoints) and forward them to a log platform such as Splunk or the ELK Stack so the weekly review has a complete record.

2. Unencrypted media.

Why this happens: Encryption tools are not configured or used.
How to avoid: Enable encryption on all media using BitLocker or VeraCrypt.

3. Inconsistent media labeling.

Why this happens: No standardized labeling process.
How to avoid: Create a media labeling policy and train staff.

4. No secure storage for media.

Why this happens: Media is left unattended in unsecured areas.
How to avoid: Use locked cabinets or secure rooms for storage.

5. Untrained personnel.

Why this happens: Training is not prioritized.
How to avoid: Conduct annual training on media handling policies.

📚 Parent Policy

This practice is governed by the Media Protection Policy

View MP Policy →

📚 Related Controls