Family 3.8 · 9 requirements
Media Protection.
Where CUI sits. Where it travels. Where it ends up.
The big picture
Media is paper, USBs, and laptops as much as it is cloud storage. Every CUI byte has a lifecycle, and assessors will trace one.
Theme 1
Protect and mark.
3.8.1 — 3.8.4: Controlling access to CUI media, sanitising before disposal, marking with handling caveats, and limiting where it goes.
- 3.8.1 Lock Up CUI. MP.L2-3.8.1 · Media Protection. Physically control and securely store all system media containing CUI — paper documents, USB drives, backup tapes, and digital devices.
- 3.8.2 Need-to-Know for Media. MP.L2-3.8.2 · Media Access. Only people with a documented need can access CUI media — physical or digital. Review access periodically.
- 3.8.3 Destroy It Properly. MP.L1-3.8.3 · Media Disposal. Sanitize or destroy CUI media before disposal or reuse — per NIST SP 800-88. Document everything.
- 3.8.4 Mark Your CUI. MP.L2-3.8.4 · Media Markings. Label all CUI media with correct CUI markings and distribution limitations per NARA guidance.
Theme 2
Transport and encrypt.
3.8.5 — 3.8.7: Tracking media in transit, encrypting CUI on portable storage, and controlling removable-media use.
- 3.8.5 Track Media in Transit. MP.L2-3.8.5 · Media Accountability. Control access and maintain chain of custody for CUI media during transport outside controlled areas.
- 3.8.6 Encrypt Media in Transit. MP.L2-3.8.6 · Portable Storage Encryption. Encrypt CUI on digital media before transport using FIPS-validated cryptography — or provide alternative physical safeguards.
- 3.8.7 Control Removable Media. MP.L2-3.8.7 · Removable Media. Restrict USB drives and external media on CUI systems — block by default, allow only approved encrypted devices.
Theme 3
Reuse and backups.
3.8.8 — 3.8.9: Prohibiting unowned portable storage on systems and protecting CUI backup confidentiality.
- 3.8.8 No Mystery USB Drives. MP.L2-3.8.8 · Shared Media. Prohibit portable storage devices with no identifiable owner. Training plus technical controls.
- 3.8.9 Protect Your Backups. MP.L2-3.8.9 · Protect Backups. Protect the confidentiality of backup CUI — encrypted, access-restricted, and stored with the same controls as production.