3.8.1 — Lock Up CUI
What It Says
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
What It Actually Means
CUI lives on media — paper printouts, USB drives, backup tapes, CDs, external hard drives, and even mobile devices. Every piece of media containing CUI must be physically controlled and securely stored. Four things are assessed independently:
- Paper CUI is physically controlled. Printed CUI documents aren’t left on desks, in unlocked trays, or in open filing cabinets. They’re in the possession of an authorized person or in locked storage. A checkout log tracks who has what. Printers that produce CUI output are in controlled areas — not the shared hallway printer.
- Digital media is physically controlled. USB drives, backup tapes, and external drives containing CUI aren’t floating around loose. They’re inventoried, tracked, and in the possession of an authorized person or in locked storage. A checkout log tracks custody.
- Paper CUI is securely stored. When not in active use, paper CUI goes in a locked filing cabinet, locked desk drawer, or secure room. Keys or combinations are limited to authorized personnel.
- Digital media is securely stored. When not in active use, digital CUI media goes in a locked safe, locked cabinet, or secure room. Ideally, the media is also encrypted (see 3.8.6), but physical security is required regardless.
The assessor will walk through your office and look for CUI left in the open — on desks, in unlocked drawers, in printer output trays, on whiteboards. They’ll check where digital media is stored and ask who has access.
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is paper CUI physically controlled? | Checkout log; CUI not left unattended; printers in controlled areas |
| 2 | Is digital media physically controlled? | Media inventory; checkout log; custody tracked |
| 3 | Is paper CUI securely stored? | Locked cabinet or room; limited key distribution |
| 4 | Is digital media securely stored? | Locked safe or cabinet; limited access; ideally also encrypted (see 3.8.6) |
What to Have Ready on Assessment Day
Documents they’ll review: Media protection policy; storage procedures; media inventory; access control records for storage locations; checkout/custody logs; system security plan
People they’ll talk to: Personnel with media protection responsibilities; information security personnel; anyone who handles CUI media
Live demos they’ll ask for: “Show me where paper CUI is stored. Is it locked?” “Show me where digital CUI media is stored.” “Who has keys? Show me the distribution list.” “Show me your checkout log.”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Show me where paper CUI is stored. Is the cabinet locked right now?”
- “Who has keys or combinations to CUI storage? Show me the list.”
- “Where are USB drives and backup tapes with CUI stored?”
- “Is there a checkout log for CUI media? Show me a recent entry.”
- “Walk me through your office — is any CUI visible right now?”
- “Are printers that produce CUI output in controlled areas?”
Where Companies Trip Up
CUI left on desks. Printed documents sitting in the open after a meeting. Implement a clean desk policy: CUI goes back to locked storage when not actively in use.
Unlocked storage. The filing cabinet has a lock but nobody uses it. The safe code is on a sticky note. Enforce locking and limit who has keys or combinations.
No media inventory. USB drives with CUI exist somewhere, but nobody tracks how many or where. Maintain an inventory of all CUI media — type, location, custodian.
Shared printer in open area. CUI documents printing to the hallway printer where anyone can grab them. Restrict CUI printing to printers in controlled areas, or use pull-printing that requires authentication at the printer.
No custody tracking. A backup drive leaves the safe and nobody records who took it or when. Maintain a checkout log for all CUI media.
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.8.2 — Need-to-Know for Media | Limits who can access the CUI media stored here |
| 3.8.4 — Mark Your CUI | Media must be marked so people know it contains CUI |
| 3.10.1 — Lock the Doors | Physical access controls for areas where CUI media is stored |
| 3.8.7 — Control Removable Media | Restricts use of removable media that might contain CUI |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: MP.L2-3.8.1 | SPRS Weight: 3 points | POA&M Eligible: No