
3.8.2 — Need-to-Know for Media

Limit access to CUI on system media to authorized users.

Only authorized users — people with a documented, current need for that specific CUI — can access the media containing it. This applies to both physical and digital media, and the assessor checks both:

Physical media: Who has keys to the CUI filing cabinet? Who has the combination to the safe where backup drives are stored? Who can check out a CUI USB drive? Each access path needs a named list of authorized people, and that list must be reviewed periodically — because people change roles, leave projects, and transfer out.

Digital media: Who has permissions to the CUI file share, the CUI SharePoint site, the backup storage? Access should be controlled via security groups with membership limited to CUI-authorized personnel. “Everyone” or “All Employees” groups on CUI repositories are instant findings.

The principle is need-to-know: being an employee doesn’t automatically grant access to CUI media. Being on the CUI project does. And when someone comes off the project, their access is removed.


Your assessor needs a “yes” to every row:

# | Question | What “yes” looks like
1 | Is access to CUI on system media limited to authorized users? | Named access list for physical (key holders, safe access) and digital (share permissions, security groups) CUI media; reviewed at least quarterly

Documents they’ll review: Media protection policy; access control procedures; list of personnel authorized to access CUI media (physical and digital); access review records; system security plan

People they’ll talk to: Personnel with media protection responsibilities; information security personnel; data owners who authorize CUI access

Live demos they’ll ask for: “Show me who has access to your CUI file share — pull up the security group membership.” “Show me your key distribution list for the CUI cabinet.” “When was access last reviewed? Show me the record.”


These are the actual questions. Have answers ready.

  • “Who can access CUI media? Show me the list — both physical and digital.”
  • “How do you determine who’s authorized? Who approves access?”
  • “Show me the security group membership for your CUI SharePoint site.”
  • “When was the access list last reviewed? Show me the review record.”
  • “What happens when someone changes roles — is CUI media access reviewed?”
  • “Is the ‘Everyone’ or ‘All Users’ group on any CUI repository?”

Everyone has access. The CUI file share is open to the entire company because “it’s easier.” Restrict to a security group with only CUI-authorized members. This is one of the most common findings.

No access review. Access was appropriate when granted but nobody has reviewed it in a year. People change roles, leave projects, transfer departments. Quarterly reviews catch drift.

Physical access too broad. Ten people have cabinet keys when only three handle CUI. Limit physical access devices to the minimum necessary.

No data owner approval. People are added to the CUI access group by IT without the data owner approving. Define who authorizes CUI access — typically the project lead or security officer.
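The three digital-side findings above (a broad group on the repository, members without data-owner approval, and a stale review) can be checked from exports you already have on hand. The script below is an added example, not from the page or any assessment tool; the share path, group and user names, dates, and the icacls-style ACL export are all constructed.

```python
from datetime import date

# Constructed sample: an ACL export for a CUI file share in the style of
# `icacls` output (one "principal:(flags)(rights)" entry per line).
SHARE = r"\\fs01\CUI-ProjectX"
ICACLS_OUTPUT = r"""\\fs01\CUI-ProjectX Everyone:(OI)(CI)(RX)
                   CORP\CUI-ProjectX-RW:(OI)(CI)(M)
                   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
"""
# Constructed group export (as from Get-ADGroupMember), the data owner's
# authorization record, and the review dates; all names are hypothetical.
GROUP_MEMBERS = {r"CORP\CUI-ProjectX-RW": ["alice", "bob", "carol", "dave"]}
AUTHORIZED = {"alice", "bob", "carol"}
LAST_REVIEW = date(2025, 1, 10)
AS_OF = date(2025, 6, 1)          # constructed assessment date
REVIEW_INTERVAL_DAYS = 90         # "reviewed at least quarterly"

# Principals that grant the whole population access rather than the
# CUI-authorized users; any of these on a CUI repository is a finding.
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users",
                    "users", "all users", "all employees"}

def parse_icacls(text, path):
    """Return (principal, rights) pairs from icacls-style output."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):     # only the first line carries the path
            line = line[len(path):].strip()
        if ":" in line:
            principal, rights = line.split(":", 1)
            entries.append((principal.strip(), rights.strip()))
    return entries

def audit_cui_media(entries, members, authorized, last_review, today):
    """Apply the 3.8.2 need-to-know checks; return a list of findings."""
    findings = []
    for principal, rights in entries:
        if principal.split("\\")[-1].lower() in BROAD_PRINCIPALS:
            findings.append(f"broad principal '{principal}' has {rights}")
        for user in members.get(principal, []):
            if user not in authorized:   # in the group without data-owner approval
                findings.append(f"'{user}' in {principal} lacks data-owner approval")
    if (today - last_review).days > REVIEW_INTERVAL_DAYS:
        findings.append(f"access review overdue (last {last_review.isoformat()})")
    return findings

for finding in audit_cui_media(parse_icacls(ICACLS_OUTPUT, SHARE), GROUP_MEMBERS,
                               AUTHORIZED, LAST_REVIEW, AS_OF):
    print("FINDING:", finding)
```

Against the constructed input it reports three findings: the Everyone entry, dave's unapproved membership, and the overdue review; an empty list is the "yes" the assessor is looking for.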



Requirement | Why it matters here
3.8.1 — Lock Up CUI | Secure storage that this requirement controls access to
3.1.1 — Who Gets In | Access control principles applied specifically to CUI media
3.1.2 — What They Can Do | Function-level access control on CUI repositories
3.9.2 — Revoke on Departure | Personnel actions trigger CUI media access removal

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.


CMMC Practice ID: MP.L2-3.8.2 | SPRS Weight: 3 points | POA&M Eligible: No