NIST SP 800-171 Rev 2 requirement 3.8.1 mandates that organizations protect system media containing CUI, both in paper and digital form, through physical controls and secure storage. Physical control means limiting who can handle, access, or move media, while secure storage means placing media in locked, access-restricted locations such as safes, locked cabinets, or controlled server rooms. The practice applies to all media types: hard drives, USB drives, optical discs, magnetic tapes, printed documents, and any other medium that stores or displays CUI. Organizations must ensure that only authorized personnel can access CUI-bearing media, and that media is tracked and accounted for. This is the foundational media protection requirement upon which all other MP domain practices build.
Where it stops · what it isn't
- —This practice does not cover the sanitization or destruction of media, which is addressed in mp-l2-3.8.3 and mp-l2-3.8.7.
- —This practice does not address the marking or labeling of CUI media, which falls under separate CUI program requirements and mp-l2-3.8.2.
- —This practice does not govern the transport or movement of media outside controlled facilities, which is covered by mp-l2-3.8.5.
- —This practice does not define cryptographic protections for media in transit, addressed by mp-l2-3.8.4 and SC domain controls.
- —This practice does not govern access control at the system or network level; logical access to CUI is covered under the AC domain (ac-l2-3.1.1).
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OFdomain/media-protection