CMMC practice MP.L2-3.8.2, derived from NIST SP 800-171 Rev 2 control 3.8.2, requires organizations to limit access to CUI on system media to authorized users only. System media includes both digital media (USB drives, external hard drives, optical discs, flash memory cards, mobile devices) and non-digital media (paper documents, microfilm, printed output). Authorization must be defined through formal access control policies that specify which users or roles may access media containing CUI. Access limitations must be enforced through both technical controls (e.g., role-based access, encryption) and physical controls (e.g., locked storage for physical media). This practice builds directly on MP.L2-3.8.1, which establishes the baseline requirement to protect and control system media, and extends it by explicitly scoping access to verified, authorized personnel.
Where it stops · what it isn't
- This practice does not govern access to CUI transmitted across networks; that is addressed by System and Communications Protection (SC) domain controls.
- This practice does not address the sanitization or destruction of media, which is covered by MP.L2-3.8.3 and MP.L2-3.8.4.
- This practice does not define how access authorization lists are created or maintained; that is the responsibility of the Access Control (AC) domain policies.
- This practice does not cover mobile device management (MDM) policy enforcement as a standalone requirement; MDM is a mechanism, not the requirement itself.
- This practice does not address cryptographic protection of CUI during transport; that is covered by MP.L2-3.8.6.