MP.L2-3.8.1[b] – Examine documentation to confirm media types that contain CUI are identified.
This objective ensures that the media types your organization uses to store, process, or transmit Controlled Unclassified Information (CUI) are not only recognized internally but are also formally documented in your policies, procedures, or security plans.
MP.L2-3.8.2 – Limit access to CUI on system media to authorized users.
This control reinforces the requirement to limit access to Controlled Unclassified Information (CUI) stored on system media—specifically ensuring that only authorized users can access, read, write, or modify that information, whether the media is removable, internal, or virtual.
MP.L2-3.8.7 – Control the use of removable media on system components.
This control requires your organization to manage and restrict the use of removable media (e.g., USB drives, external hard drives, SD cards) on systems—especially those that store, process, or transmit Controlled Unclassified Information (CUI). You must establish and enforce policies that determine when and how removable media can be used.
MP.L2-3.8.5[b] – Examine documentation to confirm controls to protect CUI during transport are identified.
This objective ensures that your organization has formally documented the security controls used to protect Controlled Unclassified Information (CUI) when it is transported—whether digitally or physically. The documentation must outline specific practices, technologies, and rules to prevent data loss, exposure, or unauthorized access in transit.
MP.L2-3.8.9 – Protect the confidentiality of backup CUI at storage locations.
This control requires your organization to safeguard any backups that contain Controlled Unclassified Information (CUI)—ensuring that CUI is encrypted, access is restricted, and storage locations are secure whether they are onsite, offsite, or in the cloud.
MP.L2-3.8.3[a] – Identify tools or techniques used to mark media with CUI designation.
This objective requires your organization to identify how you mark or label media that contains Controlled Unclassified Information (CUI). The goal is to ensure media is visibly or digitally marked so that users know the sensitivity of the data and apply proper handling procedures.
MP.L2-3.8.4[a] – Identify individuals authorized to access CUI on media.
This objective requires your organization to identify and document who is authorized to access CUI stored on media, whether digital or physical. This includes access to USB drives, hard drives, backup tapes, cloud storage, and printed materials containing Controlled Unclassified Information.
MP.L2-3.8.1[d] – Determine if access to CUI on media is limited to authorized users.
This objective confirms that your organization has controls in place to restrict access to CUI stored on media—ensuring that only authorized users can view, modify, or handle the data. This applies to both digital and physical media that contain Controlled Unclassified Information.
MP.L2-3.8.8 – Prohibit the use of portable storage devices when such devices have no identifiable owner.
This control requires your organization to explicitly prohibit the use of any portable storage device (e.g., USB drives, SD cards, external hard drives) if the device’s owner cannot be clearly identified. This is a protective measure to reduce the risk of introducing malware or unauthorized access to Controlled Unclassified Information (CUI) systems.
MP.L2-3.8.1[a] – Identify media types that contain CUI.
This objective requires your organization to identify all forms of media—both digital and physical—that are used to store, transmit, or process Controlled Unclassified Information (CUI). This includes any medium that could carry sensitive data, whether actively in use or in storage.