Mapped to NIST 800-171 Requirement: 3.8.1
CMMC Assessment Objective: MP.L2-3.8.1[a]
What This Control Means
You must maintain a comprehensive understanding of where CUI is stored or transferred, including:
• Electronic media
• Removable storage
• Cloud-based media
• Physical media (e.g., printed paper)
This identification process is foundational for securing CUI, applying proper access controls, and ensuring data is protected during transmission, storage, and destruction.
Why It Matters
If you don’t know which media contains CUI:
• You can’t apply appropriate safeguards
• CUI may be left unprotected on forgotten devices or drives
• You risk data spillage, loss, or unauthorized access
• You won’t be able to meet the requirements for media encryption, sanitization, or destruction
Knowing where CUI resides is the first step in controlling it.
How to Implement It
1. List All Media Types That May Contain CUI Examples include:
• Laptops and workstations
• USB drives
• External hard drives
• CD/DVDs
• Mobile devices
• Backup tapes
• Network file shares
• Cloud storage (e.g., OneDrive, AWS, Azure)
• Printed documents
2. Perform a Media Audit
• Identify where CUI is currently stored or processed
• Include user devices, shared systems, backup media, and transportable drives
3. Maintain an Inventory
• Keep a record of authorized media types and systems
• Update this list when new storage media is introduced or retired
4. Flag High-Risk or Portable Media
• Identify media that is easily lost, stolen, or mishandled
• Apply tighter controls for mobile storage (e.g., encryption, tracking)
Evidence the Assessor Will Look For
• A documented list of media types that contain or may contain CUI
• Inventories or asset lists identifying approved storage locations
• Procedures that define acceptable use of CUI-bearing media
• Logs or examples showing how CUI media is tracked
Common Gaps
• No awareness of where CUI is physically or digitally stored
• Uncontrolled use of USB drives, personal devices, or cloud folders
• No documentation showing how media is identified or classified
• Portable media used without proper tracking or approval
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Helping define and categorize authorized CUI media types
• Restricting CUI storage to secure, compliant platforms and systems
• Supporting media inventory management and tracking
• Logging and controlling removable or portable device usage
• Ensuring that all CUI is stored and transmitted only on vetted media
With Cuick Trac, your organization knows exactly where CUI lives—and how to protect it.
Final CTA
You can’t protect what you don’t track.
Schedule a Cuick Trac demo to identify and manage every media type that interacts with your CUI.