Mapped to NIST 800-171 Requirement: 3.8.2
CMMC Assessment Objective: MP.L2-3.8.2
What This Control Means
System media includes any digital medium that stores or processes CUI, such as:
• Hard drives (internal or external)
• Solid-state drives (SSDs)
• USB flash drives
• Backup tapes or disks
• Virtual machine disks
• Shared cloud storage
This control requires that access to those media types be strictly limited to users who are authorized and have a legitimate business need.
Why It Matters
Without access restrictions:
• CUI may be accessed by unauthorized staff
• Insider threats may go undetected
• Accidental exposure is more likely
• You lose control over sensitive data, especially on removable media
Restricting access helps maintain confidentiality, traceability, and accountability.
How to Implement It
1. Define Authorized Users
• Establish access control groups for users permitted to access CUI
• Maintain a list or log of approved individuals or roles
2. Apply Role-Based Access Controls (RBAC)
• Limit access permissions at the file system, platform, or cloud level
• Grant access only on the basis of least privilege and job relevance
3. Enforce Media Encryption
• Use full disk encryption (FDE) on all CUI-bearing media
• Require password or certificate-based access to unlock media
4. Control Removable Media Access
• Block or restrict use of USB ports
• Require IT approval before external drives are used
5. Log and Monitor
• Enable access logging for systems and cloud storage containing CUI
• Periodically review access logs to identify anomalies
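The periodic log review in step 5 can be checked against the authorized-user list and role mapping from steps 1 and 2 and the removable-media approvals from step 4. The Python script below is an added example, not part of the original page and not Cuick Trac code; the CSV log layout, account names, roles and device IDs are all constructed assumptions.

```python
# Constructed sample data: the role mapping, account names and log layout below
# are assumptions for illustration, not a real product's export format.
import csv
import io

AUTHORIZED = {            # media or share -> roles permitted to access it
    "cui-share": {"engineering", "contracts"},
    "backup-vault": {"it-admin"},
}
USER_ROLES = {"alice": "engineering", "bob": "sales", "carol": "it-admin"}
GENERIC_ACCOUNTS = {"admin", "shared", "scanner"}  # shared logins break accountability
APPROVED_REMOVABLE = {"USB-0001"}                  # device IDs approved by IT

SAMPLE_LOG = """timestamp,user,media,device_id,action
2024-05-01T09:00:00Z,alice,cui-share,,read
2024-05-01T09:05:00Z,bob,cui-share,,read
2024-05-01T09:10:00Z,shared,cui-share,,write
2024-05-01T09:15:00Z,carol,backup-vault,,mount
2024-05-01T09:20:00Z,alice,removable,USB-0001,write
2024-05-01T09:25:00Z,alice,removable,USB-9999,write
"""

def review(log_text):
    """Return (timestamp, user, reason) for every entry that needs follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, media = row["user"], row["media"]
        if user in GENERIC_ACCOUNTS:
            reason = "generic account, access not attributable to a person"
        elif user not in USER_ROLES:
            reason = "user not on the authorized list"
        elif media == "removable":
            if row["device_id"] in APPROVED_REMOVABLE:
                continue
            reason = "removable device not approved by IT"
        elif media not in AUTHORIZED:
            reason = "media missing from role-to-access mapping"
        elif USER_ROLES[user] not in AUTHORIZED[media]:
            reason = "role not permitted for this media"
        else:
            continue
        findings.append((row["timestamp"], user, reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

The saved findings from each run can also serve as evidence that log reviews take place.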
Evidence the Assessor Will Look For
• Access control configurations on systems or storage platforms
• Policies defining who can access which types of system media
• Logs showing access to CUI-containing media
• Encryption reports showing that only authorized users can decrypt and use the media
• Documentation of role-to-access mappings
Common Gaps
• Shared or generic access to folders containing CUI
• Portable media used without controls or logging
• Access permissions based on convenience, not business need
• No enforcement or oversight of who accesses sensitive system media
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Applying access controls to all system media within the enclave
• Restricting who can mount, decrypt, or interact with sensitive storage
• Automatically logging access to CUI files and drives
• Integrating with identity providers for precise user-based media access
• Helping document and verify access restrictions for audits
With Cuick Trac, system media access is secured by default—and always provable.
Protect your systems by protecting their storage.
Schedule a Cuick Trac demo to secure access to all CUI on system media—anywhere, anytime.