What the Media Protection Domain Is For
The Media Protection domain addresses the protection of CUI as it exists on physical and digital media. The scope is broader than the term "media" might suggest. Paper printouts, engineering drawings, backup tapes, hard drives, USB drives, optical disks, and mobile device storage all fall within the domain. Anywhere CUI is written, stored, or carried, the MP requirements apply.
The practitioner reading of MP is that it protects the CUI that escapes the network-level controls every other domain focuses on. Access controls, authentication, and network segmentation all protect CUI while it exists as data inside managed systems. Media Protection extends that protection to CUI once it has been written to paper, copied to a drive, backed up to tape, or otherwise committed to physical form. A contractor with strong network security and weak media handling has a compliance posture that protects data while it stays inside the managed systems but exposes every copy that leaves them to the people, vehicles, and storage facilities that routinely touch physical media.
For defense contractors preparing for CMMC Level 2 assessment, the MP domain is the area where paper-based processes, legacy practices, and informal media handling most frequently produce findings. A manufacturer that has strong digital security may still print engineering drawings, maintain paper travelers on the shop floor, and send failed drives back to vendors without sanitization. Each of those routine activities has MP implications that are easy to miss when the compliance effort focuses on IT systems.
The Structure of the 9 Controls
The nine MP requirements organize into three clusters that reflect distinct concerns within the domain.
The first cluster covers media protection foundations. These three controls (3.8.1, 3.8.2, and 3.8.4) establish the baseline obligations: that CUI media is protected, that access to it is restricted, and that it is marked appropriately. This cluster applies to all forms of media and establishes the reference point that the rest of the domain builds on.
The second cluster covers lifecycle and transport. These four controls (3.8.3, 3.8.5, 3.8.6, and 3.8.9) address CUI media in states other than normal in-place operation: disposal, transport outside controlled areas, encryption during transport, and backup storage. The lifecycle cluster contains the most technical complexity in the domain because sanitization standards, cryptographic requirements, and chain-of-custody procedures each have specific implementation demands.
The third cluster covers removable media use. These two controls (3.8.7 and 3.8.8) restrict how removable storage devices can be used within the environment. The cluster is small but consequential because removable media is simultaneously an attack vector, an exfiltration path, and an operational necessity that is difficult to eliminate entirely.
Media Protection Foundations
The first cluster establishes the baseline protection, access, and marking obligations that apply to all media containing CUI. These three controls form the reference point that the rest of the domain operates against.
MP.L2-3.8.1 Media Protection
System media containing CUI, both paper and digital, must be protected, which the requirement text spells out as physically controlled and securely stored. The control is the umbrella obligation of the domain. Protection includes physical security for media at rest, access controls for media in use, and appropriate handling for media in transit. The explicit inclusion of paper is important because many contractors treat MP as a digital-only concern and overlook the printed drawings, traveler sheets, contract documents, and shop floor records that carry CUI in physical form. The assessable evidence covers every medium on which CUI exists, not just the electronic ones.
MP.L2-3.8.2 Media Access
Access to CUI on system media must be limited to authorized users. The control extends the Access Control principle from systems to media. The authorization that permits a user to access CUI on a system is the same authorization that permits access to media containing that CUI. The implementation includes physical controls such as locked storage, logical controls such as file system permissions on digital media, and procedural controls such as check-out processes for shared media. The assessable evidence shows that unauthorized users cannot reach CUI media in practice, not just that policy prohibits them from doing so.
MP.L2-3.8.4 Media Markings
Media must be marked with necessary CUI markings and distribution limitations. The marking requirement is procedural rather than technical, but it carries assessment weight because marking is the mechanism by which handlers know that the media requires CUI-level protection. The markings must comply with the National Archives CUI Registry requirements, which specify the format and content of CUI designators. Findings often involve digital media that is protected technically but not marked visibly, such as files on a shared drive that carry CUI without any indication in their filename or metadata that would alert a recipient to the handling obligation.
Lifecycle and Transport
The second cluster addresses CUI media in states other than normal in-place operation. Disposal, transport outside controlled areas, encryption during transport, and backup storage each involve the media leaving its protected context, and each requires specific protections to maintain confidentiality.
MP.L2-3.8.3 Media Disposal
System media containing CUI must be sanitized or destroyed before disposal or release for reuse. The sanitization standard is typically NIST SP 800-88 Rev 1, which defines the acceptable methods for clearing, purging, and destroying media by media type and confidentiality impact. Disposal by deletion alone does not satisfy the control for most media types: deletion and quick formatting remove directory entries while the data remains readable on the underlying blocks. Digital media requires secure overwriting or cryptographic erasure, and paper records require shredding or equivalent destruction. SP 800-88 also expects the result to be verified, by reading back the full device or a representative sample of it, and the evidence must show that the sanitization and its verification actually occurred, typically through a sanitization log or certificate of destruction. This control interacts directly with the Maintenance domain, where MA.3.7.3 requires equipment sanitization before off-site maintenance.
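The verification step is where a sanitization log usually falls short: the log records that a wipe was run, not that the media was checked afterward. The following Python script is an added example, not code from the page or from any NIST publication. It reads back a wiped device (or, here, a constructed 1 MiB image standing in for one) either in full or by seeded random sampling, fails any block that still holds data, and emits the kind of hashed log entry an assessor would ask for. The asset tag, operator, and residual content are constructed sample data.

```python
"""Post-sanitization verification with a logged record (added example, not from the page)."""
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096


def device_size(fh):
    """Byte length of a regular file or block device opened in binary mode."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def sample_offsets(size, sample_count, seed=None):
    """Block-aligned offsets to inspect. When sample_count covers the whole device every block
    is read (full verification); otherwise a seeded random sample that always includes the
    first and last block (representative sampling)."""
    nblocks = max(1, (size + BLOCK_SIZE - 1) // BLOCK_SIZE)
    if sample_count >= nblocks:
        return [i * BLOCK_SIZE for i in range(nblocks)]
    rng = random.Random(seed)
    chosen = {0, (nblocks - 1) * BLOCK_SIZE}
    while len(chosen) < sample_count:
        chosen.add(rng.randrange(nblocks) * BLOCK_SIZE)
    return sorted(chosen)


def verify_cleared(path, sample_count=64, fill_byte=0x00, seed=None):
    """Read the sampled blocks and confirm each contains nothing but fill_byte.
    Any block with residual data fails the verification and is listed by offset."""
    failures = []
    with open(path, "rb") as fh:
        size = device_size(fh)
        offsets = sample_offsets(size, sample_count, seed)
        for off in offsets:
            fh.seek(off)
            chunk = fh.read(BLOCK_SIZE)
            if chunk != bytes([fill_byte]) * len(chunk):
                failures.append(off)
    return {
        "bytes": size,
        "blocks_checked": len(offsets),
        "blocks_total": max(1, (size + BLOCK_SIZE - 1) // BLOCK_SIZE),
        "failures": failures,
        "passed": not failures,
    }


def sanitization_record(asset_tag, media_type, method, operator, verification):
    """Entry for the sanitization log: what was done, by whom, and whether verification passed.
    The hash over the entry makes later silent edits to the log detectable."""
    record = {
        "asset_tag": asset_tag,
        "media_type": media_type,
        "method": method,  # clear / purge / destroy in SP 800-88 terms, plus the tool used
        "operator": operator,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "verification": verification,
        "disposition": "release for reuse" if verification["passed"] else "HOLD: re-sanitize or destroy",
    }
    record["record_sha256"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()
    ).hexdigest()
    return record


def make_sample_image(residual_at=None):
    """Constructed test data: a 1 MiB zero-filled image standing in for an overwritten drive,
    optionally with a few leftover bytes written at residual_at. Returns the file path."""
    fh = tempfile.NamedTemporaryFile(suffix=".img", delete=False)
    with fh:
        fh.write(b"\x00" * (256 * BLOCK_SIZE))
        if residual_at is not None:
            fh.seek(residual_at)
            fh.write(b"DRAWING 4471 REV C (CUI)")  # constructed residual content
    return fh.name


if __name__ == "__main__":
    wiped = make_sample_image()
    leftover = make_sample_image(residual_at=300 * BLOCK_SIZE + 17)
    for path in (wiped, leftover):
        result = verify_cleared(path, sample_count=256)  # 256 blocks total: full verification
        print(json.dumps(sanitization_record("HDD-0042", "SATA HDD", "clear: overwrite with zeros",
                                             "j.doe", result), indent=2))
    os.remove(wiped)
    os.remove(leftover)
```

Point the script at the raw device (for example `/dev/sdX`, opened read-only) rather than a file to verify a real overwrite. The fill-pattern check fits overwrite-based clearing; after a cryptographic erase the media reads back as pseudo-random data, so this check would report a failure, and the verification instead has to show that the sampled blocks no longer yield the original content.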
MP.L2-3.8.5 Media Accountability
Access to media containing CUI must be controlled and accountability maintained during transport outside of controlled areas. The control addresses chain of custody when CUI media leaves the controlled environment. A backup tape being sent to an off-site storage facility, a drive being transported to a data center, or a printed drawing being carried to a meeting off-premises all fall within the control. The accountability evidence typically includes a log of custody transfers, identification of the personnel responsible at each stage, and procedures for handling transport incidents such as loss or theft.
MP.L2-3.8.6 Portable Storage Encryption
Cryptographic mechanisms must protect the confidentiality of CUI stored on digital media during transport, unless otherwise protected by alternative physical safeguards. The control itself requires cryptographic protection for digital media that leaves controlled areas; because that cryptography protects the confidentiality of CUI, SC.3.13.11 requires the cryptographic modules to be FIPS-validated, so in practice the two are assessed together. The alternative physical safeguards provision is a narrow exception for cases such as a cleared courier or a locked container under continuous custody, and assessors read it more narrowly than the language suggests: the physical safeguard has to be documented and evidenced for every leg of the transport. Most implementations rely on encryption rather than on the physical safeguards alternative, because a validated encryption module is easier to evidence than an unbroken physical custody chain. This control interacts with the System and Communications Protection domain, which governs the broader cryptographic requirements that MP inherits.
MP.L2-3.8.9 Protect Backups
The confidentiality of backup CUI must be protected at storage locations. The control addresses the specific scenario of backup media held at locations other than the primary environment. The protection obligation at the backup location must be commensurate with the protection at the primary location. A backup tape held in a storage facility that does not provide the same access controls, environmental protections, and handling procedures as the primary location creates a confidentiality gap that the control is designed to close. Off-site backup services that claim security by assertion rather than by demonstrable evidence do not satisfy the control. The protection must be verifiable.
Removable Media Use
The third cluster restricts how removable storage devices can be used within the environment. Removable media is simultaneously an attack vector for malicious code, an exfiltration path for CUI, and an operational necessity for many legitimate activities. The two controls in this cluster address the use restrictions that balance these competing realities.
MP.L2-3.8.7 Removable Media
The use of removable media on system components must be controlled. The control requires that removable media use is governed by policy, technical enforcement, or both. Technical enforcement typically includes endpoint policies that prevent unauthorized USB devices from functioning, group policies that block removable storage device classes, or allowlists that permit specific approved devices. This control has a notable interaction with hardware-based MFA tokens, which are removable USB devices that must be permitted even when general removable media is restricted. The tokens expose the HID interface class (FIDO/U2F authenticators) and, for PIV-style tokens, the CCID smart-card class rather than the mass storage class, which is what makes a class-based policy workable. The MFA implementation white paper addresses this interaction in depth, including the USB device class conflict that frequently arises between 3.8.7 and the hardware authenticators required to satisfy IA.3.5.3.
MP.L2-3.8.8 Shared Media
The use of portable storage devices must be prohibited when such devices have no identifiable owner. The control addresses the anonymous USB drive problem. Shared devices without accountability create an attack vector in which malicious code can be introduced and an exfiltration path in which CUI can leave the environment without traceable responsibility. The implementation typically requires that every permitted portable storage device is registered to a specific owner, with the registration tied to organizational asset management. A drive found on the floor, brought in by a visitor, or left in a shared tray does not have an identifiable owner and must be prohibited from use.
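The two controls in this cluster come down to one admission decision per attached device: is it storage or an authenticator, and if it is storage, who owns it. The following Python script is an added example, not code from the page or from any endpoint product, showing that decision in one place so the 3.8.7 class restriction and the 3.8.8 ownership requirement can be read together. The owner registry, vendor/product IDs, serial numbers, and device descriptors are constructed sample data; on a real endpoint the same logic is expressed as the enforcement tool's class and allowlist rules.

```python
"""Removable media admission check (added example, not from the page): USB interface classes
decide whether a device is storage or an authenticator, and an owner registry decides whether
storage is permitted."""
from dataclasses import dataclass

# USB-IF interface class codes that matter for this policy.
CLASS_HID = 0x03           # keyboards, mice, and FIDO/U2F authenticators
CLASS_MASS_STORAGE = 0x08  # thumb drives, card readers, external disks
CLASS_SMART_CARD = 0x0B    # CCID: PIV / smart-card style authenticators
AUTHENTICATOR_CLASSES = frozenset({CLASS_HID, CLASS_SMART_CARD})


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str                   # empty string when the descriptor carries no serial
    interface_classes: frozenset  # class code of every interface the device exposes
    product: str = ""


# Constructed owner registry (hypothetical data): the 3.8.8 accountability record,
# keyed by device serial so an unregistered drive cannot borrow a permitted VID:PID.
OWNER_REGISTRY = {
    "A1B2C3D4": {"owner": "j.doe", "asset_tag": "USB-0017"},
    "C0MP051T": {"owner": "m.roe", "asset_tag": "USB-0031"},
}


def evaluate(dev, registry=OWNER_REGISTRY):
    """Return ("allow" | "deny", reason). Storage is permitted only for registered devices
    that expose nothing but storage; authenticator-only devices pass; all else is denied."""
    classes = dev.interface_classes
    if CLASS_MASS_STORAGE in classes:
        if not dev.serial:
            return "deny", "mass storage with no serial: no identifiable owner (3.8.8)"
        entry = registry.get(dev.serial)
        if entry is None:
            return "deny", f"mass storage serial {dev.serial} not registered to an owner (3.8.8)"
        extra = sorted(classes - {CLASS_MASS_STORAGE})
        if extra:
            # storage plus HID is the keystroke-injection pattern; refuse it even when registered
            return "deny", f"composite device mixes storage with classes {extra} (3.8.7)"
        return "allow", f"registered to {entry['owner']} as {entry['asset_tag']} (3.8.7 allowlist)"
    if classes and classes <= AUTHENTICATOR_CLASSES:
        return "allow", "authenticator interface classes only, no storage exposed"
    return "deny", f"interface classes {sorted(classes)} not approved for removable use (3.8.7)"


def audit(devices, registry=OWNER_REGISTRY):
    """Evaluate a list of attached devices; returns [(product, decision, reason), ...]."""
    return [(d.product, *evaluate(d, registry)) for d in devices]


# Constructed device descriptors standing in for what the endpoint enumerates.
SAMPLE_DEVICES = [
    UsbDevice(0x0951, 0x1666, "A1B2C3D4", frozenset({CLASS_MASS_STORAGE}), "registered thumb drive"),
    UsbDevice(0x0951, 0x1666, "ZZ99XX00", frozenset({CLASS_MASS_STORAGE}), "drive found in shared tray"),
    UsbDevice(0x090C, 0x1000, "", frozenset({CLASS_MASS_STORAGE}), "visitor drive, no serial"),
    UsbDevice(0x1050, 0x0407, "", frozenset({CLASS_HID, CLASS_SMART_CARD}), "hardware MFA token"),
    UsbDevice(0x1234, 0x0001, "C0MP051T", frozenset({CLASS_HID, CLASS_MASS_STORAGE}),
              "storage plus keyboard composite"),
]

if __name__ == "__main__":
    for product, decision, reason in audit(SAMPLE_DEVICES):
        print(f"{decision:5} {product:32} {reason}")
```

Two caveats a practitioner should carry into the real configuration. Allowing the HID class is what keeps the MFA token working, but it also admits every keyboard, so an HID-only keystroke-injection device is not stopped by this rule and needs a separate control. And the registry is keyed by serial for a reason: vendor and product IDs are shared by every unit of a model, so an allowlist built on VID:PID alone permits any drive of that model, registered or not.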
Where Media Protection Intersects with Other Domains
Media Protection intersects with several domains because media handling is a physical activity that combines access, authentication, and configuration concerns.
Access Control is the upstream source of the authorization that MP.3.8.2 extends to media. The access decisions that AC makes about systems apply equally to the media that carries the data from those systems. AC.3.1.19 on encrypting CUI on mobile devices overlaps directly with MP.3.8.6 on portable storage encryption, and the two controls are often satisfied together.
Identification and Authentication interacts with MP through the hardware token question. IA.3.5.3 requires multi-factor authentication, and hardware tokens satisfying that requirement are removable devices that must coexist with the restrictions under MP.3.8.7. The interaction is operationally significant because overly strict removable media policies can prevent the hardware authenticators from functioning.
System and Communications Protection provides the cryptographic foundations that MP.3.8.6 relies on for transport encryption. SC.3.13.11 is where the FIPS-validated cryptography requirement actually lives; MP inherits it whenever cryptography is the mechanism used to protect CUI on transported media.
Maintenance intersects through MA.3.7.3, which requires equipment sanitization before off-site maintenance. The sanitization standards and procedures are MP responsibilities that MA depends on. A weak MP implementation produces MA findings because the maintenance controls cannot demonstrate the required sanitization.
Physical Protection provides the environmental controls under which media storage occurs. The locked rooms, controlled facilities, and environmental protections that MP depends on for physical security are PE obligations. Transport of media through physical spaces also invokes PE concerns during the transit portion of MP.3.8.5.
System and Information Integrity interacts through the malicious code concern that underlies MP.3.8.7 and 3.8.8. Removable media is a common vector for malicious code introduction, and the integrity controls that SI addresses depend on MP preventing the unauthorized media that would otherwise bypass them.
Common Implementation Pitfalls
Several patterns come up repeatedly in Media Protection readiness work.
Paper records overlooked entirely. The compliance program addresses digital media but does not extend to the printed engineering drawings, traveler sheets, and contract documents that carry CUI in physical form. The 3.8.1 obligation explicitly includes paper, and a program that treats MP as a digital-only concern has a coverage gap that assessors will identify.
CUI markings inconsistently applied. The policy requires CUI markings, but digital files, email attachments, and printed outputs are not consistently marked in practice. The marking requirement under 3.8.4 is not satisfied by intermittent compliance. The assessable standard is that every instance of CUI media carries the required markings.
Sanitization by deletion rather than by NIST SP 800-88 methods. Drives are reformatted, files are deleted, or operating systems are reinstalled, and the media is considered sanitized. The 3.8.3 standard is clearing, purging, or destroying per NIST 800-88, and deletion does not meet that standard for most media types. Remediation requires a sanitization procedure that uses appropriate tools and produces verifiable evidence.
Transport encryption that is not FIPS-validated. The portable media is encrypted, but the cryptographic module is not on the CMVP validated list. 3.8.6 requires cryptographic protection, and SC.3.13.11 requires that cryptography protecting the confidentiality of CUI be FIPS-validated, so implementations that use approved algorithms through non-validated modules do not satisfy the pair of controls. The distinction matters because assessors verify the validation status of the specific modules in use, not just the algorithm names.
Removable media policies that block hardware MFA tokens. The organization deploys an aggressive removable media restriction under 3.8.7 and subsequently discovers that the restriction also blocks the hardware authenticators that IA.3.5.3 requires. The remediation is class-specific policy rather than blanket restriction: permit the HID interface class (and the CCID smart-card class for PIV-style tokens) while blocking the mass storage class, which the MFA implementation white paper addresses in detail.
Backup storage with weaker controls than the primary environment. The backup service provides encrypted storage, but the access controls, environmental protections, and handling procedures at the backup location are not at the level that the primary environment maintains. The 3.8.9 requirement calls for commensurate protection, and weakening the controls at the backup location creates a compliance gap that the backup encryption alone does not close.
Shared USB drives with no ownership tracking. The organization permits removable media use but has no accountability mechanism that ties each permitted device to a specific owner. The 3.8.8 prohibition on anonymous portable storage requires that every permitted device have an identifiable owner, which in turn requires an asset inventory and a registration process.
Where to Start
For an organization new to the MP domain, the first work is the media inventory.
The foundational deliverable is an inventory of every medium on which CUI exists in the environment. The inventory must cover digital media (drives, tapes, optical disks, mobile storage), physical media (printed documents, drawings, files), and the storage locations for each. Without this inventory, the controls in the domain cannot be applied systematically because the scope of media handling is not known.
The second deliverable is the marking and handling procedure. How CUI media is marked at creation, how those markings are maintained through the media lifecycle, and how handlers know that specific media requires CUI-level protection. The marking procedure addresses 3.8.4 directly and supports the handling evidence for the rest of the domain.
The third deliverable is the sanitization and disposal procedure. What methods are used for each media type, how sanitization is verified, and what records document that sanitization occurred. The procedure addresses 3.8.3 directly and also supports the MA.3.7.3 equipment sanitization obligation for off-site maintenance.
With the inventory, marking procedure, and sanitization procedure in place, the remaining MP controls become implementation work against a documented foundation. The removable media restrictions, transport encryption, and backup protection obligations each operate against known media that the organization has chosen to permit rather than against an undefined population of devices and handling scenarios.