MP.L2-3.8.1 · NIST SP 800-171 3.8.1

Media Protection

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

3 points if not metMust be fully met, cannot POA&M4 assessment objectives

What an assessor scores, the objectives

MP.L2-3.8.1 is met only when every one of these 4 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a.paper media containing CUI is physically controlled
  • b.digital media containing CUI is physically controlled
  • c.paper media containing CUI is securely stored
  • d.digital media containing CUI is securely stored

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For MP.L2-3.8.1, an assessor uses these:

Examine

System media protection policy; procedures addressing media storage; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; system security plan; media storage facilities; access control records; other relevant documents or records

Interview

Personnel with system media protection responsibilities; personnel with information security responsibilities; system or network administrators

Test

Organizat ional processes for restricting information media; mechanisms supporting or implementing media access restrictions

What it means, in context

System media includes digital and non- digital media. Digital media includes diskettes, magnetic tapes, external and removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes paper and microfilm. Protecting digital media includes limiting access to design specifications stored on compact disks or flash drives in the media library to the project leader and any individuals on the development team. Physically controlling system media includes conducting inventories, maintaining accountability for stored media, and ensuring procedures are in place to allow individuals to check out and return media to the media library. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library. Access to CUI on system media can be limited by physically controlling such media, which includes conducti ng inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.

CUI can be contained on two types of physical media: • hardcopy (e.g., CD drives, USB drives, magnetic tape); and • digital devices (e.g., CD drives, USB drives, video). You should store physical media containing CUI in a secure location. This location should be accessible only to those people with the proper permissions. All who access CUI should follow the process for checking it out and returning it. Example Your company has CUI for a specific Army contract contained on a USB drive. You store the drive in a locked drawer , and you log it on an inventory [d]. You establish a procedure to check out the USB drive so you have a history of who is accessing it. These procedures help to maintain the confidentiality, integrity, and availability of the data. Potential Assessment Considerations • Is hardcopy media containing CUI handled only by authorized personnel according to defined procedures [a]? • Is digital media containing CUI handled only by authorized personnel according to defined procedures [b]? • Is paper media containing CUI physically secured (e.g., in a locked drawer or cabinet) [c]? • Is digital media containing CUI securely stored (e.g., in access -controlled repositories) [d]?

What passing evidence looks like

Where CUI media lives (paper and digital) and the protection: locked storage for paper and drives, encrypted volumes for digital, shown with photos and settings.

Common ways contractors fail MP.L2-3.8.1

  • !Paper counts. The printed drawing set in an unlocked drawer fails the physical half; the locked cabinet photo answers it.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove MP.L2-3.8.1, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

MP.L2-3.8.1 questions, answered

How many points is CMMC requirement MP.L2-3.8.1 worth?+

MP.L2-3.8.1 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.

Can MP.L2-3.8.1 be placed on a POA&M?+

No. MP.L2-3.8.1 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does MP.L2-3.8.1 belong to?+

MP.L2-3.8.1 is in the Media Protection (MP) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.8.1