Media Access
Limit access to CUI on system media to authorized users.
What an assessor scores, the objectives
MP.L2-3.8.2 is met only when every one of these 1 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.access to CUI on system media is limited to authorized users
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For MP.L2-3.8.2, an assessor uses these:
System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; system security plan; system media; designated controlled areas; other relevant documents or records
Personnel with system media protection and storage responsibilities; personnel with information security responsibilities
Organizational processes for storing media; mechanisms supporting or implementing secure media storage and media protection
What it means, in context
Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library.
Limit physical access to CUI to people permitted to access CUI. Use locked or controlled storage areas and limit access to only those allowed to access CUI. Keep track of who accesses physical CUI in an audit log. Example Your company has CUI for a specific Army contract contained on a USB drive. In order to control the data, you establish specific procedures for handling the drive. You designate the project manager as the owner of the data and require anyone who needs access to the data to get permission from the data owner [a]. The data owner maintains a list of users that are authorized to access the information. Before an authorized individual can get access to the USB drive that contains the CUI they have to fill out a log and check out the drive. When they are done with the data, they check in the drive and return it to its secure storage location. Potential Assessment Considerations • Is a list of users who are authorized to access the CUI contained on system media maintained [a]?
What passing evidence looks like
Access to CUI media limited to authorized users: who holds the cabinet key, whose accounts reach the digital store, matching your roster.
Common ways contractors fail MP.L2-3.8.2
- !Key control is the physical mirror of account control. If everyone knows where the cabinet key hangs, access is not limited. Name the key holders.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove MP.L2-3.8.2, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MP.L2-3.8.2 questions, answered
How many points is CMMC requirement MP.L2-3.8.2 worth?+
MP.L2-3.8.2 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.
Can MP.L2-3.8.2 be placed on a POA&M?+
No. MP.L2-3.8.2 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does MP.L2-3.8.2 belong to?+
MP.L2-3.8.2 is in the Media Protection (MP) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.8.2