Media Accountability
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
What an assessor scores, the objectives
MP.L2-3.8.5 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.access to media containing CUI is controlled
- b.accountability for media containing CUI is maintained during transport outside of controlled areas
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For MP.L2-3.8.5, an assessor uses these:
System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; system security plan; system media; designated controlled areas; other relevant documents or records
Personnel with system media protection and storage responsibilities; personnel with information security responsibilities; system or network administrators
Organizational processes for storing media; mechanisms supporting or implementing media storage and media protection
What it means, in context
Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used . Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes . For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.
CUI is protected in both physical and digital formats. Physical control can be accomplished using traditional concepts like restricted access to physical locations or locking papers in a desk or filing cabinet. The digitization of data makes access to CUI much easier. CUI can be stored and transported on magnetic disks, tapes, USB drives, CD -ROMs, and so on. This makes digital CUI data very portable. It is important for an organization to apply mechanisms to prevent unauthorized access to CUI due to ease of transport. Example Your team has recently completed configuring a server for a DoD customer . The customer has asked that it be ready to plug in and use. An application installed on the server contains data that is considered CUI. You box the server for shipment using tamper-evident packaging and label it with the specific recipient for the shipment [b]. You select a reputable shipping service so you will get a tracking number to monitor the progress. Once the item is shipped, you send the recipients the tracking number so they can monitor and ensure prompt delivery at their facility. Potential Assessment Considerations • Do only approved individuals have access to media containing CUI [a]? • Is access to the media containing CUI recorded in an audit log [b]? • Is all CUI data on media encrypted or physically locked prior to transport outside of secure locations [b]?
What passing evidence looks like
The media accountability rule for transport: media leaving the facility is logged out and in, restricted to authorized carriers, with the transport log.
Common ways contractors fail MP.L2-3.8.5
- !If media never leaves the building, say exactly that in the note, that is a legitimate and clean answer. The log exists for when it does.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove MP.L2-3.8.5, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MP.L2-3.8.5 questions, answered
How many points is CMMC requirement MP.L2-3.8.5 worth?+
MP.L2-3.8.5 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can MP.L2-3.8.5 be placed on a POA&M?+
Yes. A gap on MP.L2-3.8.5 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does MP.L2-3.8.5 belong to?+
MP.L2-3.8.5 is in the Media Protection (MP) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.8.5