Shared Media
Prohibit the use of portable storage devices when such devices have no identifiable owner.
What an assessor scores, the objectives
MP.L2-3.8.8 is met only when every one of these 1 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.the use of portable storage devices is prohibited when such devices have no identifiable owner
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For MP.L2-3.8.8, an assessor uses these:
System media protection policy; system use policy; procedures addressing media usage restrictions; system security plan; rules of behavior; system configuration settings and associated documentation; system design documentation; system audit logs and records; other relevant documents or records
Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators
SELECT FRO M: Organizational processes for media use; mechanisms prohibiting use of media on systems or system components
What it means, in context
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).
A portable storage device is a system component that can be inserted into and removed from a system and is used to store data or information. It typically plugs into a laptop or desktop port (e.g., USB port). These devices can contain malicious files that can lead to a compromise of a connected system. Therefore, use should be prohibited if the device cannot be traced to an owner who is responsible and accountable for its security. This requirement, MP.L2 -3.8.8, furthers the protections provided by MP.L2-3.8.7 by prohibiting unidentified media use even if that media type is allowable. Example You are the IT manager. One day, a staff member reports finding a USB drive in the parking lot. You investigate and learn that there are no labels on the outside of the drive to indicate who might be responsible for it. You send an email to all employees to remind them that IT policies expressly prohibit plugging unknown devices into company computers . You also direct staff members to turn in to the IT help desk any devices that have no identifiable owner [a]. Potential Assessment Considerations • Do portable storage devices used have identifiable owners [a]?
What passing evidence looks like
The no anonymous media rule: portable storage with no identifiable owner is prohibited, in the media policy, and unlabeled found drives are quarantined.
Common ways contractors fail MP.L2-3.8.8
- !The found USB in the parking lot scenario. The rule is one line; train it in awareness so staff hand strays to the incident lead instead of plugging them in.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove MP.L2-3.8.8, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MP.L2-3.8.8 questions, answered
How many points is CMMC requirement MP.L2-3.8.8 worth?+
MP.L2-3.8.8 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.
Can MP.L2-3.8.8 be placed on a POA&M?+
No. MP.L2-3.8.8 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does MP.L2-3.8.8 belong to?+
MP.L2-3.8.8 is in the Media Protection (MP) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.8.8