CMMC Level 2 Practice 3.8.1: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital

CMMC Level 2 Practice 3.8.1 requires you to physically control and securely store any system media that contains CUI, including both paper records and digital media. To operationalize it fast, inventory where CUI media exists, define approved storage and handling rules, restrict access, and retain repeatable evidence that storage and control are working in practice. [1]

Key takeaways:

  • Treat “media” broadly: paper, removable drives, laptops, backup devices, and printed exports that contain CUI. [1]
  • Your assessor will look for physical controls plus proof of day-to-day operation (logs, sign-out, photos, procedures). [2]
  • The fastest path is: inventory → storage standards → access control → handling workflow → evidence cadence mapped to the practice. [1]

This requirement is easy to “say you do” and surprisingly easy to fail in an assessment. CMMC Level 2 Practice 3.8.1 focuses on physical protection of CUI-bearing media, which means you need controls for how media is stored, who can touch it, and how you prevent loss or unauthorized access during normal operations. The scope includes paper files and “system media,” such as removable storage, external drives, portable devices, and other media used to store or transport CUI. [1]

For a Compliance Officer, CCO, or GRC lead, the operational challenge is consistency: engineering may handle removable drives one way, program teams may print CUI for meetings, and facilities may control keys without a clear access list tied to CUI storage locations. Assessors tend to ask, “Show me where CUI media lives, who can access it, and how you know the process is followed.” [2]

This page gives requirement-level guidance you can implement quickly: who is in scope, what controls to stand up, what evidence to keep, and how to avoid common audit traps, all mapped back to the CMMC Level 2 / NIST SP 800-171 Rev. 2 intent. [1]

Requirement: what 3.8.1 is asking for (plain English)

You must prevent unauthorized physical access to media containing CUI by controlling it and storing it securely. That includes:

  • Paper CUI (printed emails, drawings, work instructions, shipping docs, meeting packets).
  • Digital media that stores CUI (removable USBs, external HDD/SSD, backup tapes/drives, portable devices used to transfer files, and other system media). [1]

“Protect” here is about physical control (who can possess it) and secure storage (where it is kept when not actively used). Encryption helps for other practices, but 3.8.1 is satisfied (or failed) based on whether media is physically protected in the real world. [1]

Regulatory text

CMMC Level 2 Practice 3.8.1 is mapped to NIST SP 800-171 Rev. 2 requirement 3.8.1: “Protect (i.e., physically control and securely store) system media containing CUI, both paper and [digital].” [1]

Operator translation: you need defined, implemented, and evidenced controls that keep CUI media:

  • In approved secure storage (locked rooms, locked cabinets, controlled-access areas).
  • Under accountable control when in use (sign-out, assigned custody, supervision).
  • Access-limited to authorized personnel with a business need. [1]

CMMC program context: CMMC Level 2 assessments validate practice implementation through objective evidence, not intentions. Plan your control so you can show it repeatedly and consistently. [3]

Who it applies to (entity + operational context)

Applies to: defense contractors and other federal contractors that handle CUI in nonfederal systems and are pursuing/required to meet CMMC Level 2. [4]

Applies where: any facility, office, lab, production floor, program area, or remote work context where CUI may be:

  • Printed, stored, or archived.
  • Copied to removable media or portable devices.
  • Shipped, hand-carried, or temporarily staged for use. [1]

Common “surprise” in-scope areas:

  • Conference rooms (printed CUI left behind).
  • Shared printers/MFP output trays.
  • Engineering labs with shared removable drives.
  • Shipping/receiving and document control rooms.
  • Home offices if printing is permitted. [1]

What you actually need to do (step-by-step)

1) Define what “media containing CUI” means in your environment

Create a short, specific definition and examples list. Include:

  • Paper records with CUI markings or known CUI content.
  • Removable storage used to transfer or back up CUI.
  • Portable endpoints that may store CUI locally (if permitted by your architecture). [1]

Deliverable: “CUI Media Handling & Storage Standard” (one to three pages) that staff can follow.

2) Inventory CUI media types and storage locations

You need a practical inventory that answers: What media exists, where is it stored, and who owns it?

  • Paper repositories: file rooms, cabinets, binders, safes.
  • Device repositories: locked drawers for USBs, evidence lockers, IT secure storage for backup media.
  • Workflow touchpoints: printers, scanning stations, mailroom staging. [1]

Tip: keep this as a register with “owner” and “approved storage method” columns so you can assign accountability.

3) Establish approved secure storage controls (by media type)

Pick storage controls that match your facility reality and then standardize them.

Paper CUI storage options:

  • Locked cabinets in access-controlled areas.
  • Locked rooms with controlled key/badge access.
  • Controlled document control center with check-in/check-out. [1]

Digital/removable media storage options:

  • Locked cabinets or safes for removable drives.
  • IT-controlled secure room for backup media.
  • Custody rules for portable media (assigned to a person, not a shared drawer). [1]

4) Restrict and document access (authorization + need-to-know)

3.8.1 is physical, but your access model must still be defined:

  • List roles authorized to access CUI storage areas (program roles, document control, IT custodians).
  • Tie access approvals to HR onboarding/offboarding.
  • Maintain a current access list for each CUI storage location. [1]

Facilities alignment: if Facilities manages keys/badges, integrate their records into your evidence package.

5) Implement handling workflows for “in use” and “in transit”

Secure storage covers “at rest,” but assessors will also test “during use” behaviors.

  • Printing: require immediate pickup, prohibit leaving CUI on printers, define secure bins for misprints.
  • Meetings: require end-of-meeting paper sweep; return to locked storage.
  • Transport: require sealed envelopes/containers, maintain chain-of-custody for removable media when moved between controlled spaces.
  • Remote work (if allowed): specify whether printing is allowed and what storage controls are required at the alternate worksite. [1]

6) Train and enforce with simple checks

Train the roles that handle media most: program staff, engineering, admin staff, IT, document control, shipping/receiving. Then enforce:

  • Periodic spot checks of printers, conference rooms, and file cabinets.
  • A simple “found CUI” escalation path and incident ticket category. [2]

7) Map the practice to recurring evidence capture (assessment readiness)

CMMC assessments reward organizations that can show the control operating over time. Build an evidence cadence:

  • Monthly or quarterly spot-check records.
  • Updated storage location register when spaces change.
  • Access list reviews when roles change. [2]

Daydream fit: Daydream is useful here to map 3.8.1 to an owned control, schedule recurring evidence requests (Facilities/IT/Document Control), and keep artifacts packaged for assessment without chasing screenshots at the last minute. [2]

Required evidence and artifacts to retain

Keep evidence that proves both design (the rule) and operation (people follow it).

Core artifacts (high value):

  • CUI Media Handling & Storage policy/standard with scope covering paper and digital media. [1]
  • Inventory/register of CUI media storage locations and custodians.
  • Photos or diagrams of approved storage (locked cabinets, secure rooms) with location identifiers.
  • Access control lists for CUI storage areas (badge groups, key logs, room authorization lists).
  • Check-out / chain-of-custody logs for removable media (if removable media is allowed).
  • Printer/misprint handling procedure and secure disposal bin process documentation (if you generate paper CUI).
  • Training completion records for in-scope roles. [2]

Operational proof (what assessors often ask for):

  • Spot-check records (date, checker, findings, remediation).
  • Tickets/incidents for lost media, unattended printouts, or process violations, plus corrective actions.
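As an added example (not part of this page, and not code from Daydream or any other tool it mentions), the following Python script models the three operational records discussed above: the storage-location register with owner and approved-storage columns, the removable-media check-out log, and the spot-check cadence. A readiness check walks those records and flags the gaps an assessor typically asks about (no accountable owner, unapproved storage method, missing or stale access list, overdue spot check, unreturned removable media, custody events that point at an unregistered location). Every location ID, person, date and threshold is constructed for illustration; the 90-day spot-check interval, 365-day access-list review and 7-day check-out limit are assumptions chosen for the demo, not values from NIST SP 800-171 or CMMC guidance.

```python
"""Added example: CUI media register + custody log + readiness check for 3.8.1.
All identifiers, people and dates below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Storage methods your written standard names as approved (assumed list).
APPROVED_STORAGE = {"locked cabinet", "locked room", "safe", "document control center"}


@dataclass
class StorageLocation:
    """One row of the CUI storage-location register."""
    location_id: str
    description: str
    media_types: Tuple[str, ...]           # "paper" and/or "removable"
    owner: Optional[str]                   # accountable custodian (person or function)
    storage_method: Optional[str]          # must be one of APPROVED_STORAGE
    authorized_roles: Tuple[str, ...] = () # the access list for this location
    access_list_reviewed: Optional[date] = None
    last_spot_check: Optional[date] = None


@dataclass
class CustodyEvent:
    """One line of the removable-media check-out / chain-of-custody log."""
    media_id: str
    location_id: str
    custodian: str
    checked_out: date
    returned: Optional[date] = None


def readiness_gaps(locations: List[StorageLocation], custody_log: List[CustodyEvent],
                   today: date, spot_check_days: int = 90,
                   access_review_days: int = 365, max_checkout_days: int = 7):
    """Return (item_id, finding) pairs an assessor would raise against 3.8.1 evidence."""
    gaps = []
    known = {loc.location_id for loc in locations}
    for loc in locations:
        if not loc.owner:
            gaps.append((loc.location_id, "no accountable owner"))
        if loc.storage_method not in APPROVED_STORAGE:
            gaps.append((loc.location_id, f"storage method not approved: {loc.storage_method!r}"))
        if not loc.authorized_roles:
            gaps.append((loc.location_id, "no access list"))
        elif (loc.access_list_reviewed is None
              or (today - loc.access_list_reviewed).days > access_review_days):
            gaps.append((loc.location_id, "access list review overdue"))
        if loc.last_spot_check is None or (today - loc.last_spot_check).days > spot_check_days:
            gaps.append((loc.location_id, "spot check overdue"))
    for ev in custody_log:
        if ev.location_id not in known:
            gaps.append((ev.media_id, f"checked out from unregistered location {ev.location_id}"))
        if ev.returned is None and (today - ev.checked_out).days > max_checkout_days:
            gaps.append((ev.media_id, f"removable media not returned ({ev.custodian})"))
    return gaps


def build_sample():
    """Constructed register and custody log: one clean location, two with problems."""
    locations = [
        StorageLocation("FR-01", "Document control file room", ("paper",), "Document Control",
                        "locked room", ("doc-control", "program-mgr"),
                        access_list_reviewed=date(2024, 3, 15), last_spot_check=date(2024, 5, 20)),
        StorageLocation("LAB-02", "Engineering lab USB drawer", ("removable",), None,
                        "shared drawer", (), last_spot_check=date(2024, 1, 10)),
        StorageLocation("IT-03", "Backup media room", ("removable",), "IT",
                        "locked room", ("it-custodian",),
                        access_list_reviewed=date(2023, 4, 1), last_spot_check=date(2024, 5, 1)),
    ]
    custody_log = [
        CustodyEvent("USB-0042", "LAB-02", "j.doe", date(2024, 5, 10)),                    # never returned
        CustodyEvent("USB-0017", "IT-03", "a.lee", date(2024, 5, 28), date(2024, 5, 29)),  # clean
        CustodyEvent("HDD-0003", "SHIP-09", "r.kim", date(2024, 5, 30)),                   # unknown location
    ]
    return locations, custody_log


def demo(today: date = date(2024, 6, 1)):
    locations, custody_log = build_sample()
    return readiness_gaps(locations, custody_log, today)


if __name__ == "__main__":
    for item, finding in demo():
        print(f"{item}: {finding}")
```

Running the script lists seven findings; the clean file room FR-01 produces none, which is the shape of evidence you want to be able to show: a register where every location has an owner, an approved storage method, a reviewed access list and a recent spot check, and a custody log with nothing open past its limit.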

Common exam/audit questions and hangups

  • “Show me every place CUI is stored physically.” If your inventory is incomplete, you will scramble.
  • “Who can access this cabinet/room?” Facilities may have the answer, but you need it packaged and current.
  • “How do you prevent CUI printouts from being abandoned?” A policy alone fails if printers sit in open areas without controls.
  • “Do you allow USB drives?” If yes, expect follow-ups on storage, labeling, custody, and disposal. [1]
  • “Prove the control operates.” Assessors often request recent examples of checks, logs, or records. [2]

Frequent implementation mistakes (and how to avoid them)

  1. Relying on “clean desk” language without storage specifics. Fix: name approved storage types and locations; assign owners.
  2. Ignoring shared printers and conference rooms. Fix: add meeting sweep steps and print pickup rules; do spot checks.
  3. No custody model for removable media. Fix: prohibit by default or require check-out logs and locked storage.
  4. Facilities controls exist but aren’t connected to CUI. Fix: tag CUI storage areas and align badge/key access reviews to those areas.
  5. Evidence is ad hoc. Fix: predefine what evidence you collect and when; keep it in an assessment-ready package. [2]

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, but the risk is straightforward: lost or uncontrolled media is a common path to CUI exposure, and CMMC assessments require objective evidence that practices are implemented. Treat 3.8.1 as a “show me” control: if you cannot demonstrate secure storage and physical control consistently, you risk failing the practice in a Level 2 assessment. [3]

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and rules)

  • Name a control owner (GRC) and operational owners (Facilities, IT, Document Control).
  • Publish the CUI Media Handling & Storage Standard (paper + digital media).
  • Build the initial inventory of CUI storage locations and media types.
  • Implement quick wins: lock cabinets, move printers, add secure misprint bins where needed.

Next 60 days (operationalize and evidence)

  • Implement access lists per CUI storage area; reconcile badges/keys to authorized roles.
  • Stand up check-out / chain-of-custody for removable media (or formally prohibit removable media where feasible).
  • Deliver role-based training and require acknowledgement for in-scope roles.
  • Start spot checks and record findings and remediation.

Next 90 days (prove repeatability)

  • Run a mini internal assessment: walk an assessor-style sample (one office, one lab, one printer area).
  • Close gaps found in spot checks; document corrective actions.
  • Package evidence by practice (3.8.1) so it is ready for assessor requests and management review. [2]

Frequently Asked Questions

Does 3.8.1 apply if we never print CUI?

Yes, if you handle CUI on any media you still need physical control and secure storage for that media type. If printing is prohibited, document the prohibition and confirm it operationally (for example, printer access controls and spot checks). [1]

Are laptops “system media” for this requirement?

If laptops store CUI (even temporarily), they are in scope for physical control and secure storage expectations. You should define storage and handling rules for portable endpoints as part of your media standard. [1]

Can we meet 3.8.1 with encryption alone for removable drives?

Encryption helps protect confidentiality, but 3.8.1 is explicitly about physical control and secure storage of media. Keep the physical controls (locked storage, custody rules, access restriction) even if encryption is enabled. [1]

What evidence is most persuasive in a CMMC Level 2 assessment?

Assessors typically respond well to a complete package: written standard, storage inventory, access lists, and operational records like spot checks and sign-out logs. Evidence that spans time is stronger than a one-time screenshot set. [2]

How do we handle conference rooms where teams review printed CUI?

Require a “paper sweep” step at meeting close, designate who is responsible, and require immediate return to locked storage. Back it up with occasional spot checks and documented remediation when a lapse occurs. [1]

We use a third-party shredding service. Does that affect 3.8.1?

Yes, because CUI on paper is media that must remain physically controlled until destruction. Treat the shredding provider as a third party in scope for your handling process, and retain chain-of-custody documentation aligned to your internal procedures. [1]

Footnotes

  1. NIST SP 800-171 Rev. 2

  2. DoD CMMC Program Guidance

  3. DoD CMMC Program Guidance; 32 CFR Part 170

  4. 32 CFR Part 170; DoD CMMC Program Guidance
