03.08.02: Media Access
NIST SP 800-171 Rev. 3 requirement 03.08.02 (Media Access) requires you to restrict access to digital and non-digital media that contains CUI so only authorized users, systems, and processes can read, copy, move, or destroy it. To operationalize it fast, define what “media” means in your CUI environment, enforce access controls for each media type, and retain audit-ready evidence of who can access what and why. [1]
Key takeaways:
- Treat “media” as a full lifecycle problem: inventory, storage, access, movement, and disposal for any CUI-bearing media. [1]
- Enforce role-based access plus physical controls for removable media, backups, printed outputs, and device drives, not just shared folders. [1]
- Tie implementation to your SSP/POA&M with named owners, system boundaries, and recurring evidence collection so an assessor can test it. [1]
“Media access” is where many CUI programs fail quietly: teams lock down applications but forget the media that applications write to, back up to, export to, or print. Requirement 03.08.02 pushes you to control access to the media itself, not only to the systems that create CUI. That includes removable storage, device local drives, cloud storage sync folders, backup repositories, paper records, and any other form factor that can store CUI.
For a CCO or GRC lead, the fastest path is to translate this requirement into a small set of enforceable rules: define which media types are allowed to store CUI, restrict who can access each type, control how media moves, and keep evidence that access is authorized and reviewed. Your assessor will look for two things: (1) clear scoping of where CUI can land, and (2) operational proof that access is restricted and monitored.
This page gives you requirement-level implementation guidance, exam-ready artifacts, and a practical execution plan you can run through your SSP and POA&M. [2]
Regulatory text
Requirement: “NIST SP 800-171 Rev. 3 requirement 03.08.02 (Media Access).” [1]
Operator interpretation: You must control who can access media that contains CUI across its lifecycle (creation, storage, transport, reuse, and disposal). “Access” includes reading, copying, modifying, exporting, printing, imaging, or destroying media. Your implementation has to be specific enough that an assessor can test it through observation, interviews, and evidence review. [2]
Plain-English interpretation (what the requirement is really asking)
Media access is about preventing CUI from being exposed through “side doors”:
- A user who is blocked from a CUI app but can pull CUI from a backup share.
- A contractor who cannot access a project folder but can copy CUI to a USB drive.
- A printer/copier with a hard drive that stores scanned documents and can be browsed.
- A laptop that is deprovisioned but still has accessible local files.
So your goal is simple: only approved people and approved systems can touch CUI-bearing media, and you can prove it. [1]
Who it applies to
Entities: Any nonfederal organization (including federal contractors and subcontractors) that processes, stores, or transmits CUI in nonfederal systems. [1]
Operational context: This requirement touches:
- IT operations (endpoints, backups, storage, printing, device management)
- Security engineering (access control design, logging, encryption decisions)
- Records management (paper handling, retention/disposal)
- Program management (SSP/POA&M, ownership, periodic review) [1]
What you actually need to do (step-by-step)
Use this sequence to get to “assessable” quickly.
1) Define “media” for your CUI environment (scope first)
Create a list of media types that can store CUI in your environment, at minimum:
- Removable digital media: USB drives, external HDD/SSD, SD cards
- Endpoint media: laptop/desktop internal drives, mobile device storage
- Network/cloud storage: file shares, SharePoint/OneDrive sync folders, object storage buckets
- Backup media: backup appliances, backup shares, tapes (if used), snapshot repositories
- Output media: printers/copiers/MFD storage, scanned PDFs, fax-to-email workflows (if any)
- Non-digital media: printed CUI, notebooks, shipping labels, engineering drawings [1]
Deliverable: a “CUI Media Register” (table) that names each media type, where it exists, and whether it is allowed for CUI.
2) Decide what media is allowed to contain CUI (and prohibit the rest)
You need explicit rules such as:
- “CUI may be stored only in approved repositories.”
- “Removable media is prohibited unless exception-approved for mission need.”
- “Printing CUI requires secure print and controlled pickup.”
Keep rules enforceable. If you can’t enforce it, treat it as an exception that must be documented and time-bound in your POA&M. [1]
3) Implement access controls per media type (map to owners and systems)
A practical control set most assessors can test:
Digital repositories (file shares / cloud):
- Restrict access using groups/roles tied to job function.
- Require approvals for access grants and changes.
- Enable audit logging for access and permission changes where supported. [1]
Endpoints (laptops/desktops):
- Require full-disk encryption for devices that may store CUI.
- Use endpoint management to control local admin rights and removable storage use.
- Ensure deprovisioning includes data handling (wipe/crypto-erase) and evidence. [1]
Removable media:
- Default-deny removable storage, or restrict to approved encrypted devices.
- Maintain an issuance log (asset tag, custodian, purpose, return/disposal).
- Gate exceptions through a ticketing workflow with risk acceptance. [1]
Backup media:
- Restrict who can access backup consoles, repositories, and restore functions.
- Separate backup admin roles from general IT roles where feasible.
- Log restore events and periodically review restores that involved CUI locations. [1]
Printers/MFDs and scanning workflows:
- Restrict device admin interfaces.
- Turn on secure print release where feasible.
- Control scan destinations (only approved email domains or repositories). [1]
Paper CUI:
- Store in locked cabinets or controlled rooms with need-to-know access.
- Define who can copy, transport, and destroy paper CUI.
- Use shred bins and document destruction procedures with accountability. [1]
4) Make it assessable: map to SSP statements and POA&M gaps
Operationalizing this requirement fails when it stays “policy-only.” Do three things:
- Write SSP control statements that name the media types, enforcement mechanisms, and responsible teams. [1]
- Attach system components (endpoint manager, IAM/IdP, backup platform, printer management, physical security controls) to each statement.
- Track gaps in POA&M with owners, target dates, and closure validation evidence before marking complete. [1]
If you use Daydream to run your control library, keep 03.08.02 linked to: (1) your SSP narrative, (2) the media register, and (3) recurring evidence tasks (permission reviews, restore logs, removable media exceptions). That linkage is what reduces scramble during assessments.
5) Establish recurring reviews (keep it operating, not “set and forget”)
Assessors expect controls to operate over time. Build recurring activities:
- Review membership of CUI storage access groups.
- Review removable media exception list and re-approve or revoke.
- Sample backup restore events for appropriateness and authorization.
- Validate deprovisioning/wipe evidence for devices that stored CUI. [3]
Required evidence and artifacts to retain (audit-ready)
Keep evidence that shows both design and operation:
Design artifacts
- CUI Media Register (allowed/prohibited media types; owners; locations)
- Media handling policy/standard (digital + paper)
- SSP control statement(s) for 03.08.02 with named tooling and owners [1]
Operational artifacts
- Access control lists / group membership exports for CUI repositories
- Access request/approval tickets for CUI media access
- Endpoint management configuration showing removable media controls and encryption posture
- Backup platform role assignments and restore logs
- Printer/MFD configuration screenshots/exports (admin restriction; secure print; scan destinations)
- Device disposal/deprovision records (wipe/crypto-erase certificates or equivalent)
- Physical access logs or sign-in sheets for controlled records rooms (if used)
- POA&M items and closure evidence tied to 03.08.02 gaps [2]
Common exam/audit questions and hang-ups
Expect these lines of questioning:
- “Show me where CUI is allowed to be stored.” If you cannot answer in one page, you will lose time and credibility.
- “Who can access backup data and perform restores?” Backup access is frequently over-permissioned.
- “Do you permit USB storage?” If yes, the assessor will ask for encryption, issuance control, and exception approvals.
- “How do you control printed CUI?” Many programs ignore paper because it is “outside IT.”
- “Prove it operates.” Assessors will ask for evidence samples, not only policy. [3]
Frequent implementation mistakes (and how to avoid them)
- Mistake: Defining media too narrowly (only USB). Fix: include endpoints, backups, printers/MFDs, and paper in the media register. [1]
- Mistake: Permissions are “inherited” without review. Fix: run scheduled access reviews for CUI repositories and backup roles; store exports and approvals.
- Mistake: Exceptions become permanent. Fix: require expiration dates and re-approval for removable media and printing exceptions; track in POA&M when controls are not yet enforceable.
- Mistake: No ownership. Fix: name control owners per media type in SSP and assign evidence collection tasks. [1]
- Mistake: You can’t produce evidence quickly. Fix: centralize artifacts and evidence mapping (SSP ↔ control ↔ system ↔ evidence). Daydream-style evidence schedules reduce gaps during assessment.
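As an added example that is not part of this page or of any product it mentions, the following Python script runs the step 5 recurring reviews and checks for the mistakes listed above in one pass: it reconciles a CUI Media Register, the approved-access roster, and a group membership export, and flags unapproved members, stale approvals, missing owners, and removable-media exceptions that are expired or open-ended. All media ids, user names, asset tags, and dates are constructed sample data.

```python
from datetime import date

# Constructed sample inputs (not from any real environment): a CUI Media
# Register, the approved-access roster per media id (from access tickets),
# the current group membership export from the IAM/backup platform, and the
# removable-media exception log.
MEDIA_REGISTER = [
    {"media_id": "cui-share-eng", "type": "file share", "cui_allowed": True, "owner": "eng-data-lead"},
    {"media_id": "backup-repo-01", "type": "backup", "cui_allowed": True, "owner": ""},
    {"media_id": "usb-pool", "type": "removable", "cui_allowed": False, "owner": "it-ops"},
]
APPROVED = {"cui-share-eng": {"alice", "bob"}, "backup-repo-01": {"carol"}}
MEMBERSHIP = {"cui-share-eng": {"alice", "dave"}, "backup-repo-01": {"carol", "erin"}}
EXCEPTIONS = [  # expires_on=None means the exception was never time-bound
    {"user": "frank", "asset_tag": "USB-0042", "expires_on": date(2024, 3, 1)},
    {"user": "grace", "asset_tag": "USB-0051", "expires_on": None},
    {"user": "heidi", "asset_tag": "USB-0060", "expires_on": date(2025, 12, 31)},
]
REVIEW_DATE = date(2025, 6, 1)  # the day this review sample is taken


def review_media_access(register, approved, membership, exceptions, today):
    """Return (finding_code, subject, detail) tuples to attach as review evidence."""
    findings = []
    for media in register:
        mid = media["media_id"]
        if not media["owner"]:
            findings.append(("NO_OWNER", mid, "no named control owner in the register"))
        if not media["cui_allowed"]:
            continue  # prohibited media has no CUI access roster to reconcile
        current, allowed = membership.get(mid, set()), approved.get(mid, set())
        for user in sorted(current - allowed):
            findings.append(("UNAPPROVED_MEMBER", mid, f"{user} has access with no approval on file"))
        for user in sorted(allowed - current):
            findings.append(("STALE_APPROVAL", mid, f"{user} approved but no longer a member"))
    for exc in exceptions:
        if exc["expires_on"] is None:
            findings.append(("OPEN_ENDED_EXCEPTION", exc["user"], f"{exc['asset_tag']} has no expiry date"))
        elif exc["expires_on"] < today:
            findings.append(("EXPIRED_EXCEPTION", exc["user"], f"{exc['asset_tag']} expired {exc['expires_on']}"))
    return findings


if __name__ == "__main__":
    for code, subject, detail in review_media_access(MEDIA_REGISTER, APPROVED, MEMBERSHIP, EXCEPTIONS, REVIEW_DATE):
        print(f"{code:<21} {subject:<15} {detail}")
```

Feed it the real exports from your access tickets, IAM/backup platform, and exception log, and keep the output alongside those exports as the operating evidence for 03.08.02.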
Risk implications (why assessors care)
Media access failures create straightforward loss paths for CUI: theft of a laptop, a misplaced USB drive, a restore performed for the wrong user, or printed documents left in shared spaces. Even if your app access control is strong, CUI often “escapes” through exports, caches, local sync folders, and backups. This requirement exists to close those escape paths. [1]
Practical 30/60/90-day execution plan
No sourced timelines exist in the provided material, so treat this as a pragmatic sequence you can adapt.
First 30 days (stabilize scope and stop obvious bleed)
- Build the CUI Media Register and get system owners to sign off.
- Document “allowed media” rules and publish a short standard for staff handling CUI.
- Identify top CUI repositories and export current access lists; correct egregious over-permissioning.
- Decide removable media posture (prohibit by default or tightly controlled exception path) and implement the configuration baseline where feasible.
- Update SSP language for 03.08.02; open POA&M items for any media types you can’t yet control. [1]
Next 60 days (implement enforceable controls and evidence loops)
- Implement or tighten endpoint controls: encryption assurance, local admin restrictions, removable storage controls.
- Harden backup access: restrict restore permissions, log restore events, document restore approval process.
- Address printers/MFDs: restrict admin access, lock scan destinations, implement secure print where feasible.
- Define paper CUI storage and destruction procedure with physical security partners.
- Stand up evidence collection routines (access review exports, tickets, logs) and store them in a single audit repository mapped to 03.08.02. [3]
By 90 days (make it repeatable and assessment-ready)
- Run your first full “media access control test”: sample users, sample repositories, sample restore events, sample device disposals, and verify approvals and logs exist.
- Close high-risk POA&M items with validation evidence; re-scope any lingering exceptions with leadership sign-off.
- Confirm your SSP, media register, and evidence set tell one consistent story an assessor can follow end-to-end. [2]
Frequently Asked Questions
Does “media” include cloud storage like SharePoint, OneDrive, or Google Drive?
Yes for operational purposes. Any storage location that can contain CUI should be treated as media in your register and controlled through access groups, approvals, and logs. [1]
Are backups in scope even if users never directly browse them?
Yes. Backup admins and restore operators can access CUI through backup systems, so you must restrict backup roles and keep restore evidence. [1]
Can we allow USB drives if they’re encrypted?
You can, but you still need a controlled issuance process, approvals, and an exception path that is easy to audit. Encryption alone does not prove access is restricted to authorized users. [1]
How do we handle paper CUI in a mostly digital program?
Treat paper as a first-class media type: define where it can be stored, who can access it, how it is transported, and how it is destroyed. Retain sign-out logs or other accountability evidence where practical. [1]
What will an assessor ask for under NIST SP 800-171A for this requirement?
Expect requests for objective evidence: documented procedures, role assignments, configurations, and samples of access approvals and logs. The assessor will test that the control exists and operates, not just that it is written down. [3]
What’s the fastest way to make 03.08.02 defensible in the SSP?
Write one SSP statement per media type (endpoints, removable, backups, paper, printers), list the enforcing systems, name the owner, and attach the evidence you will produce on a recurring basis. Track anything incomplete in the POA&M until you can show operating proof. [1]
Footnotes
[1] NIST SP 800-171 Rev. 3
[3] NIST SP 800-171A