03.08.02: Media Access

To meet requirement 03.08.02 (Media Access), you must restrict and control who can access, handle, and use media that contains CUI (paper, removable drives, backup media, images of screens, and exported files) across its full lifecycle. Implement role-based access, physical and logical safeguards, and auditable procedures for issuing, transporting, storing, reusing, and disposing of media. 1

Key takeaways:

  • Treat “media” broadly: paper, removable storage, portable devices, backups, and media images all count.
  • Control access by role and need-to-know, and make access provable with logs, inventories, and sign-out records.
  • Auditors look for operational proof: who touched CUI media, when, where it went, and how it was protected. 1

Media is where CUI spills turn into investigations. Most organizations focus on system access controls and forget the practical paths data takes once it leaves a controlled application: a USB drive used for firmware updates, printed build packets, laptops used in the field, backup tapes shipped offsite, or an engineer exporting logs for a third party. Requirement 03.08.02 (Media Access) forces discipline around that reality.

For a CCO or GRC lead, the fastest path to operationalization is to treat this requirement as a repeatable lifecycle control: classify media, limit who can access it, document transfers, and prove disposal or reuse is safe. The work is not a single policy. You need a small set of procedures that frontline teams can follow without improvising: how media is requested, approved, issued, labeled, stored, transported, returned, sanitized, and destroyed.

This page translates 03.08.02 into execution steps, evidence to retain, and the exam questions you should expect. It assumes you handle CUI as a federal contractor or within a nonfederal system that processes, stores, or transmits CUI. 1

Regulatory text

Requirement: “NIST SP 800-171 Rev. 3 requirement 03.08.02 (Media Access).” 1

Operator interpretation (what you must do): Put controls in place so only authorized personnel can access media containing CUI, and you can demonstrate that control in practice. Media includes both physical media (paper records, tapes, drives) and digital removable media (USB, external SSDs), plus operational realities like mobile endpoints holding offline copies or exported data sets. You need both:

  • Logical controls (permissions, encryption, DLP, endpoint controls, workflow approvals), and
  • Physical controls (locked storage, restricted areas, sign-out logs, secure transport).

This requirement sits in the “Media Protection” family, so assessors expect you to manage media through its lifecycle: issuance, storage, transport, reuse, and disposal or destruction. 1

Plain-English requirement: what it means

If CUI can be copied onto something that can walk out the door, you must control who can touch it and prove that control. The practical intent is to reduce:

  • loss/theft of removable devices,
  • uncontrolled printing and paper handling,
  • informal data exports to laptops or shared drives,
  • uncontrolled sharing with third parties, and
  • exposure through forgotten backups or retired equipment.

A good mental model: treat CUI media like company cash. You track who has it, where it is stored, when it moves, and how it gets retired.

Who it applies to

Entities

  • Federal contractors and subcontractors handling CUI.
  • Any nonfederal organization operating systems that store, process, or transmit CUI. 1

Operational scope

  • Corporate IT (endpoints, printers, MFDs, file shares, backup systems).
  • Engineering / manufacturing (portable media for machine updates, test rigs, lab data exports).
  • Program teams handling CUI in documents (printed packets, signed forms).
  • Facilities and physical security (secure storage, restricted areas).
  • Third parties (managed print, eDiscovery, offsite storage, ITAD providers).

What you actually need to do (step-by-step)

1) Define “CUI media” for your environment

Create a short, explicit list your teams recognize. Include:

  • Removable storage: USB, external drives, SD cards.
  • Paper: printed CUI, notebooks, mailers.
  • Backup media and images: tapes, offline backup drives, exported snapshots.
  • Device-resident media: laptops used offline, phones/tablets if they store CUI, camera photos of CUI screens/whiteboards.

Deliverable: a one-page standard and a companion quick reference for users.

2) Set access rules by media type (who can touch what)

Build a media access matrix aligned to job roles. Example structure:

Media type           | Default rule           | Allowed roles                    | Approval required           | Storage requirement
Printed CUI          | Restricted             | Program staff with need-to-know  | Manager for bulk prints     | Locked cabinet / restricted room
USB / external media | Prohibited by default  | IT admins for specific tasks     | Ticket + security approval  | Encrypted + tracked + locked
Backup media         | Restricted             | Backup operators                 | Change record               | Locked vault + controlled transport

Make “prohibited by default” the baseline for removable storage unless you have a strong operational need.

3) Implement technical controls that enforce the rules

Pick controls that stop policy from becoming “trust-based.”

  • Endpoint controls: block removable storage by default; allow by exception; log insertions and file transfers where feasible.
  • Encryption requirements: require encryption for any approved removable media holding CUI; manage keys centrally.
  • Print controls: restrict who can print to certain devices; require badge release for printing in controlled spaces where feasible; reduce “print and forget.”
  • DLP / content controls: flag or block copying CUI-labeled content to removable devices or unmanaged locations where feasible.
  • Identity and access: ensure only authorized roles can access shared folders where CUI is staged for print or export.

Your auditor does not need perfection; they need a coherent design, consistent operation, and evidence.

4) Implement physical controls for storage and handling

  • Secure storage: locked cabinets, safes, or restricted rooms for paper and removable media.
  • Restricted areas: limit where CUI media can be handled (e.g., no printing to open floor devices).
  • Transport rules: secure containers; documented chain-of-custody for offsite movement; prohibit casual transport in personal bags without controls.
  • Visitor/clean desk alignment: ensure facility procedures do not allow unescorted access to areas where CUI media is present.

5) Establish a media issuance and chain-of-custody process

This is where most organizations fail audits: they can’t show who had the media. Minimum viable workflow:

  1. Requester opens a ticket describing purpose, data type, and duration.
  2. Approver validates need-to-know and authorizes media type.
  3. Media is issued from controlled stock (or uniquely identified if reusable).
  4. Custodian signs out the media (physical log or ticket acknowledgment).
  5. Return, sanitization, and closure are recorded.

Keep it simple enough that teams follow it under deadline pressure.

6) Control reuse, sanitization, and disposal (tie-in, don’t duplicate)

03.08.02 is access-focused, but assessors will test whether access controls extend through end-of-life. Integrate with your sanitization and destruction procedures:

  • Define when media can be reused.
  • Require sanitization before reassignment.
  • Use approved destruction for media that cannot be sanitized.
  • Ensure third-party ITAD providers are under contract and monitored if they touch CUI media.

7) Train the people who touch media

Training must be role-based:

  • Engineers: approved removable media use cases and exceptions.
  • Program staff: printing rules, storage, and shredding.
  • IT: encryption and logging requirements.
  • Facilities: secure storage and after-hours controls.

Track completion and include scenario-based examples (“What do I do if I must deliver a CUI build packet to a restricted lab?”).

Required evidence and artifacts to retain

Auditors will ask for proof that controls operate, not just policy. Retain:

  • Media protection policy covering media access expectations. 1
  • Media access matrix (roles × media types × approval rules).
  • Removable media exceptions log (tickets, approvals, business justification).
  • Media inventory for controlled removable media (unique IDs, custodians, status).
  • Chain-of-custody records for issued media and offsite transfers.
  • Printer/MFD configuration evidence (approved devices list, secure print settings where in scope).
  • Endpoint control evidence (removable storage control configuration and sample logs).
  • Training records for roles that handle CUI media.
  • Sanitization/destruction certificates (internal or third party) tied to asset IDs where feasible.
  • Periodic review records (access list reviews, exception recertifications).

Daydream tip: map each artifact to requirement 03.08.02 (Media Access) and schedule recurring evidence pulls so you’re not rebuilding proof during an assessment. 1

Common exam/audit questions and hangups

Expect questions like:

  • “Show me how you prevent or control USB use on endpoints that handle CUI.”
  • “Which roles are authorized to print CUI? Which printers are approved?”
  • “Prove chain-of-custody for this removable drive or this offsite backup transfer.”
  • “How do you ensure media is returned and sanitized before reuse?”
  • “What’s your exception process, and who approves it?”

Hangups that trigger findings:

  • Policies say “restricted,” but there are no logs, tickets, or inventories.
  • Teams use personal or untracked removable drives “just this once.”
  • Printing is uncontrolled; pages sit in output trays; no accountability.
  • Backups are handled by a third party with unclear chain-of-custody.

Frequent implementation mistakes (and how to avoid them)

  1. Defining media too narrowly. If you only cover USB drives, assessors will ask about paper and backups. Fix: publish a simple “what counts as media” list and train it.

  2. Relying on “no one should” statements. Fix: add enforcement controls (endpoint blocking, approvals) and evidence (logs, exceptions).

  3. No ownership. Media controls fail when nobody owns the process. Fix: name an operational owner for removable media issuance and an owner for print controls.

  4. Exceptions become the default. Fix: require time-bounded approvals, periodic recertification, and closure steps (return/sanitize).

  5. Third parties are ignored. Fix: include offsite storage, managed print, and ITAD in your third-party due diligence and contract controls if they can access CUI media.

Risk implications (why assessors care)

Media is a high-probability loss path because it bypasses perimeter controls. A single untracked USB drive or printed packet can create:

  • reportable incident exposure,
  • contractual noncompliance with CUI handling obligations, and
  • downstream flow-down issues to subcontractors and service providers.

The operational risk is compounded by weak evidence. If you cannot prove who accessed CUI media and how it was protected, you will struggle to support a compliant determination even if teams “generally do the right thing.” 1

Practical execution plan (30/60/90-day)

First 30 days (stabilize and define)

  • Publish the definition of CUI media and the initial media access matrix.
  • Stand up an exception workflow for removable media (ticket + approval).
  • Identify all printers/MFDs in CUI spaces and set an “approved for CUI” list.
  • Choose evidence sources (endpoint logs, ticketing, inventory) and assign owners.

Next 60 days (enforce and instrument)

  • Roll out endpoint removable media controls with allow-by-exception.
  • Implement encryption requirements for approved removable media and document key management responsibilities.
  • Implement or tighten print controls for CUI-approved devices (configuration baselines and admin access).
  • Launch role-based training focused on media handling scenarios.

By 90 days (prove it and keep it running)

  • Perform an internal control test: sample issued media, validate chain-of-custody, verify return/sanitization closure.
  • Review exception trends and remove “permanent” exceptions.
  • Run a tabletop exercise for a lost-media scenario and validate escalation and containment steps.
  • Operationalize recurring evidence collection in Daydream (or your GRC system): inventories, exception logs, sample control configs, and review attestations. 1
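One way to automate the 90-day internal control test over the step-5 issuance workflow (approval, sign-out, return, sanitization before reuse, time-bounded exceptions), as an added example that is not from the page or from Daydream; the record fields and the sample rows are constructed assumptions, so map them to your own ticketing and inventory exports:

```python
"""Chain-of-custody closure check for controlled removable media.

Added example: flags issuance records that fail the workflow steps.
Field names and sample rows are constructed, not taken from any real system.
"""
from datetime import date, timedelta

# Constructed sample records: one row per issued media item.
RECORDS = [
    {"media_id": "USB-0001", "ticket": "T-101", "approver": "sec-lead", "custodian": "jdoe",
     "encrypted": True, "issued": date(2024, 3, 1), "days_approved": 14,
     "returned": date(2024, 3, 5), "sanitized": date(2024, 3, 6), "reissued": None},
    {"media_id": "USB-0002", "ticket": "T-102", "approver": None, "custodian": "asmith",
     "encrypted": True, "issued": date(2024, 3, 1), "days_approved": 14,
     "returned": None, "sanitized": None, "reissued": None},
    {"media_id": "USB-0003", "ticket": "T-103", "approver": "sec-lead", "custodian": "bchen",
     "encrypted": False, "issued": date(2024, 2, 1), "days_approved": 7,
     "returned": date(2024, 2, 3), "sanitized": None, "reissued": date(2024, 2, 10)},
]


def findings(rec, today):
    """Return the list of finding codes for one issuance record (empty = clean)."""
    found = []
    if not rec["ticket"] or not rec["approver"]:
        found.append("NO_APPROVAL")            # steps 1-2: ticket and named approver
    if not rec["custodian"]:
        found.append("NO_CUSTODIAN")           # step 4: sign-out record
    if not rec["encrypted"]:
        found.append("UNENCRYPTED")            # step 3: encryption for approved media
    due = rec["issued"] + timedelta(days=rec["days_approved"])
    if rec["returned"] is None and today > due:
        found.append("OVERDUE")                # time-bounded approval expired, media still out
    if rec["returned"] is not None and rec["sanitized"] is None:
        found.append("NOT_SANITIZED")          # step 5/6: closure before reuse
    if rec["reissued"] is not None and (rec["sanitized"] is None or rec["reissued"] < rec["sanitized"]):
        found.append("REUSED_BEFORE_SANITIZE")  # reuse without a prior sanitization record
    return found


def control_test(records, today):
    """Map each media ID to its findings; items with an empty list pass the sample test."""
    return {r["media_id"]: findings(r, today) for r in records}


if __name__ == "__main__":
    for media_id, codes in control_test(RECORDS, date(2024, 4, 1)).items():
        print(media_id, "PASS" if not codes else ", ".join(codes))
```

Feed it the full issuance log rather than a sample to spot exceptions that have quietly become permanent.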

Frequently Asked Questions

Does “media” include laptops and phones, or only removable drives and paper?

Treat endpoints as in scope when they store offline copies of CUI or function as portable repositories (exports, synced folders, cached email). The safest approach is to define “CUI media” explicitly to include device-resident storage for portable endpoints that handle CUI. 1

We block USB storage, but engineers sometimes need it for equipment updates. Is an exception process enough?

Yes, if exceptions are controlled: documented justification, named approver, encrypted approved media, and auditable chain-of-custody from issuance through return and sanitization. Auditors will test whether exceptions are rare and governed rather than informal. 1

Do we need a formal inventory for every piece of media?

Inventory controlled items that can easily leave your environment or are reused across tasks (for example, removable drives and backup media). For paper, focus on controlled printing, secure storage locations, and sign-out practices for high-sensitivity packets.

How do we handle outsourced printing, offsite storage, or IT asset disposal providers?

Treat them as third parties that may access CUI media. Contractually require secure handling, chain-of-custody, and destruction evidence, then retain the certificates and transfer records as part of your audit trail.

What evidence is most persuasive in an assessment for 03.08.02?

Assessors respond well to artifacts that connect policy to operation: an access matrix, device configurations, exception tickets, issuance logs, and a small sample showing end-to-end custody and closure (return and sanitization/destruction). 1

Our policy says “locked cabinet,” but teams store printed CUI in desk drawers. How should we fix this without stopping work?

Start by designating approved storage locations per area, distribute lockable storage where needed, and train on the new rule with manager reinforcement. Add spot checks and require attestation for teams that routinely handle printed CUI.

Footnotes

  1. NIST SP 800-171 Rev. 3
