Media Protection (MP): Safeguarding Sensitive Data & Storage Devices

All 9 controls in the Media Protection family are listed below.



3.8.1

Protect system media containing CUI, both paper and digital, by physically controlling it (e.g., locked cabinets, safes, controlled-access rooms) and storing it securely, backed by logical access restrictions on digital media (file permissions, encryption), so that it cannot be read or removed by unauthorized people. Applies to removable devices, internal and external drives, and paper records and printouts.

NIST 800-171 Control Identifier: 3.8.1
CMMC Control Identifier: MP.L2-3.8.1
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

MP-2: Restrict access to digital and physical media to authorized personnel only

MP-4: Physically and logically protect stored media to prevent unauthorized access

MP-6: Sanitize or destroy media before disposal or reuse

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Microsoft Purview DLP for digital protections, BitLocker for encryption, Intune for device management, and Compliance Center for audit and eDiscovery)

3.8.2

Restrict access to CUI stored on system media (e.g., USB drives, DVDs, SSDs) to only authorized users using physical and logical controls, including encryption, access permissions, and monitoring.

NIST 800-171 Control Identifier: 3.8.2
CMMC Control Identifier: MP.L2-3.8.2
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

MP-2: Restrict access to digital and physical media to authorized personnel only

MP-4: Physically and logically protect stored media to prevent unauthorized access

MP-6: Sanitize or destroy media before disposal or reuse

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Microsoft Purview DLP, BitLocker, Intune removable storage controls, and device compliance policies)

3.8.3

Sanitize or destroy system media containing CUI before disposal or release for reuse, so that CUI cannot be recovered from drives, removable devices, or paper that leave the organization's control (reused internally, returned to a vendor, sold, or discarded). Encryption of CUI on media during transport is covered separately by 3.8.6.

NIST 800-171 Control Identifier: 3.8.3
CMMC Control Identifier: MP.L2-3.8.3
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

MP-6: Sanitize or destroy media before disposal or reuse, using methods commensurate with the sensitivity of the data (NIST SP 800-88 describes the clear, purge, and destroy techniques)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) (Intune supports remote wipe and retire of managed devices; sanitization or destruction of physical drives and paper media requires a documented process and records that no license provides)

3.8.4

Mark all media containing CUI with appropriate classification labels and distribution limitations in accordance with the organization’s security policies. Ensure markings are visible, accurate, and consistently applied across digital and physical media.

NIST 800-171 Control Identifier: 3.8.4
CMMC Control Identifier: MP.L2-3.8.4
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

MP-3: Label and mark media containing sensitive information based on classification levels

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Microsoft Purview Information Protection with sensitivity labels, labeling policies, and content marking enforcement)

3.8.5

Control access to media containing CUI and maintain accountability (e.g., logs, chain of custody) during transport outside controlled environments. This includes tracking location, encryption, and authorized handlers.

NIST 800-171 Control Identifier: 3.8.5
CMMC Control Identifier: MP.L2-3.8.5
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

MP-5: Protect and track media during transport to prevent loss, theft, or unauthorized access

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Microsoft Purview Data Loss Prevention and Microsoft Information Protection for tagging, auditing, and encryption of data-in-transit)

3.8.6

Protect the confidentiality of CUI on portable or transportable digital media using FIPS-validated encryption unless an alternative physical safeguard (e.g., hand-carry procedures with escort) is used.

NIST 800-171 Control Identifier: 3.8.6
CMMC Control Identifier: MP.L2-3.8.6
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-28 (1): Encrypt information at rest using approved cryptographic methods to prevent unauthorized access

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes BitLocker, Microsoft Purview Information Protection, and Defender for Endpoint for encryption policy enforcement and monitoring)

3.8.7

Control the use of removable media on system components, for example by allowing only organization-issued, encrypted devices on endpoints that handle CUI and blocking or logging all others.

NIST 800-171 Control Identifier: 3.8.7
CMMC Control Identifier: MP.L2-3.8.7
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

MP-7: Restrict the use of digital and removable media to prevent unauthorized access

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Intune for device control, Defender for Endpoint to restrict USB access, and logging via Microsoft Purview or Sentinel)

3.8.8

Prohibit the use of portable storage devices that do not have a known, verifiable owner or cannot be attributed to a managed, authorized system user.

NIST 800-171 Control Identifier: 3.8.8
CMMC Control Identifier: MP.L2-3.8.8
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

MP-7: Restrict or prohibit the use of removable media on organizational systems, and prohibit portable storage devices that have no identifiable owner (in R5 the former enhancement MP-7(1) is incorporated into MP-7)

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(includes Microsoft Defender for Endpoint device control, Intune policy enforcement, and removable media restrictions)
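The encryption requirement for CUI on portable media (3.8.6) and the removable-media restrictions (3.8.7 and 3.8.8) are the ones an assessor will ask to see evidence for on a sample endpoint. The following PowerShell script is an added example, not code from this page or from Agile IT, that reads that evidence from one Windows 10/11 endpoint: the BitLocker To Go state of every mounted removable drive, the FIPS algorithm policy, and the Group Policy values that deny all removable storage or deny writes to removable drives that BitLocker does not protect. The registry paths are the documented Group Policy locations; the function names and finding text are this example's own. Allow-listing of specific owned devices for 3.8.8 is configured in Defender for Endpoint device control or Intune and is not checked here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page): read-only posture check for the removable-media
# controls on a single Windows endpoint. It changes nothing; it reports.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or value is absent (policy not set).
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-RemovableDriveState {
    # One object per mounted removable volume that has a drive letter, with its BitLocker status.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter -ne [char]0 } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                MountPoint       = $mount
                FileSystem       = $_.FileSystem
                ProtectionStatus = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unknown' }
                EncryptionMethod = if ($bl) { [string]$bl.EncryptionMethod } else { 'Unknown' }
                # Counts as encrypted only when protection is on and a real cipher is in use.
                Encrypted        = [bool]($bl -and $bl.ProtectionStatus -eq 'On' -and
                                          $bl.EncryptionMethod -ne 'None')
            }
        }
}

function Test-RemovableMediaPosture {
    # FIPS algorithm policy: restricts Windows to its FIPS-validated cryptographic modules.
    $fips    = Get-PolicyDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
    # BitLocker policy "Deny write access to removable drives not protected by BitLocker".
    $rdvDeny = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'RDVDenyWriteAccess'
    # Removable storage policy "All Removable Storage classes: Deny all access".
    $denyAll = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
    $drives  = @(Get-RemovableDriveState)

    $findings = New-Object System.Collections.Generic.List[string]
    if ($fips -ne 1) {
        $findings.Add('FIPS algorithm policy is not enabled; Windows is not restricted to FIPS-validated modules.')
    }
    if ($denyAll -ne 1 -and $rdvDeny -ne 1) {
        $findings.Add('Neither "deny all removable storage" nor "deny write to removable drives not protected by BitLocker" is set; CUI can be written to unencrypted USB media.')
    }
    foreach ($d in ($drives | Where-Object { -not $_.Encrypted })) {
        $findings.Add("Removable drive $($d.MountPoint) is mounted without BitLocker protection (status: $($d.ProtectionStatus)).")
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        FipsPolicyEnabled             = ($fips -eq 1)
        RemovableStorageDeniedAll     = ($denyAll -eq 1)
        DenyWriteUnencryptedRemovable = ($rdvDeny -eq 1)
        RemovableDrives               = $drives
        Findings                      = $findings.ToArray()
        Pass                          = ($findings.Count -eq 0)
    }
}

# Usage: run in an elevated session; keep the output as assessment evidence.
$posture = Test-RemovableMediaPosture
$posture | Format-List
$posture.RemovableDrives | Format-Table -AutoSize
```

A drive that shows up as unprotected can be encrypted with `Enable-BitLocker -MountPoint 'E:' -PasswordProtector -Password (Read-Host -AsSecureString) -EncryptionMethod XtsAes256`, choosing the method your removable-drive policy mandates. An empty `Findings` array on one machine is evidence for that machine only; the policy values come from Group Policy or Intune, so the same check should be run across a sample of endpoints, and an absent policy key (`$null`) means the setting is not configured at all rather than configured to allow.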

3.8.9

Protect the confidentiality of CUI contained in backup media by applying encryption and access controls at storage locations (e.g., cloud backup, on-prem storage, removable drives).

NIST 800-171 Control Identifier: 3.8.9
CMMC Control Identifier: MP.L2-3.8.9
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

CP-9: Conduct backups of system data, applications, and configurations to support recovery, and protect the confidentiality, integrity, and availability of backup information at its storage locations

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI)

(Azure Backup, licensed separately from Microsoft 365, provides encrypted backup storage; Microsoft Purview covers labeling and access control for the backed-up data, and Defender for Endpoint provides monitoring of the systems holding it, not the backup itself)

Microsoft Cloud for CMMC Compliance

Contact our team today

See how Agile IT's MSP for CMMC can strengthen your data security and allow your team to focus on your business's objectives and success.

Schedule a FREE consultation