Media Protection

Media Protection governs every physical and digital container of CUI — paper documents, USB drives, backup tapes, external drives, and portable devices.

The Big Picture

CUI on a lost, unencrypted USB drive is a reportable incident. CUI on paper in the regular trash is a finding. This family ensures CUI media is protected throughout its entire lifecycle — from creation through destruction.

The Lifecycle

Store & Access (3.8.1–3.8.2) — Lock up CUI media and limit access to need-to-know.

Mark & Track (3.8.4–3.8.5) — Label all CUI media correctly and maintain chain of custody during transport.

Transport & Encrypt (3.8.6–3.8.7) — Encrypt before transport. Control removable media on CUI systems.

Dispose & Protect (3.8.3, 3.8.8–3.8.9) — Destroy properly per NIST 800-88. Don’t plug in unknown drives. Protect backups like production data.

---

All 9 Requirements

Ref	Short Name	What It Covers
3.8.1	Lock Up CUI	Physically control and securely store CUI media
3.8.2	Need-to-Know for Media	Access to CUI media limited to authorized users
3.8.3	Destroy It Properly	Sanitize or destroy per NIST 800-88 before disposal
3.8.4	Mark Your CUI	CUI markings and distribution limitations
3.8.5	Track Media in Transit	Chain of custody during transport
3.8.6	Encrypt Media in Transit	FIPS-validated encryption before transport
3.8.7	Control Removable Media	Block USB by default, allow by exception
3.8.8	No Mystery USB Drives	Prohibit unidentified portable storage
3.8.9	Protect Your Backups	Backup CUI encrypted and secured like production