Media Protection.

Controlling access to CUI media, sanitising before disposal, marking with handling caveats, and limiting where it goes.

3.8.1 Lock Up CUI. Physically control and securely store all system media containing CUI — paper documents, USB drives, backup tapes, and digital devices. 1 pts 3.8.2 Need-to-Know for Media. Only people with a documented need can access CUI media — physical or digital. Review access periodically. 1 pts 3.8.3 Destroy It Properly. Sanitize or destroy CUI media before disposal or reuse — per NIST SP 800-88. Document everything. 3 pts
L1 3.8.4 Mark Your CUI. Label all CUI media with correct CUI markings and distribution limitations per NARA guidance. 1 pts

Tracking media in transit, encrypting CUI on portable storage, and controlling removable-media use.

3.8.5 Track Media in Transit. Control access and maintain chain of custody for CUI media during transport outside controlled areas. 1 pts 3.8.6 Encrypt Media in Transit. Encrypt CUI on digital media before transport using FIPS-validated cryptography — or provide alternative physical safeguards. 1 pts 3.8.7 Control Removable Media. Restrict USB drives and external media on CUI systems — block by default, allow only approved encrypted devices. 3 pts

Prohibiting unowned portable storage on systems and protecting CUI backup confidentiality.

3.8.8 No Mystery USB Drives. Prohibit portable storage devices with no identifiable owner. Training plus technical controls. 1 pts 3.8.9 Protect Your Backups. Protect the confidentiality of backup CUI — encrypted, access-restricted, and stored with the same controls as production. 1 pts