GRCWatch
Sign inStart free trial

NIST 800-171 3.8.1: Media Access Protection for CUI

Controlled Unclassified Information (CUI) lives on more than servers—it's printed, backed up, and archived on physical media that requires the same rigor as your digital safeguards. Control 3.8.1 mandates that you physically control and securely store all system media containing CUI, whether paper documents or external drives. For SMBs handling government contracts or sensitive data, this control is a foundational requirement that bridges your logical security with physical asset management.

What this means

Media Access Protection requires you to establish and enforce physical safeguards for all materials—digital and paper—that contain CUI. This means secure storage locations (locked cabinets, safes, or restricted rooms), limited access only to authorized personnel, documented chain-of-custody procedures, and secure disposal methods that prevent recovery. The control applies equally to backup tapes, USB drives, printed documents, DVDs, and any other storage medium that holds CUI.

How to comply

  1. 1.Conduct a media inventory: identify all physical locations where CUI is stored (servers, external hard drives, paper files, backups, archives).
  2. 2.Implement physical access controls: use locked storage, restricted rooms, or safes for media containing CUI with sign-in/sign-out logs.
  3. 3.Establish a labeling system: clearly mark all media and containers holding CUI so they're easily identified and handled correctly.
  4. 4.Document access procedures: create and enforce written policies specifying who can access CUI media, when, why, and for how long.
  5. 5.Create secure disposal protocols: define and implement methods for destroying or degaussing media (shredding for paper, certified data destruction for drives) to prevent recovery.
  6. 6.Monitor and audit: maintain access logs for sensitive media storage areas and conduct periodic reviews to ensure compliance.
  7. 7.Train staff: ensure all employees understand the importance of physical media security and their role in maintaining it.

Evidence auditors look for

  • Locked storage cabinet or safe with key/combination access logs showing who accessed CUI media and when
  • Physical security policy document detailing media storage requirements, access restrictions, and authorization levels
  • Labeling system examples (e.g., labels on storage boxes, file covers, or drive cases marking CUI status)
  • Disposal certificates from certified media destruction vendors showing CUI media was securely destroyed
  • Building access logs or badge swipe records for restricted rooms where CUI is stored
  • Backup and archive inventory with secure storage location documentation
  • Signed acknowledgment forms from employees confirming they understand media handling and security procedures

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates media inventory tracking, generates access logs with tamper-proof timestamps, and sends alerts when CUI media access deviates from policy—eliminating manual audits and reducing the risk of unauthorized exposure.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.8.2 Media Sanitization3.1.1 System Access Authorization3.4.1 Information Flow Enforcement3.13.1 User Session Establishment