MP.L2-3.8.2 — Limit access to CUI on system media to authorized users.
What this control requires
Limit access to CUI on system media to authorized users.
Source: CMMC L2 v2.13 MP.L2-3.8.2 / NIST SP 800-171 R2 3.8.2 (official control text).
Why this matters
This control prevents unauthorized individuals from accessing, copying, or removing physical media containing CUI — such as USB drives, external hard drives, backup tapes, printed documents, or CDs. Without strict physical access controls, an adversary, contractor, or visitor could walk away with sensitive data. Media containing CUI must be tracked through check-out logs, stored in locked containers, and handled only by personnel with a legitimate need to access that information. This addresses insider threats, loss incidents, and physical theft scenarios.
What evidence assessors expect
Assessors typically look for: photo, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.