MP.L2-3.8.5 Media Accountability: Control CUI Access & Transport
Media containing Controlled Unclassified Information (CUI) requires strict access controls and accountability tracking throughout its lifecycle. CMMC Level 2's MP.L2-3.8.5 mandates that organizations establish processes to restrict who can access sensitive media and maintain documented accountability during transport. Failing to implement these controls exposes your organization to data breaches, unauthorized disclosure, and compliance violations.
What this means
This control requires you to implement technical and administrative measures that restrict access to media containing CUI to authorized personnel only, while maintaining a clear audit trail of accountability. During transport—whether physical movement between locations or handoff between users—you must track who has possession of the media, where it's going, and why. This ensures that if media is lost, stolen, or misused, you can immediately identify the responsible party and the circumstances of the breach.
How to comply
- 1.Classify all media that stores or processes CUI and label it appropriately for identification
- 2.Restrict physical and logical access to CUI media through locked storage, encryption, or role-based access controls
- 3.Establish a chain-of-custody process that requires authorized personnel to sign for media when transferred or transported
- 4.Document all media movements including date, time, origin, destination, and responsible parties
- 5.Conduct regular audits to verify accountability records match actual media inventory
- 6.Implement secure transport procedures such as sealed containers or encrypted transmission for remote movement
- 7.Train personnel on media handling procedures and their accountability responsibilities
- 8.Establish procedures to revoke access and retrieve media when personnel are terminated or transfer roles
Evidence auditors look for
- Media inventory log showing all CUI storage devices with labeling and classification markings
- Chain-of-custody documentation for media transfers with signatures and timestamps
- Access control list (ACL) or role-based permissions restricting media access to authorized roles
- Encrypted transport procedures or secure courier agreements for media in transit
- Audit trail reports showing media location and custodian changes over time
- Personnel training records demonstrating completion of media handling procedures
- Incident reports documenting lost, stolen, or misplaced media investigations
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates media accountability tracking by centralizing chain-of-custody documentation, flagging custody gaps in real-time, and generating audit-ready reports—eliminating manual spreadsheets and enabling instant proof of compliance for CMMC assessments.
See how GRCWatch handles this control automatically
Start free trial