GRCWatch
Sign inStart free trial

NIST SP 800-171 Control 3.8.2: Media Access Control

Control 3.8.2 requires organizations to restrict access to Controlled Unclassified Information (CUI) stored on system media to only authorized users. This foundational control prevents unauthorized data exposure through physical media, removable devices, and storage systems. For SMBs handling CUI, implementing effective media access controls is essential to meet NIST 800-171 compliance and protect sensitive government contracting data.

What this means

Media access control limits who can read, modify, or retrieve CUI from physical and digital storage media. This includes hard drives, USB devices, backup tapes, cloud storage, and internal databases. The control ensures that only personnel with explicit authorization and a documented need-to-know can access CUI-bearing media. Access must be enforced through technical mechanisms (encryption, role-based access control) and administrative processes (access request workflows, user provisioning).

How to comply

  1. 1.Identify all systems and media types that store, process, or transmit CUI within your organization.
  2. 2.Document authorized users and their access rights to each CUI storage location.
  3. 3.Implement role-based access control (RBAC) to enforce user-level permissions on files, databases, and cloud systems.
  4. 4.Enable encryption for sensitive media to prevent unauthorized access if physical devices are lost or stolen.
  5. 5.Establish and enforce a formal access request and approval process for CUI media.
  6. 6.Audit and log all access to CUI media, including who accessed what data and when.
  7. 7.Conduct periodic reviews of access rights to remove permissions for departed employees or role changes.
  8. 8.Restrict physical access to storage media through locked cabinets, secure rooms, or off-site storage facilities.
  9. 9.Train personnel on CUI handling requirements and media access policies.
  10. 10.Test access controls regularly to confirm they prevent unauthorized access as intended.

Evidence auditors look for

  • Access control policy documentation specifying CUI media restrictions and authorization levels.
  • Role-based access control (RBAC) configuration lists showing user assignments and permissions.
  • System screenshots showing encryption enabled on CUI-bearing storage devices.
  • Access request forms and approval workflows with documented authorizations.
  • Access logs and audit reports showing user activity on CUI media for a defined period.
  • Physical security measures documentation (lock inventory, key management logs, room access logs).
  • Employee access certification records confirming authorized users and removal of terminated staff.
  • Backup and disaster recovery procedures that address CUI media access restrictions.
  • User training completion records and signed acknowledgments of CUI handling policies.
  • System test results validating that unauthorized users cannot access restricted CUI media.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates CUI media access tracking by centralizing user provisioning, access logging, and periodic access reviews in one dashboard—eliminating manual spreadsheet management and ensuring audit-ready evidence for 3.8.2 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

NIST SP 800-171 3.1.1 (Access Control Policy)NIST SP 800-171 3.1.2 (Access Enforcement)NIST SP 800-171 3.8.1 (Information and System Inventory)NIST SP 800-171 3.8.3 (Media Marking)NIST SP 800-171 3.8.4 (Media Storage)NIST SP 800-171 3.8.5 (Media Transport)