3.8.2—Media Protection - Basic
Basic Requirement
>Control Description
Limit access to CUI on system media to authorized users
>Discussion
Access can be limited by physically controlling system media and secure storage areas. Physically controlling system media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return system media to the media library, and maintaining accountability for all stored media. Secure storage includes a locked drawer, desk, or cabinet, or a controlled media library
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern limiting CUI access to authorized users?
- •What procedures control access to CUI media?
- •How do you determine who needs access to CUI media?
- •Who approves access to media containing CUI?
- •What governance ensures only authorized users access CUI media?
Technical Implementation:
- •What technical controls limit CUI media access?
- •How do you implement authentication for media access?
- •What encryption protects CUI media from unauthorized access?
- •How do you enforce access controls on removable media?
- •What monitoring tracks authorized vs unauthorized media access?
Evidence & Documentation:
- •Can you provide access control lists for CUI media?
- •What logs show media access by authorized users only?
- •Can you demonstrate encryption and access restrictions?
- •What evidence proves unauthorized users cannot access CUI media?
- •What audit findings verify media access control compliance?
Ask AI
Configure your API key to use AI features.