Mastering Media Security for CMMC Success
Explore key strategies for protecting Controlled Unclassified Information across physical and digital media. Learn practical approaches to handling, marking, encryption, and auditing that ensure compliance and safeguard your organization.
Chapter 1
Physical and Digital Media Protection Essentials
Eric Marquette
Alright folks, welcome back to CMMC Unlocked! Today we're digging into a topic that, honestly, trips up almost everybody on their CMMC readiness journey: media protection. Specifically, what it really takes to safeguard CUI—Controlled Unclassified Information—on both physical and digital media. If any of you have ever sat through a gap analysis or a full-blown assessment, you already know assessors pay close attention to these controls. We're talking about CMMC practice MP.L2-3.8.1 here: basically, you must physically control and securely store system media containing CUI, whether it's good old-fashioned paper or digital drives. Paul, Roz—media controls seem simple on paper, but what does that actually mean in practice for folks out there?
Paul Netopski
Yeah, Eric, that's a good way to frame it. It's not just about sticking a label on a folder and locking your laptop in a desk drawer. The assessment criteria literally break out both paper and digital media. You have to show you physically control paper media with CUI—like you know exactly where those files are, they're in locked rooms or cabinets, and only authorized folks can get to 'em. Same thing for digital media: encrypted, access-controlled, and no random USB drives just floating around because someone needed to "make a quick copy." It's tangible, demonstrable controls. If you can't show where CUI lives, or if it's scattered all over personal laptops and thumb drives, that's an automatic finding on an assessment.
Roz the Rulemaker
And what always stands out to me—coming from the regulatory compliance world—is just how important those distinctions are between types of media. Assessors aren't going to just take your word for it. You need evidence: logs, storage inventories, check-out forms. The compliance mindset is: "How can we prove, right now, that no one unauthorized has walked off with a folder or copied a file to an unprotected device?" Especially in defense environments, these are not theoretical risks—every breach starts here.
Eric Marquette
Absolutely, Roz. I remember my first week onboarding at a major prime—a gigantic defense contractor. The assessor came around, kind of like, "Show me your CUI handling process, for both printouts and USB sticks." I thought we had our act together, but they immediately caught us mixing up our secure paper bins with regular recycling, and they wanted to see—down to the serial number—how we tracked encrypted drives. It's not just locked doors, it’s documentation and real accountability. If you haven't experienced that yet, trust me, you don't wanna be learning on the fly during the audit.
Paul Netopski
And that's a great point, Eric, because once you’ve got those controls in place, it gets way easier to respond to audit questions, or even just spot check yourself. It’s about repeatable, reliable evidence—whether it’s a badge scan log for a record room, or BitLocker logs for external drives. Don’t underestimate how granular those expectations can get.
Chapter 2
Control, Marking, and Cryptography for CUI Media
Paul Netopski
So let's dig deeper into who can actually access this stuff. MP.L2-3.8.2 says access has to be limited to authorized users only. That means not just physically but digitally—you need solid access controls in place, whether it’s a locked file cabinet or permissions set up on your SharePoint drive. If you don’t limit access, none of these other controls really matter, do they?
Roz the Rulemaker
And adding to that, CMMC practice MP.L2-3.8.4 is all about proper marking—everything with CUI has to be clearly labeled, including any distribution limitations. I know, it sounds bureaucratic, but it’s crucial for legal compliance and for day-to-day handling. A lot of agencies I’ve worked with over the years got tripped up when people confused "internal use" with "controlled." Not the same! Markings define who is actually supposed to see or share that information—no guessing games allowed.
Eric Marquette
Right, and before we get too far, let’s talk cryptography. MP.L2-3.8.6 requires you to protect the confidentiality of CUI on digital media during transport—so if you’re moving files from site to site, you’d better have encryption or an approved alternative in place. Paul, didn’t you have a story from your BAE days where encryption-in-transit kind of failed spectacularly?
Paul Netopski
Oh yeah, that one stings—classic mistake. We had a classified backup tape heading between secure facilities, and someone thought, “Well, it’s inside a locked courier pouch, so that’s gotta be good enough.” But there was no cryptography on the data itself. That meant if the pouch was intercepted—or just lost in a taxi, which, uh, does happen—the data was exposed. The audit flagged it immediately. What saved us was detailed media logs and our ability to show that every marked piece of media was tracked, even if the crypto was missing. Still, it was a close call. Accountability for marked media—knowing who has it and where—mitigated some risk, but we had to tighten up a lot after that assessment. If you’re not sure, default to encryption in transit. Every time.
Roz the Rulemaker
And for all the listeners who might be groaning, “More labeling? Really?”—just remember: those markings and audit trails are what keeps your organization out of hot water if anything does go wrong. Distribution limitations, authenticity, marking—and yes, cryptography—protect both your compliance standing and your reputation in the supply chain.
Eric Marquette
Honestly, no organization has ever failed an audit because they labeled things too clearly or encrypted too much. Just saying.
Chapter 3
Removable Media, Accountability, and Backup Confidentiality
Roz the Rulemaker
Let's head into the world of removable media—where everything can go sideways pretty quickly. MP.L2-3.8.8 is explicit: you have to prohibit the use of portable storage devices with no identifiable owner. In other words—no anonymous thumb drives allowed. But, honestly, enforcing that is tough in practice. Everyone loves their USB sticks, right? But that’s why MP.L2-3.8.7 exists: it requires organizations to strictly control all removable media in use on system components. Too much freedom and, next thing you know, you’ve got shadow IT, lost drives, or worse.
Paul Netopski
Yeah Roz, we see this a lot—people think, “Oh, it’s just marketing data, it’s not CUI, why bother tracking this drive?” But all it takes is one mislabeled or unidentified drive floating around and you’ve got a real incident. Assessors expect clear records of ownership, device tracking, and, if possible, technical controls like disabling USB ports or using only encrypted, issuer-managed drives.
Eric Marquette
And when it comes to transporting media outside controlled spaces—say, taking an external drive to a backup site—MP.L2-3.8.5 says you need full accountability. That means you can demonstrate who transported the device, when, and where it went, and that access was controlled every step of the way. People overlook this, especially with backup tapes or cloud storage locations.
Roz the Rulemaker
I remember this from my days advising federal agencies—a case where they had reasonable technical protections, but terrible removable media logs. A portable drive with sensitive project files was checked out but never logged back in. No paper trail, no user assigned. They only noticed months later during a routine audit. That triggered a full data incident notification, because you can’t prove what happened. It was a great example of why policies matter, yes, but so do real follow-through and accountability on backup CUI—especially under MP.L2-3.8.9, which says backup CUI must be protected, whether it’s stored locally or in some offsite bunker.
Paul Netopski
And don’t forget—with cloud storage, same principles apply. Just because an external provider holds your backups doesn’t mean you’re off the hook with CUI confidentiality. Always verify their controls and maintain your own audit logs.
Chapter 4
Implementing Media Handling Policies
Eric Marquette
Alright, so now that everybody’s scared of rogue USB sticks—how do you actually build policies to avoid all these pitfalls? You can’t just staple a copy of the CMMC practices to the break room wall and call it a day.
Roz the Rulemaker
Exactly. You need comprehensive, written procedures for classifying, labeling, and handling any media containing CUI. That means every team—from IT to HR to facilities—knows precisely what needs to be labeled, how to secure it, and who’s responsible at each step. And it’s gotta be consistent. Policies should outline not just what to do, but how, when, and by whom.
Paul Netopski
And then there’s the technical side—strict access controls and authentication for all digital CUI media. Think multifactor for any kind of remote or privileged access; role-based permissions; even disabling device interfaces where practical. We talked about MFA requirements in a past episode—same story here. Without strict controls, you’re not truly limiting access to authorized users.
Eric Marquette
Regular training is huge. It’s easy to forget what goes into proper handling if folks aren’t reminded and tested regularly. Plus, those little lapses—like assuming a locked conference room equals secure storage—add up. Assessors love finding inconsistencies between policy and what’s happening on the ground.
Roz the Rulemaker
Yeah, and ongoing audits are critical too. In my experience, organizations that treat audits as continuous improvement tools—not just something to “pass”—do much better year over year. Proactive checks catch gaps before an assessor does.
Paul Netopski
Exactly. You want to make lessons from past incidents or findings part of your policy review process. Update your procedures after every assessment or near-miss. That’s how you build muscle memory across the whole organization.
Chapter 5
Auditing and Continuous Improvement of Media Security
Paul Netopski
Speaking of audits, the final piece of this puzzle is continuous monitoring and improvement. MP controls aren’t a one-and-done thing—you need ongoing audits, regular spot checks, and compliance reporting to make sure your policies are working as intended. You don’t want to be caught off guard by an assessor or, worse, an incident.
Eric Marquette
What I’ve seen work best is a mix of scheduled and surprise audits. Document your walkthroughs and findings—if you spot a lapse in media storage or questionable use of a thumb drive, log it and address it. And use those findings, not just as evidence, but as a springboard for fixes. That means targeted corrective actions—patch the specific problem, update your training, and make sure folks don’t repeat the same mistakes.
Roz the Rulemaker
Exactly. You want a feedback loop, where lessons from audits get folded into the next wave of policy updates or staff training. It’s about creating a living program that evolves with new real-world risks, regulatory changes, and even shifting technologies. Create the expectation that everyone helps drive media security forward—not just compliance teams or IT.
Paul Netopski
And remember, the best organizations actually celebrate improvements. They treat lessons learned as a win, not a punishment. That’s how you turn compliance from a headache into a real security asset.
Eric Marquette
Well said, Paul. And that’s where we’re gonna wrap for today. Thanks, Roz, Paul—always a pleasure. And thanks to all of you listening. We’ll be back soon to tackle the next piece of the CMMC puzzle. Until then: keep your CUI protected, your drives labeled, and your audit logs up to date. Take care, everyone!
Paul Netopski
Thanks, Eric. Always a great discussion—see everyone next time!
Roz the Rulemaker
Goodbye everyone, and remember: rules are your friends—if you write them down and actually follow them. See you next episode!
