
How to Prepare for a CMMC 2.0 Level 2 Assessment: Demonstrating Compliance with MP.L2-3.8.1 for Media Protection — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.1

Practical guidance for small businesses to implement, document, and demonstrate MP.L2-3.8.1 (protecting physical and digital media containing CUI) for CMMC 2.0 Level 2 assessments.

March 27, 2026
4 min read


MP.L2-3.8.1 requires organizations to protect system media containing Controlled Unclassified Information (CUI) — both physical (paper, removable media) and digital (file shares, backups) — and for a small business preparing for a CMMC 2.0 Level 2 assessment, that protection must be demonstrable through policies, technical controls, processes, and evidence aligned to NIST SP 800-171 Rev.2 and the Compliance Framework.

Understanding what assessors will look for

Assessors expect a clear statement of how you "protect (i.e., physically control and securely store) system media" that contains CUI. Key objectives are: maintain an inventory of media, limit access through role-based controls, enforce encryption for data at rest and in transit, secure physical storage, control and track removable media, and ensure secure sanitization or destruction when media is no longer needed. For Compliance Framework mapping, MP.L2-3.8.1 aligns directly to NIST SP 800-171 requirement 3.8.1 — your documentation and technical evidence must show implemented controls, not just policies.

Practical implementation steps for a small business

Start by creating a media inventory that lists media type (laptop, external HDD, USB, printed documents, backup tapes), owner, CUI classification, storage location, and retention requirement. Adopt a media protection policy that mandates encryption for laptops and removable media, locked storage for paper and archived media, and chain-of-custody procedures for transfers. Implement device controls via an MDM or endpoint management solution to enforce full-disk encryption (BitLocker, FileVault) and to prevent unauthorized use of USB ports where feasible. For physical media, use locked cabinets with access logs or badge control and require signed transfer receipts for any media that leaves your controlled environment.

Technical controls and specific configurations

For technical compliance, configure full-disk encryption with industry-standard algorithms and validated modules (AES-256 with FIPS 140-2/3 compliant crypto modules where available). Use BitLocker with TPM 2.0 and group policy settings to require encryption on Windows endpoints and escrow recovery keys to Active Directory/Intune; enable FileVault for macOS with institutional recovery keys. For removable media, require BitLocker To Go or hardware-encrypted USB drives (AES-256 hardware keys) and prohibit unencrypted external storage. For data in transit use SFTP, HTTPS/TLS 1.2+ or site-to-site VPNs; enforce strong certificates and cipher suites. Maintain centralized configuration records and screenshots showing encryption enforcement, MDM compliance reports, and firewall/VPN logs to evidence in-transit protections.

Documenting evidence for a CMMC 2.0 Level 2 assessment

Assessors will want artifacts: an up-to-date System Security Plan (SSP) describing how MP.L2-3.8.1 is implemented; a media inventory; the media protection policy and procedures; screenshots of encryption status and MDM compliance reports; audit logs for access to locked storage or transfer receipts; signed chain-of-custody forms; certificates of destruction or sanitization records (see NIST SP 800-88); training records showing staff awareness; and any POA&Ms describing planned remedial actions. Keep recovery key escrow evidence and configuration exported settings (GPO, Intune profiles) to demonstrate enforcement rather than reliance on user choice.
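One way to produce the encryption-status evidence described above is to collect it from the endpoint itself rather than from screenshots. The following script is an added example, not code from the article or from any vendor; it assumes a Windows 10/11 endpoint with the built-in BitLocker and TrustedPlatformModule modules, and the evidence directory path is an assumed value.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: gather per-volume BitLocker and TPM state
# on one Windows endpoint and write it to CSV as an MP.L2-3.8.1 evidence artifact.
# Assumes Windows 10/11 with the BitLocker and TrustedPlatformModule modules (built in);
# $EvidenceDir is an assumed path, not one the article specifies.
param(
    [string]$EvidenceDir = 'C:\CMMC-Evidence\MP.L2-3.8.1'
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$tpm   = Get-Tpm   # TpmPresent/TpmReady show the key is hardware-bound, not a user secret

$rows = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    # Tpm, TpmPin, TpmStartupKey and TpmPinStartupKey all bind the volume key to the TPM.
    $tpmBound    = [bool]($types | Where-Object { $_ -like 'Tpm*' })
    # The RecoveryPassword protector is the object that gets escrowed to AD/Entra ID;
    # the escrow record itself is exported from the directory, not from the endpoint.
    $hasRecovery = $types -contains 'RecoveryPassword'

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        CollectedUtc     = (Get-Date).ToUniversalTime().ToString('o')
        MountPoint       = $vol.MountPoint
        VolumeType       = [string]$vol.VolumeType          # OperatingSystem / Data
        ProtectionStatus = [string]$vol.ProtectionStatus    # expect On
        VolumeStatus     = [string]$vol.VolumeStatus        # expect FullyEncrypted
        EncryptionMethod = [string]$vol.EncryptionMethod    # expect XtsAes256 (AES-256)
        KeyProtectors    = ($types -join ';')
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        # Pass only when protection is on, AES-256 is in use, the key is TPM-bound,
        # and a recovery password exists to be escrowed.
        Compliant        = ([string]$vol.ProtectionStatus -eq 'On' -and
                            [string]$vol.EncryptionMethod -eq 'XtsAes256' -and
                            $tpmBound -and $hasRecovery)
    }
}

$csv = Join-Path $EvidenceDir "bitlocker-$($env:COMPUTERNAME)-$stamp.csv"
$rows | Export-Csv -Path $csv -NoTypeInformation
# Keep the raw tool output alongside the CSV as corroborating evidence.
manage-bde -status | Out-File -FilePath (Join-Path $EvidenceDir "manage-bde-$($env:COMPUTERNAME)-$stamp.txt")
$rows | Format-Table MountPoint, ProtectionStatus, EncryptionMethod, KeyProtectors, Compliant -AutoSize
```

Run it from your MDM or a scheduled task and retain the dated CSVs with the matching Intune or AD recovery-key export, so the assessor sees enforcement over time rather than a single screenshot.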

Real-world examples and scenarios

Example 1 — Small defense contractor (15 employees): The company enrolls all employee laptops in Microsoft Intune, enforces BitLocker with TPM and requires BitLocker recovery keys to be backed up to Azure AD. Removable media is disabled for most users; field technicians receive employer-issued hardware-encrypted USBs and sign a chain-of-custody form when they take media off-site.

Example 2 — Remote-first consultant handling CUI: The firm uses an enterprise file sync service (with tenant-level encryption and sensitivity labels), prevents local downloads where possible, and leverages SFTP for file exchanges with clients. For physical paperwork, they use locked courier services and retain delivery receipts and destruction certificates when paper is scanned and shredded.

Risks of not implementing MP.L2-3.8.1 and mitigation

Failing to implement these controls increases the risk of CUI exposure through lost or stolen devices, unencrypted backups, or improper disposal — outcomes that can lead to data breaches, contractual penalties, loss of DoD contracts, and reputational harm. Technically, unprotected media makes lateral movement and exfiltration easier for attackers. Mitigation includes minimizing the number of media containing CUI, using default-deny device control, escrow of encryption keys, routine audits of media inventory, and immediate incident response playbooks for suspected media loss.

Compliance tips and best practices

Practical tips:

1) Automate inventory and compliance reporting via MDM/asset-management tools so you can produce evidence quickly during assessment.
2) Use hardware encryption and institutional key escrow to avoid dependence on user-managed passwords.
3) Apply NIST SP 800-88 Rev.1 guidance for sanitization (clear, purge, destroy) and retain certificates of destruction for physical media.
4) Train staff quarterly on handling CUI and require signed acknowledgements.
5) Document all exceptions and include them in your POA&M with realistic remediation milestones.

During pre-assessment readiness, run a gap analysis against each artifact the assessor will request and perform table-top exercises for media transfer incidents.
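The media inventory from the implementation steps and the gap analysis recommended here can be combined into one repeatable check. The script below is an added example, not from the article or any product; the column names, policy rules and sample rows are constructed for illustration and should be mapped to your own inventory export.

```powershell
# Added example, not from the original article: a policy gap check over a media inventory,
# producing findings you can carry into the POA&M. Column names, rules and the sample rows
# are constructed for illustration; adapt them to your own inventory export.
$sampleCsv = @'
AssetId,MediaType,Owner,ContainsCUI,Encrypted,StorageLocation,Locked,RetentionEnd,DestructionCert
LT-001,Laptop,jdoe,Yes,Yes,Office 2B,No,2027-12-31,
USB-007,USB,field-tech-1,Yes,No,Vehicle kit,No,2026-06-30,
BOX-012,Paper,records,Yes,NA,Cabinet 3,Yes,2025-01-31,
TAPE-003,BackupTape,it-ops,Yes,Yes,Offsite vault,Yes,2024-11-30,CERT-2025-0142
LT-002,Laptop,,No,Yes,Desk,No,2028-01-01,
'@

function New-Finding ($Item, $Severity, $Message) {
    [pscustomobject]@{ AssetId = $Item.AssetId; Severity = $Severity; Finding = $Message }
}

function Test-MediaInventory {
    param([object[]]$Items, [datetime]$AsOf)
    foreach ($m in $Items) {
        $cui         = $m.ContainsCUI -eq 'Yes'
        $isPhysical  = $m.MediaType -eq 'Paper'
        $isRemovable = $m.MediaType -in @('USB', 'ExternalHDD', 'BackupTape')
        # Every item needs an accountable owner, CUI or not.
        if (-not $m.Owner) { New-Finding $m 'Medium' 'No accountable owner recorded' }
        # Digital CUI media must be encrypted at rest (policy: AES-256, escrowed keys).
        if ($cui -and -not $isPhysical -and $m.Encrypted -ne 'Yes') {
            New-Finding $m 'High' 'CUI on digital media without encryption at rest'
        }
        # Paper and removable media holding CUI must sit in locked, access-logged storage.
        if ($cui -and ($isPhysical -or $isRemovable) -and $m.Locked -ne 'Yes') {
            New-Finding $m 'High' 'CUI media not in locked storage'
        }
        # Past retention with no sanitization record breaks the NIST SP 800-88 trail.
        if ([datetime]$m.RetentionEnd -lt $AsOf -and -not $m.DestructionCert) {
            New-Finding $m 'Medium' 'Past retention date with no destruction/sanitization certificate'
        }
    }
}

$inventory = $sampleCsv | ConvertFrom-Csv
$findings  = @(Test-MediaInventory -Items $inventory -AsOf (Get-Date '2026-03-27'))
$findings | Sort-Object Severity, AssetId | Format-Table -AutoSize
$findings | Export-Csv -Path '.\mp-3.8.1-gap-findings.csv' -NoTypeInformation
```

Replace the here-string with `Import-Csv` over your real inventory and schedule the run so the findings file becomes a dated artifact in its own right.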

In summary, demonstrating compliance with MP.L2-3.8.1 for CMMC 2.0 Level 2 is a combination of clear policies, enforceable technical controls (encryption at rest and in transit, MDM enforcement, secure transfer methods), physical protections, documented sanitization, and airtight evidence (SSP, inventories, logs, and receipts). For small businesses, prioritize reducing exposure (fewer devices with CUI), automating enforcement, and maintaining a small, easily auditable trail of artifacts to present to assessors — doing so reduces risk and positions you to pass the assessment with confidence.
