NIST SP 800-171 & CMMC 2.0 Control 3.8.2 Requirement:

Limit access to “Controlled Unclassified Information” (CUI) on system media to authorized users.

NIST SP 800-171 & CMMC 2.0 3.8.2 Requirement Explanation:

By only allowing authorized persons access to “Controlled Unclassified Information” (CUI) you can reduce the risk of it being exposed to unauthorized persons. Limit physical access to CUI to people permitted to access CUI. Use locked or controlled storage areas and limit access to only those allowed to access CUI. Keep track of who accesses to CUI in an audit log.

Example NIST SP 800-171 & CMMC 2.0 3.8.2 Implementation:

Create an inventory of media (e.g., external drives) containing “Controlled Unclassified Information” (CUI). Store them in a locked container such as a file cabinet. Only provide access to the container to authorized persons. Requiring them to sign media in and out when they handle it.

NIST SP 800-171 & CMMC 2.0 3.8.2 Scenario(s):

- Scenario 1:

The DoD has provided you with “Controlled Unclassified Information” (CUI) on a CD. To protect it, you store it in a locked file cabinet. Only authorized persons may access the file cabinet. When an employee wants to take possession of the CD they must sign their name, time, and date on a sheet.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.