CMMC Practice Requirement:

Limit access to “Controlled Unclassified Information” (CUI) on system media to authorized users.

CMMC Requirement Explanation:

By only allowing authorized persons access to “Controlled Unclassified Information” (CUI) you can reduce the risk of it being exposed to unauthorized persons. Creating an inventory for “Controlled Unclassified Information” (CUI), securely storing it, and document who has possession of it all support this practice.

Example CMMC Implementation:

Create an inventory of media (e.g., external drives) containing “Controlled Unclassified Information” (CUI). Store them in a locked container such as a file cabinet. Only provide access to the container to authorized persons. Requiring them to sign media in and out when they handle it.


- Scenario 1:

The DoD has provided you with “Controlled Unclassified Information” (CUI) on a CD. To protect it you store it in a locked drawer and only provide access to the drawer to persons working on the DoD project. When an employee wants to take possession of the CD they must sign their name, time, and date.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance