NIST 800-171 Media Protection Controls in GCC High: Complete Configuration Guide

  • January 11, 2026
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Anna Fitzgerald

Senior Content Marketing Manager

Media Protection is the control family that asks a deceptively simple question: where can CUI exist, and what keeps it protected there? In a GCC High environment, that question goes far beyond paper records and USB drives. It includes SharePoint libraries, OneDrive folders, Exchange mailboxes, Teams messages, endpoint hard drives, portable storage devices, and backup media. If CUI can be stored, copied, transported, or disposed of there, the MP family applies.

That is what makes this family more important than many organizations expect. A C3PAO is not just checking whether your files are stored in Microsoft’s encrypted cloud. They are evaluating whether CUI media is stored only in approved locations, marked correctly, access-restricted, encrypted when transported, controlled when removable, protected in backups, and sanitized appropriately before disposal or reuse.

GCC High provides several important building blocks for the family. Microsoft encrypts cloud-stored data at rest, supports sensitivity labels and DLP in Purview, provides BitLocker and removable media controls through Intune, and offers additional device control capabilities through Defender for Endpoint. But Media Protection is still a heavily shared family. Some controls depend on tenant configuration, some depend on organizational procedures outside Microsoft 365, and several require both.

This is Part 8 of the NIST 800-171 GCC High Configuration Guide. It assumes you already have a functioning Microsoft 365 GCC High tenant, understand the shared responsibility model, and are implementing against NIST SP 800-171 Rev. 2.

Media Protection family overview

The Media Protection family includes nine controls focused on protecting media containing CUI, limiting access to that media, sanitizing it before disposal or reuse, marking it appropriately, maintaining accountability during transport, encrypting portable storage, controlling removable media, prohibiting unknown portable storage devices, and protecting the confidentiality of backups.

| Control | Title | What it requires in practice | Responsibility |
| --- | --- | --- | --- |
| 3.8.1 | Protect system media containing CUI | Ensure media containing CUI is securely stored and physically controlled, including both cloud-resident digital media and any physical or printed media. | Shared: Microsoft protects cloud infrastructure and encrypted storage; customer defines approved storage locations and physical handling procedures |
| 3.8.2 | Limit access to CUI on system media | Restrict access to CUI on system media to authorized users through permissions, encryption, DLP, and supporting governance. | Customer configuration and process |
| 3.8.3 | Sanitize or destroy media before disposal or reuse | Sanitize or destroy customer-controlled media before disposal or release for reuse, using documented methods and retained records. | Customer process |
| 3.8.4 | Mark media with CUI markings and distribution limitations | Apply appropriate CUI markings and distribution limitations to digital and physical media containing CUI. | Shared: Microsoft provides labeling capabilities; customer configures labels and handles physical marking procedures |
| 3.8.5 | Control access and maintain accountability during transport | Control access to media containing CUI and maintain accountability for that media when it is transported outside controlled areas. | Shared: Microsoft supports digital access control; customer owns transport accountability and physical handling |
| 3.8.6 | Cryptographic protection for portable storage | Use encryption to protect the confidentiality of CUI stored on digital media during transport outside controlled areas. | Customer configuration and process |
| 3.8.7 | Control use of removable media | Restrict or allowlist removable media use on in-scope systems and enforce the policy consistently. | Customer configuration and process |
| 3.8.8 | Prohibit portable storage devices with no identifiable owner | Prohibit the use of unknown or untracked portable storage devices and support that prohibition with policy, inventory, and training. | Customer process |
| 3.8.9 | Protect confidentiality of backup CUI | Protect backup copies of CUI through encryption, restricted access, and documented handling for all backup storage locations. | Customer configuration and process, with shared reliance on Microsoft encryption for native cloud storage |

At a practical level, this family breaks into three implementation groups. Some controls are shared between Microsoft and your organization, especially where the platform protects cloud-stored data but your team still has to define approved storage locations, control access, or document handling procedures. Some require direct configuration in your GCC High tenant, particularly around labeling, encryption, DLP, and removable media enforcement. Others are primarily customer-owned because they deal with physical handling, sanitization, disposal, transport, and organizational accountability outside the Microsoft platform.

Operationally, the family tends to cluster around three themes: where CUI is allowed to live, who can access or move it, and how it is protected through its full lifecycle from storage to transport to disposal.

If Access Control governs who should have access to CUI, Media Protection governs how the actual media containing that CUI is stored, labeled, transported, and ultimately destroyed.

MP controls and CMMC scope

The MP family applies across the full CMMC assessment boundary. Any in-scope system, endpoint, storage location, portable device, collaboration workload, or physical medium that can contain CUI falls within the reach of these controls.

That is especially important in enclave architectures. Organizations often think of media protection in terms of cloud storage alone, but the real boundary is broader. If a user downloads a controlled file to an endpoint, copies it to removable storage, prints it, exports it through email, retains it in a backup, or carries it outside a controlled area, the MP family is now in play. In other words, the control family follows the media, not just the original workload where the file was created.

This is also one of the clearest places where hidden scope appears. Teams may believe CUI is confined to a handful of SharePoint sites, only to discover that the same content is cached locally on laptops, retained in mailbox attachments, copied into Teams, printed for meetings, or included in third-party backups. A strong scoping model for MP is not just about where CUI is supposed to be stored. It is about every location where it can realistically persist or travel.

| In-scope area | What must be addressed | Common MP concern |
| --- | --- | --- |
| SharePoint Online and OneDrive | Approved CUI storage locations, permissions, sensitivity labels, DLP policies, encryption, and auditability of access. | CUI is stored in broadly accessible or unapproved sites, folders, or user storage locations. |
| Exchange Online and Teams | Email attachments, messages, and shared files containing CUI must be labeled, access-restricted, and governed by storage and sharing rules. | CUI spreads into collaboration and messaging locations without equivalent media controls. |
| Managed endpoints | Endpoint encryption, local file handling, cached CUI, removable media restrictions, and device compliance tied to CUI access. | CUI is downloaded or cached locally on devices that are not encrypted or tightly controlled. |
| Portable and removable media | Encryption, allowlisting or blocking, ownership tracking, transport accountability, and prohibition of unknown devices. | USB devices are governed by policy only, with no technical enforcement or inventory. |
| Backup systems and backup media | Encryption at rest, storage location, access restrictions, media inventory, and restore governance for backup copies of CUI. | Third-party or offline backups exist outside the main GCC High workflow without clear encryption or access documentation. |
| Printed and physical media | Marking, secure storage, transport logging, destruction procedures, and physical access restrictions. | Cloud controls are mature, but printed documents and physical media are handled informally. |
| Enclave boundary | Every location where CUI can persist, be copied, be transported, or be disposed of within the assessment boundary. | The organization scopes cloud repositories but overlooks endpoints, exports, printouts, or backups that also contain CUI. |

How media protection works in GCC High

Before walking through the controls, it helps to understand the architecture you are actually using in GCC High.

Microsoft Purview provides much of the classification and policy layer for the MP family. Sensitivity labels can apply CUI markings, encryption, and usage restrictions to files and emails. Data Loss Prevention policies can help keep CUI from being shared, copied, or stored in unauthorized ways.

Intune supports several of the endpoint-focused protections in this family. It can enforce BitLocker, require encryption for portable media, and apply configuration policies that restrict removable storage behavior. Defender for Endpoint adds stronger device control and more granular visibility for organizations that want to monitor or allowlist specific devices rather than rely only on basic blocking.

SharePoint Online, OneDrive, and Exchange Online provide the primary storage and collaboration layer for cloud-resident CUI. Microsoft encrypts this data at rest by default, but your organization still needs to decide which sites, mailboxes, libraries, and locations are approved to store it. Conditional Access, permissions, label-based encryption, and DLP all play a role in keeping that storage model defensible.

Just as important, some of the most consequential MP controls do not live mainly in Microsoft 365 at all. Sanitization, physical marking, transport logs, media inventories, and backup handling often depend more on your written procedures and operational discipline than on any portal setting.

What GCC High configures by default

Three MP controls are supported in part by the platform, but none of them are satisfied by Microsoft alone.

3.8.1 Protect system media containing CUI

MP.L2-3.8.1

This control requires media containing CUI to be physically controlled and securely stored.

For cloud-resident digital media, Microsoft provides strong underlying protections. Data stored in SharePoint Online, OneDrive, and Exchange Online is encrypted at rest within Microsoft’s authorized government cloud infrastructure. The physical datacenter protections that support those services are part of Microsoft’s own cloud operations and compliance obligations.

That helps, but it is only part of the control. Your organization still has to define where CUI is authorized to be stored, make sure it is not ending up in unapproved locations, and describe how physical media and printed material are controlled outside the cloud platform. A C3PAO will usually want to see both sides addressed: the platform protection Microsoft provides and the location, storage, and handling rules your organization enforces.

This control usually weakens when organizations rely on “Microsoft encrypts everything” as the whole answer while leaving approved storage locations undefined or physical media handling undocumented.

3.8.4 Mark media with CUI markings and distribution limitations

MP.L2-3.8.4

This control is where Purview sensitivity labels become central.

In a GCC High implementation, sensitivity labels are the most natural way to apply digital CUI markings to files and emails. They can add headers, footers, watermarks, and encryption while also helping enforce how content is handled after it is created. For many organizations, this is the practical bridge between regulatory CUI marking requirements and day-to-day Microsoft 365 usage.

At the same time, this is not only a digital control. Physical media such as printed documents, removable drives, and backup media also need marking procedures where applicable. That part is entirely your responsibility.

The strongest implementations here do three things well. They create labels that reflect the organization’s actual CUI handling needs, they publish those labels in a way users can actually apply them, and they reinforce manual labeling with auto-labeling or supporting policy where possible. The weakest implementations create a “CUI” label in Purview and stop there.

A common finding in this control family is that labeling exists conceptually but not operationally. The labels are drafted, but not published. Or they are published, but they do not include usable marking conventions. Or digital labels exist, but nothing addresses printed or portable media.

3.8.5 Control access to CUI media and maintain accountability during transport

MP.L2-3.8.5

This control has two distinct dimensions: controlling access to media containing CUI and maintaining accountability for that media when it is transported outside controlled areas.

For digital media in GCC High, access control is supported through SharePoint permissions, Exchange and OneDrive access controls, sensitivity-label encryption, Conditional Access, and audit logging. That makes the Microsoft side of the control fairly strong, but it still depends on the organization configuring access narrowly and keeping CUI storage locations well defined.

The transport accountability part of the control is much more customer-owned. If physical media or portable storage leaves a controlled area, you need a transport and receipt process that shows who sent it, who received it, how it was protected in transit, and how accountability was maintained.

This is one of the places where cloud-first organizations sometimes under-document reality. They do a decent job restricting access in SharePoint, but they have no formal process for hand-carried drives, mailed documents, courier shipments, or receipt confirmation for transported media.

The four MP controls you must configure yourself

These are the controls where direct configuration in GCC High and on managed endpoints does most of the work.

3.8.2 Limit access to CUI on system media to authorized users

MP.L2-3.8.2

This control requires that access to CUI on system media be limited to authorized users. In practice, this means the organization needs a defined authorization model and technical enforcement that matches it.

For cloud-stored CUI, that usually starts with dedicated security groups for approved users and explicitly permissioned SharePoint sites, document libraries, and related storage locations. Broad inheritance, “everyone except external users,” or ad hoc sharing models are very difficult to defend here.

Sensitivity-label encryption strengthens this control because it lets protection travel with the file even if the content is moved outside the original SharePoint site or mailbox. DLP can add another layer by blocking unauthorized sharing or copying of labeled content across Exchange, SharePoint, OneDrive, Teams, and devices.

This control is also where governance matters. Access should not only be restricted technically. There should also be a process for approving, reviewing, and removing CUI access over time.

Common weaknesses include broad cloud permissions, labels that mark content without actually restricting access, and no documented review process to confirm that authorized users still need that access.

3.8.6 Implement cryptographic mechanisms to protect CUI on digital media during transport

MP.L2-3.8.6

This control is fundamentally about encryption for portability. If digital media containing CUI is transported outside controlled areas, the confidentiality of that media needs to be protected cryptographically.

In a Windows-centric GCC High environment, BitLocker is usually the foundation for this control. Fixed drives on managed endpoints should be encrypted, and removable storage should be governed through BitLocker To Go or an equivalent approved mechanism. The most defensible implementations also block write access to unencrypted removable media so users cannot copy CUI to a portable device that lacks protection.

This control usually becomes much stronger when tied to device compliance. If an endpoint is not encrypted, it should not remain compliant for CUI access. That linkage turns encryption from a one-time deployment goal into an enforceable access condition.

A common assessment problem here is assuming that BitLocker deployment equals compliance. In practice, assessors often find a small but important percentage of devices that never encrypted properly, lost protection state, or were never brought under policy. That is why reporting and verification matter just as much as the policy itself.

3.8.7 Control the use of removable media on system components

MP.L2-3.8.7

This control requires that removable media usage be actively controlled on in-scope systems.

The strongest answer is usually a block-by-default model. Defender for Endpoint device control can support granular policies that deny removable storage broadly while allowlisting only specific approved devices. Intune device restriction profiles can also help, though they are generally less granular than a full Defender device control deployment.

The important point is that this control needs actual enforcement. A written statement that users are not supposed to use USB drives is not enough if any endpoint in the enclave will still accept them. Assessors typically want to see policy, technical control, and evidence that the policy is being applied consistently across in-scope devices.

Organizations that do allow specific removable media need an inventory and assignment model behind that decision. Without it, the organization ends up with a vague exception process that is difficult to defend.

This control often fails when only some devices are covered, when read access is left broadly open without justification, or when approved-device inventories are incomplete and poorly maintained.

3.8.9 Protect the confidentiality of backup CUI at storage locations

MP.L2-3.8.9

This control requires the confidentiality of backup CUI to be protected at storage locations.

In GCC High, part of this control is supported by the encrypted cloud storage architecture of Microsoft 365 itself. Retention features, service-side encryption, and native storage protections all help. But that does not eliminate customer responsibility. Your organization still needs to understand where backups exist, what systems create them, whether third-party backup tools are in use, where that backup data is stored, and how encryption and access control are enforced at those locations.

This is especially important when the environment includes third-party Microsoft 365 backup tooling or on-premises backup infrastructure. Those backup copies may sit outside the direct Microsoft 365 boundary, which means the organization has to be ready to explain the encryption model, storage location, key handling approach, and access restrictions independently.

The control often becomes weak when organizations rely on native Microsoft encryption for primary cloud storage but do not fully understand how their third-party or offline backups are protected. Backup CUI is still CUI, and assessors treat it that way.

The two MP controls that are primarily customer-owned

These controls are less about tenant configuration and more about operational policy, physical handling, and procedural evidence.

3.8.3 Sanitize or destroy media before disposal or release for reuse

MP.L2-3.8.3

This control requires media to be sanitized or destroyed before disposal or reuse.

For Microsoft-managed cloud infrastructure, Microsoft handles the sanitization of its own storage media. But for your organization’s endpoints, removable drives, printed records, backup media, and other customer-controlled assets, this is your responsibility.

A defensible implementation usually starts by adopting a defined sanitization standard such as NIST SP 800-88 and then mapping approved methods to the media types your organization actually uses. Hard drives, SSDs, USB media, optical media, tape, and paper do not all require the same treatment, and assessors often look closely at whether the organization understands that distinction.

Just as important, this control is about records as much as method. If media was sanitized or destroyed but the organization kept no log, certificate, or chain-of-custody record, it becomes difficult to prove the control was followed. Informal disposal is one of the fastest ways to weaken this control family.

3.8.8 Prohibit portable storage devices with no identifiable owner

MP.L2-3.8.8

This control is conceptually simple but easy to under-document.

The organization must prohibit the use of portable storage devices when those devices have no identifiable owner. In practice, this means no found USB drives, no gifted media, no unlabeled personal devices, and no untracked removable storage introduced into the environment.

If 3.8.7 is implemented well with a block-by-default or allowlist model, much of this control is reinforced technically. But the core obligation is still procedural. You need an inventory of approved portable storage, a policy stating that unknown devices are prohibited, training that explains the risk, and an incident path for reporting or handing over found devices.

This control often breaks down when the technical controls are decent but the organization has never written down the rule itself. A device-control policy can help block unknown USB devices, but assessors still expect supporting policy language, user guidance, and accountability records.

A practical PowerShell reference for the MP family

The following PowerShell commands help administrators quickly verify several Media Protection controls in a GCC High environment. These examples focus on areas where assessors often request evidence, including CUI access group membership, device encryption status, removable media policy deployment, and the managed device inventory that supports backup protection visibility.

Verify CUI authorized user access (supports 3.8.2)

This command exports the membership of the security group used to control access to CUI storage locations.

# Connect to Microsoft Graph (GCC High)
Connect-MgGraph -Environment USGov -Scopes "Group.Read.All","User.Read.All"

# Retrieve the CUI authorized users group
$CUIGroup = Get-MgGroup -Filter "displayName eq 'SG-CUI-Authorized-Users'"

# Export membership list
Get-MgGroupMember -GroupId $CUIGroup.Id -All |
    Select-Object @{N="DisplayName";E={$_.AdditionalProperties.displayName}},
                  @{N="UserPrincipalName";E={$_.AdditionalProperties.userPrincipalName}} |
    Export-Csv -Path "CUI_Authorized_Users.csv" -NoTypeInformation

Assessors often request this export to confirm that access to CUI storage locations is limited to approved personnel.

Verify endpoint encryption status (supports 3.8.6)

This command exports BitLocker encryption status for all managed devices in the environment.

# Connect to Microsoft Graph (GCC High)
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementManagedDevices.Read.All"

# Export device encryption status
Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName,
                  UserPrincipalName,
                  IsEncrypted,
                  ComplianceState,
                  OperatingSystem |
    Export-Csv -Path "Device_Encryption_Status.csv" -NoTypeInformation

This export helps demonstrate that endpoints capable of storing CUI are encrypted.

Identify unencrypted devices (supports 3.8.6)

This command highlights any devices that may fall out of encryption compliance.

Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.IsEncrypted -eq $false } |
    Select-Object DeviceName,
                  UserPrincipalName,
                  ComplianceState,
                  OperatingSystem |
    Export-Csv -Path "Unencrypted_Devices.csv" -NoTypeInformation

Security teams often include this report in their evidence package to show active monitoring of encryption compliance.
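Added example, not from the original article: one way to turn the managed-device data above into the verification the 3.8.6 discussion calls for, flagging devices that report no encryption, devices still marked compliant while unencrypted, devices with no compliance evaluation, and devices whose last check-in is stale. The function name `Get-EncryptionGap`, the 14-day staleness threshold and the sample rows are assumptions; property names follow the Graph managed device objects used above.

```powershell
# Added example (not from the original article). Sample rows are constructed;
# the function name and the 14-day staleness threshold are assumptions.
function Get-EncryptionGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [int] $StaleAfterDays = 14,
        [datetime] $AsOf = (Get-Date)
    )

    foreach ($d in $Devices) {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Export-Csv writes booleans as text, so accept both $true and 'True'.
        $encrypted  = "$($d.IsEncrypted)" -eq 'True'
        $compliance = "$($d.ComplianceState)"

        if (-not $encrypted) {
            $findings.Add('Unencrypted')
            # If the device still passes compliance, encryption is not tied to CUI access.
            if ($compliance -eq 'compliant') { $findings.Add('CompliantWhileUnencrypted') }
        }

        # No compliance evaluation means the device was never brought under policy.
        if ($compliance -eq 'unknown') { $findings.Add('NoComplianceEvaluation') }

        # A missing or stale check-in means the reported state may be outdated.
        $ageDays = $null
        if ($d.LastSyncDateTime) {
            $ageDays = [math]::Round(($AsOf - [datetime] $d.LastSyncDateTime).TotalDays)
            if ($ageDays -gt $StaleAfterDays) { $findings.Add('StaleCheckIn') }
        }
        else {
            $findings.Add('NeverSynced')
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                DeviceName        = $d.DeviceName
                UserPrincipalName = $d.UserPrincipalName
                LastSyncDays      = $ageDays
                Findings          = $findings -join ', '
            }
        }
    }
}

# Constructed sample rows standing in for Get-MgDeviceManagementManagedDevice output.
$asOf   = [datetime] '2026-01-11'
$sample = @(
    [pscustomobject]@{ DeviceName = 'LT-ENG-001'; UserPrincipalName = 'user1@contoso.example'
                       IsEncrypted = $true;  ComplianceState = 'compliant';    LastSyncDateTime = '2026-01-10' }
    [pscustomobject]@{ DeviceName = 'LT-ENG-002'; UserPrincipalName = 'user2@contoso.example'
                       IsEncrypted = $false; ComplianceState = 'compliant';    LastSyncDateTime = '2026-01-09' }
    [pscustomobject]@{ DeviceName = 'LT-OPS-003'; UserPrincipalName = 'user3@contoso.example'
                       IsEncrypted = $false; ComplianceState = 'noncompliant'; LastSyncDateTime = '2026-01-11' }
    [pscustomobject]@{ DeviceName = 'LT-OPS-004'; UserPrincipalName = 'user4@contoso.example'
                       IsEncrypted = $true;  ComplianceState = 'compliant';    LastSyncDateTime = '2025-11-02' }
    [pscustomobject]@{ DeviceName = 'WS-LAB-005'; UserPrincipalName = 'user5@contoso.example'
                       IsEncrypted = $false; ComplianceState = 'unknown';      LastSyncDateTime = $null }
)

$gaps = @(Get-EncryptionGap -Devices $sample -AsOf $asOf)
$gaps | Format-Table -AutoSize

# Coverage summary for the evidence package.
$encryptedCount = @($sample | Where-Object { "$($_.IsEncrypted)" -eq 'True' }).Count
'{0} of {1} devices report encryption; {2} need follow-up' -f $encryptedCount, $sample.Count, $gaps.Count
```

Against a live tenant, pass the output of `Get-MgDeviceManagementManagedDevice -All` as `-Devices` in place of the sample rows.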

List removable media control policies (supports 3.8.7)

This command lists Intune device configuration profiles whose display names contain “removable” or “device control.”

# Connect to Microsoft Graph (GCC High)
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementConfiguration.Read.All"

# Retrieve device configuration profiles
Get-MgDeviceManagementDeviceConfiguration -All |
    Where-Object { $_.DisplayName -like "*removable*" -or $_.DisplayName -like "*device control*" } |
    Select-Object DisplayName,
                  Id,
                  LastModifiedDateTime |
    Format-Table -AutoSize

This helps verify that removable media restrictions are configured and deployed to managed endpoints.
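Added example, not from the original article: a reconciliation of the approved portable storage inventory described under 3.8.7 and 3.8.8 against observed removable-storage connection records, so that unknown devices and inventory entries with no identifiable owner surface as findings. The function name `Compare-PortableStorageInventory`, the column names and all rows are hypothetical and constructed for illustration; map them to whatever your device control reporting actually exports.

```powershell
# Added example (not from the original article). Column names, the function
# name and every row below are assumptions constructed for illustration.
function Compare-PortableStorageInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,   # approved devices: AssetTag, SerialNumber, Owner
        [Parameter(Mandatory)] [object[]] $Observed     # connection records: Timestamp, DeviceName, User, SerialNumber
    )

    # Index the inventory by normalized serial number.
    $bySerial = @{}
    foreach ($item in $Inventory) {
        $bySerial["$($item.SerialNumber)".Trim().ToUpperInvariant()] = $item
    }

    # 3.8.8: an inventoried device without an assigned owner has no identifiable owner.
    foreach ($item in $Inventory) {
        if ([string]::IsNullOrWhiteSpace($item.Owner)) {
            [pscustomobject]@{ Finding = 'NoIdentifiableOwner'; SerialNumber = $item.SerialNumber
                               DeviceName = $null; User = $null; Timestamp = $null }
        }
    }

    foreach ($rec in $Observed) {
        $serial  = "$($rec.SerialNumber)".Trim().ToUpperInvariant()
        $finding = $null

        if (-not $serial) {
            # The device cannot be matched to any inventory entry at all.
            $finding = 'NoSerialReported'
        }
        elseif (-not $bySerial.ContainsKey($serial)) {
            # 3.8.7 / 3.8.8: a device outside the approved inventory was connected.
            $finding = 'NotInInventory'
        }
        elseif ($bySerial[$serial].Owner -and $bySerial[$serial].Owner -ne $rec.User) {
            # Accountability gap: an approved device used by someone other than its assignee.
            $finding = 'UsedByNonOwner'
        }

        if ($finding) {
            [pscustomobject]@{ Finding = $finding; SerialNumber = $rec.SerialNumber
                               DeviceName = $rec.DeviceName; User = $rec.User; Timestamp = $rec.Timestamp }
        }
    }
}

# Constructed approved-device inventory.
$inventory = @(
    [pscustomobject]@{ AssetTag = 'USB-0001'; SerialNumber = 'AA11BB22'; Owner = 'user1@contoso.example' }
    [pscustomobject]@{ AssetTag = 'USB-0002'; SerialNumber = 'CC33DD44'; Owner = 'user2@contoso.example' }
    [pscustomobject]@{ AssetTag = 'USB-0003'; SerialNumber = 'EE55FF66'; Owner = '' }
)

# Constructed connection records.
$observed = @(
    [pscustomobject]@{ Timestamp = '2026-01-08T14:02:11Z'; DeviceName = 'LT-ENG-001'
                       User = 'user1@contoso.example'; SerialNumber = 'aa11bb22' }
    [pscustomobject]@{ Timestamp = '2026-01-09T09:41:57Z'; DeviceName = 'LT-ENG-002'
                       User = 'user3@contoso.example'; SerialNumber = 'CC33DD44' }
    [pscustomobject]@{ Timestamp = '2026-01-09T16:20:03Z'; DeviceName = 'LT-OPS-003'
                       User = 'user4@contoso.example'; SerialNumber = '0099ZZ77' }
    [pscustomobject]@{ Timestamp = '2026-01-10T11:05:30Z'; DeviceName = 'LT-OPS-004'
                       User = 'user5@contoso.example'; SerialNumber = '' }
)

Compare-PortableStorageInventory -Inventory $inventory -Observed $observed |
    Sort-Object Finding |
    Format-Table -AutoSize
```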

Export managed device inventory (supports 3.8.9 backup protection visibility)

This command produces a high-level inventory of all managed devices that may store or process CUI.

Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName,
                  UserPrincipalName,
                  ComplianceState,
                  OperatingSystem,
                  IsEncrypted,
                  ManagementAgent |
    Export-Csv -Path "Managed_Device_Inventory.csv" -NoTypeInformation

Maintaining this inventory helps demonstrate awareness of systems that may contain cached or locally stored CUI.

The evidence your C3PAO will usually want to see

For the MP family, evidence needs to show that the organization knows where CUI media exists, who can access it, how it is protected in storage and transport, and what happens to it at the end of its lifecycle.

That usually includes sensitivity label configuration, label publication policies, DLP policies, approved CUI storage location documentation, SharePoint and OneDrive access controls, BitLocker enforcement evidence, removable media policies, approved-device inventories, backup protection documentation, sanitization procedures, destruction records, transport logs, physical marking procedures, and supporting policy language in the SSP and related SOPs.

Assessors also tend to compare cloud controls with physical handling procedures in this family. If the Microsoft 365 side is strong but the organization has no story for printed material, backup drives, sanitization, or portable storage accountability, the implementation will feel incomplete.

| Control | Typical evidence | What the assessor is looking for |
| --- | --- | --- |
| 3.8.1 Protect system media containing CUI | SSP language, approved storage location inventory, DLP policy screenshots, physical media procedures, physical storage documentation. | The organization can explain where CUI media is allowed to exist and how both digital and physical media are protected. |
| 3.8.2 Limit access to CUI on system media | Security group membership, SharePoint permissions, sensitivity label encryption settings, DLP restrictions, access review records. | Only authorized users can access CUI media and that access is governed and periodically reviewed. |
| 3.8.3 Sanitize or destroy media before disposal or reuse | Media sanitization SOP, destruction records, certificates of destruction, chain-of-custody logs, verification records. | The organization follows a defined sanitization standard and can prove disposal or reuse was handled correctly. |
| 3.8.4 Mark media with CUI markings and distribution limitations | Sensitivity label configuration, label publication screenshots, auto-labeling settings, sample labeled files, physical marking procedure. | CUI media is marked appropriately in both digital and physical forms, and users have a practical way to apply those markings. |
| 3.8.5 Control access and maintain accountability during transport | SharePoint and storage permissions, audit log samples, transport log templates, receipt confirmations, transport SOP. | Access is controlled and transported media remains accountable outside controlled areas. |
| 3.8.6 Cryptographic protection for portable storage | BitLocker policy screenshots, encryption status reports, compliance policies, Conditional Access requirements, recovery key escrow evidence. | Portable digital media containing CUI is encrypted and unencrypted devices or drives are not treated as acceptable for protected use. |
| 3.8.7 Control use of removable media | Defender or Intune removable media policies, approved-device inventory, deployment status, blocked event logs, SSP language. | Removable media use is actually restricted or allowlisted, not just discouraged in policy. |
| 3.8.8 Prohibit portable storage devices with no identifiable owner | Portable storage inventory, AUP language, training materials, training records, incident procedure for found devices. | Unknown devices are prohibited through both policy and operational handling, with supporting user awareness. |
| 3.8.9 Protect confidentiality of backup CUI | Retention policy screenshots, backup encryption documentation, storage location documentation, backup access controls, SSP architecture description. | Backup CUI is protected with the same seriousness as primary CUI storage, including encryption and restricted access. |

The most common MP findings in real assessments

One of the most common problems in this family is the absence of a real CUI marking strategy. Organizations may create a sensitivity label named “CUI,” but the label is never published, never used consistently, or does not align with the organization’s actual marking requirements. In other cases, digital labels exist but nothing addresses printed or portable media at all.

Removable media is another frequent weak point. Many organizations have a policy that discourages USB usage, but no technical control to back it up. When endpoints still allow unknown removable storage, the control is difficult to defend.

Encryption gaps are also common. BitLocker may be deployed broadly, but not verified well. Assessors often find a handful of unmanaged or failed devices that remain unencrypted even though the organization believes endpoint encryption is universal.

Media sanitization is another recurring issue because the organization may be handling disposal informally. Devices get reimaged, discarded, handed to third parties, or physically disposed of without clear records showing what sanitization method was used and when.

Backup protection becomes a finding when the organization cannot explain where backup CUI is stored, how it is encrypted, or how access to backup content is restricted. This is especially common when a third-party backup product was added without being fully folded into the compliance program.

And finally, many organizations underweight physical media in an otherwise cloud-first program. Printed CUI, labeled drives, shipped documents, and transported backup media still count. Assessors tend to notice quickly when the organization’s media protection story stops at Microsoft 365.

How the MP family supports other control families

Media Protection is tightly connected to the rest of the framework.

Access Control overlaps directly with MP because limiting access to CUI storage locations, encrypted media, and backup content depends on defined authorization models. System and Communications Protection supports MP by providing the encryption foundation that protects CUI at rest and in transit. Audit and Accountability helps demonstrate MP because media access events, policy violations, DLP activity, and device control events can all become evidence. Personnel Security intersects where onboarding, transfers, and terminations affect who should retain access to media. Physical Protection also supports this family because physical storage locations, printed material handling, and off-site media accountability depend on controlled physical environments.

That is why this family matters more than its name sometimes suggests. Media Protection is not just about flash drives. It is the control family that governs how CUI persists in real life across files, devices, storage locations, backups, transport paths, and disposal workflows.

Get started

Media Protection is where classification, encryption, storage governance, device control, and physical handling all have to line up. Labels, DLP, BitLocker, removable media controls, backup protections, and sanitization procedures should all point to the same conclusion: your organization knows where CUI media exists, who can handle it, and how it stays protected throughout its lifecycle.

Secureframe Defense connects directly to your GCC High environment and continuously monitors the controls that support the MP family, including CUI labeling and DLP coverage for 3.8.2 and 3.8.4, endpoint encryption and portable media protections for 3.8.6, removable media policy enforcement for 3.8.7, and evidence related to backup protection under 3.8.9. When a C3PAO asks how you know your media protection controls are active and aligned across cloud storage, endpoints, and portable media, the goal is not to start exporting CSVs from several portals. The goal is to already have that evidence organized and ready.

See how Secureframe automates CMMC evidence collection for the MP family by scheduling a demo today.
