Part of a Collection
This article is part of the collection: The 14 CMMC Domains: A Comprehensive Guide
CMMC Deep Dive: Media Protection (MP)
A guide to the Media Protection (MP) domain, focusing on securing digital and physical media containing CUI.
Published: June 25th, 2024By: CMMC Dashboard TeamLast updated: August 7th, 2025
Media ProtectionMPEncryptionSanitization
This article is part of our series on The 14 CMMC Domains.
The Media Protection (MP) domain provides requirements for protecting information on both digital (e.g., USB drives, backup tapes) and physical (e.g., paper printouts) media throughout its lifecycle.
Why It Matters
A lost or stolen USB drive containing CUI can lead to a significant data breach. This domain ensures that sensitive information is protected regardless of where it is stored.
Key Practices
- MP.L1-3.8.3: Sanitize or destroy media containing FCI before disposal.
- MP.L2-3.8.1: Protect and securely store system media containing CUI.
- MP.L2-3.8.5: Control the use of removable media (e.g., USB drives).
- MP.L2-3.8.8: Encrypt CUI stored on digital media.
What Assessors Look For
- A media protection policy.
- Procedures for media marking, handling, and destruction.
- Evidence of technical controls restricting USB drive usage.
- Proof that encryption is used for CUI at rest on media.
- Logs of media sanitization and destruction.