Jackie Ramsey, March 20, 2026

A USB drive and a printer can undo months of security work in one afternoon. One file copy to the wrong thumb drive, or one “I’ll grab it later” printout, and CUI is exposed.

For CMMC media protection at Level 2, assessors don’t just want good intent. They want a repeatable plan, clear SOPs, and proof you follow them. As of February 2026, CMMC requirements are already showing up in contracts during the current rollout phase, so I treat USB and printing as “high-risk basics” that I lock down early.

Below is the plan and SOP structure I use for small and mid-sized contractors who want to pass a CMMC Level 2 assessment without turning daily work into chaos.

What I document for CMMC Level 2 media protection (scope + control statements)

First, I define what counts as “media” in our environment. I include removable storage (USB, external SSD), paper, and anything that can store or cache jobs (MFPs, copiers, scanners, fax modules, print servers, and workstation spoolers). I also document where CUI is allowed to exist, because that boundary drives everything else.

If you want a plain-English overview of the Media Protection family, I like the framing in CMMC media protection controls explained as a starting point for internal alignment.

Control statements (Level 2 ready)

I write short control statements that map to how we actually operate:

  • MP-Control-01 (Media authorization): Only approved media may store or transport CUI.
  • MP-Control-02 (Access limits): Only authorized users may access CUI on media, using least privilege.
  • MP-Control-03 (Removable media control): Systems block unapproved removable storage by default, and log allowed use.
  • MP-Control-04 (Hard copy control): Printed CUI stays under positive control, is stored in locked containers, and is destroyed by approved methods.
  • MP-Control-05 (Sanitization before reuse or disposal): Media containing CUI is sanitized or destroyed using documented methods, with verification and chain-of-custody records.

Sample policy language (paste-ready)

I keep policy language tight so it’s enforceable:

Policy: “Personnel may not use personal USB devices or unapproved printers for CUI. Only company-issued, encrypted removable media may be used, and only for approved business needs. Printed CUI must be retrieved immediately, marked, stored securely, and destroyed using approved destruction methods. All media must be sanitized or destroyed before reuse, transfer, or disposal.”

USB and removable media SOP (approved encrypted USB only)

This is where most teams fail. People like convenience, and USB is convenient. For the control intent and common assessor expectations, I align to guidance like MP.L2-3.8.7 Removable Media.

Minimum configuration baseline (what I set as “non-negotiable”)

Here’s the baseline I aim for across endpoints and the CUI enclave:

Baseline area, minimum requirement, and the evidence I retain for each:

  • Device control: block USB mass storage by default and allow-list approved devices. Evidence: device control policy screenshot, exported configuration.
  • Encryption: approved encrypted USB only (hardware-encrypted or centrally enforced). Evidence: encrypted device inventory with serial numbers.
  • Autorun: disable autorun/autoplay. Evidence: endpoint policy screenshot.
  • Least privilege: standard users can't install drivers or override device blocks. Evidence: GPO/MDM policy, role list.
  • Malware checks: scan removable media on insertion and on file write. Evidence: EDR policy screenshot, detection logs.
  • Logging: log insert events and file operations where the tooling supports it. Evidence: SIEM/EDR logs, alert rules.

This is standard endpoint hardening work, and it is much easier when your stack already includes EDR with device control and your MDM and directory policies are consistent across the enclave.

Step-by-step procedure (USB request to return)

  1. User request: User opens a ticket stating business need, data type (CUI or not), and destination system.
  2. Approval: Data owner or compliance approves; IT validates it fits the boundary.
  3. Issue device: IT issues a company-owned encrypted USB, labels it, and records serial number.
  4. Configure access: Device is allow-listed for that user (or role) and only for required systems.
  5. Use rules: User copies only the minimum required files, then removes the device immediately.
  6. After-use handling: USB returns to locked storage (or stays assigned, stored in a locked container).
  7. Audit: IT reviews monthly device logs, exceptions, and any blocked-device alerts.
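Step 7 is the one that produces assessor-facing evidence, so here is the monthly review written as a script. This is an added example for this page, not code from the original post: it parses an exported device-control log, compares each allowed insertion with the issued-USB inventory from steps 3 and 4, and flags allowed devices that were never issued, devices used by someone other than their assignee, use on hosts outside the approved list, and repeated blocks for the same user and device. The log format, field names, inventory layout and three-block threshold are assumptions; the sample inventory and log lines are constructed for the example and should be replaced with your product's real export.

```python
"""Monthly review of removable-media events against the issued-USB inventory.

Added example for this page, not code from the original post. The export
format, field names, inventory layout and block threshold are assumptions;
map them to what your device-control or EDR product actually exports.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed inventory built from the issuance tickets (SOP steps 3 and 4):
# serial -> assigned user, hosts the device is allow-listed on, ticket.
INVENTORY = {
    "KST-ENC-00421": {"user": "jdoe", "hosts": {"ENG-WS-07", "ENG-WS-08"}, "ticket": "IT-1042"},
    "KST-ENC-00422": {"user": "asmith", "hosts": {"ENG-WS-11"}, "ticket": "IT-1057"},
}

# Constructed device-control export: one event per line as key=value pairs.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z host=ENG-WS-07 user=jdoe action=ALLOW serial=KST-ENC-00421 class=MassStorage
2026-03-03T13:40:51Z host=ENG-WS-07 user=bwong action=ALLOW serial=KST-ENC-00421 class=MassStorage
2026-03-05T08:02:19Z host=FIN-WS-02 user=asmith action=ALLOW serial=KST-ENC-00422 class=MassStorage
2026-03-05T08:03:44Z host=ENG-WS-11 user=asmith action=ALLOW serial=SANDISK-7F3A class=MassStorage
2026-03-06T17:21:00Z host=ENG-WS-08 user=cmiller action=BLOCK serial=PNY-0099 class=MassStorage
2026-03-07T17:25:12Z host=ENG-WS-08 user=cmiller action=BLOCK serial=PNY-0099 class=MassStorage
2026-03-09T10:00:00Z host=ENG-WS-08 user=cmiller action=BLOCK serial=PNY-0099 class=MassStorage
2026-03-10T11:11:11Z host=ENG-WS-11 user=asmith action=ALLOW serial=KST-ENC-00422 class=MassStorage
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
BLOCK_THRESHOLD = 3  # repeated blocks for one user/device pair trigger a follow-up


@dataclass
class Finding:
    severity: str
    ts: str
    user: str
    host: str
    serial: str
    reason: str


def parse_events(text):
    """Turn exported lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": m.group("ts")}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def review(events, inventory, block_threshold=BLOCK_THRESHOLD):
    """Compare ALLOW events with the inventory and count BLOCK events."""
    findings = []
    blocks = Counter()
    allowed_use = Counter()
    for ev in events:
        serial = ev.get("serial", "?")
        user = ev.get("user", "?")
        host = ev.get("host", "?")
        action = ev.get("action")
        if action == "BLOCK":
            blocks[(user, serial)] += 1
            continue
        if action != "ALLOW":
            continue
        allowed_use[serial] += 1
        rec = inventory.get(serial)
        if rec is None:
            # Device control let through a device IT never issued: the allow-list is too broad.
            findings.append(Finding("HIGH", ev["ts"], user, host, serial,
                                    "allowed device is not in the issued inventory"))
            continue
        if user != rec["user"]:
            findings.append(Finding("MEDIUM", ev["ts"], user, host, serial,
                                    f"device assigned to {rec['user']} used by another account"))
        if host not in rec["hosts"]:
            findings.append(Finding("MEDIUM", ev["ts"], user, host, serial,
                                    "device used on a host outside its approved list"))
    for (user, serial), count in blocks.items():
        if count >= block_threshold:
            findings.append(Finding("LOW", "-", user, "-", serial,
                                    f"{count} blocked insertions; confirm training and business need"))
    return {"findings": findings, "allowed_use": dict(allowed_use), "blocked": dict(blocks)}


def monthly_report(text=SAMPLE_LOG, inventory=INVENTORY):
    """Run the review over an export; the returned dict is what goes in the evidence folder."""
    return review(parse_events(text), inventory)


if __name__ == "__main__":
    for f in monthly_report()["findings"]:
        print(f"{f.severity:<6} {f.ts} {f.user}@{f.host} {f.serial}: {f.reason}")
```

The HIGH finding is the one to chase first: an allowed insertion for a serial that is not in the inventory means the device-control allow-list and the issuance records have drifted apart, which is exactly the gap an assessor will probe. Keep the report output with the month's tickets so the evidence folder shows both the review and what you did about each finding.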

Evidence assessors ask for (and what I keep ready)

I keep a simple evidence folder with: USB inventory, tickets for issuance and approvals, screenshots of device control and autorun settings, EDR logs showing device insert blocks, and annual training attestations that call out “no personal USB.”

Printing and hard copy SOP (shared printers, home printing, and MFP storage)

Printing is physical media protection. It fails when ownership gets fuzzy, especially with shared printers in hallways.

Minimum printing baseline (what I standardize)

  • Approved printers only for CUI (named list, not “any printer on the network”).
  • Secure print release where possible (badge, PIN, or workstation release).
  • No home printing for CUI unless there’s a documented exception with controls.
  • MFP internal storage managed (disable job retention where possible, wipe storage on service events, and restrict admin access).
  • Printer placement supports positive control (not public areas, not open lobbies).
  • Service access supervised (vendor techs don’t roam unattended).

Gotcha I see in assessments: a “secure” network printer that quietly stores copies of print jobs, then gets swapped or serviced with no sanitization record.

Step-by-step procedure (print to storage)

  1. Select printer: User prints only to an approved device on the CUI network segment.
  2. Release securely: User uses secure release (or prints only when standing at the device).
  3. Immediate retrieval: User retrieves pages right away, checks for misprints, and collects all pages.
  4. Mark and control: User marks the document per internal marking rules and keeps it in their control.
  5. Secure storage: When not in use, paper CUI goes in a locked drawer, locked office, or approved container.
  6. Internal sharing: If it must move, it goes in a sealed envelope with recipient and date logged.
  7. End of life: User places it in locked shred bins (or approved cross-cut shredding process).

Evidence I keep for printing controls

I retain: approved printer list, photos showing printer placement, secure release configuration screenshots, admin access list for printers and MFPs, service tickets showing supervision, and training records that cover shared printer rules.

Media sanitization and disposal SOP (reuse, return, and destruction)

Sanitization is where “we meant to” turns into a finding. I follow NIST SP 800-88 concepts (clear, purge, destroy) and document which method applies to each media type. For assessor-aligned discussion on the requirement, I reference MP.L2-3.8.3 Media Disposal.

Step-by-step procedure (sanitization through chain of custody)

  1. Identify: IT records asset tag, serial number, media type, and whether it handled CUI.
  2. Approve method: Choose sanitize (cryptographic erase/purge) or destroy (shred, pulverize) based on media and risk.
  3. Execute: Authorized staff perform the method, or a vetted destruction vendor does it onsite.
  4. Verify: A second person verifies completion (tool output, spot check, or destruction witness).
  5. Document: Update the sanitization log, attach certificates, and record date, method, and approvers.
  6. Dispose: Store media in a locked “to be destroyed” container until final pickup or destruction.
  7. Close out: Close the ticket and link it to the asset record.
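Before an assessor reads the sanitization log, I want to have run the same checks myself. The script below is an added example for this page, not code from the original post: it loads a CSV export of the log and applies the checks from steps 2, 4 and 5 to every record, namely that the method is accepted for the media type, that Clear was not used when CUI media left company control, that the verifier is a different person from the executor, and that a certificate is on file when a vendor performed the destruction. The CSV columns, disposition labels and the method-to-media mapping are assumptions for the example; the mapping follows the clear/purge/destroy categories of NIST SP 800-88 in spirit and must be checked against that publication's Appendix A and the device manufacturer's guidance before you rely on it. The log rows are constructed.

```python
"""Pre-assessment check of a media sanitization log.

Added example for this page, not code from the original post. The CSV
columns, disposition labels and method-to-media mapping are assumptions;
the mapping follows the clear/purge/destroy categories of NIST SP 800-88
in spirit and must be checked against that publication's Appendix A and
the device manufacturer's guidance before you rely on it.
"""
import csv
import io

# Sanitization methods grouped into the SP 800-88 categories (assumed labels).
METHOD_CATEGORY = {
    "overwrite": "clear",
    "crypto_erase": "purge",
    "block_erase": "purge",
    "ata_secure_erase": "purge",
    "degauss": "purge",
    "shred": "destroy",
    "disintegrate": "destroy",
    "pulverize": "destroy",
    "incinerate": "destroy",
}

# Methods this SOP accepts per media type (assumed mapping, see docstring).
ACCEPTED_METHODS = {
    "paper": {"shred", "pulverize", "incinerate"},  # hard copy can only be destroyed
    "usb_flash": {"overwrite", "crypto_erase", "shred", "disintegrate", "incinerate"},
    "ssd": {"overwrite", "crypto_erase", "block_erase", "shred", "disintegrate"},
    "hdd": {"overwrite", "crypto_erase", "ata_secure_erase", "degauss", "shred"},
    "mfp_storage": {"crypto_erase", "block_erase", "shred"},
}

# Dispositions where the media leaves company control; Clear is not enough for CUI there.
LEAVES_CONTROL = {"disposal", "transfer", "vendor_return"}

REQUIRED = ["asset_tag", "serial", "media_type", "handled_cui", "disposition",
            "method", "performer", "executed_by", "verified_by", "date", "ticket"]

# Constructed log export. "certificate" is the vendor's certificate of destruction, if any.
SAMPLE_LOG_CSV = """\
asset_tag,serial,media_type,handled_cui,disposition,method,performer,executed_by,verified_by,date,ticket,certificate
A-1001,KST-ENC-00418,usb_flash,yes,disposal,crypto_erase,staff,it.ops,compliance,2026-02-11,IT-1203,
A-1002,WD-5533,hdd,yes,disposal,overwrite,staff,it.ops,compliance,2026-02-12,IT-1207,
A-1003,MFP-HQ-2,mfp_storage,yes,vendor_return,crypto_erase,staff,it.ops,it.ops,2026-02-14,IT-1210,
A-1004,BOX-07,paper,yes,disposal,shred,vendor,ShredCo,compliance,2026-02-20,IT-1215,SC-88127
A-1005,BOX-08,paper,yes,disposal,shred,vendor,ShredCo,compliance,2026-02-20,IT-1216,
A-1006,SMSNG-9A01,ssd,no,reuse,overwrite,staff,it.ops,helpdesk,2026-02-22,IT-1220,
A-1007,PNY-0042,usb_flash,yes,reuse,degauss,staff,it.ops,compliance,,IT-1222,
"""


def load_log(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_record(rec):
    """Return the problems with one record; an empty list means it passes."""
    problems = []
    missing = [f for f in REQUIRED if not rec.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    media, method = rec.get("media_type", ""), rec.get("method", "")
    category = METHOD_CATEGORY.get(method)
    if method not in ACCEPTED_METHODS.get(media, set()):
        problems.append(f"method {method!r} is not an accepted method for media type {media!r}")
    elif (rec.get("handled_cui") == "yes" and rec.get("disposition") in LEAVES_CONTROL
          and category == "clear"):
        problems.append("Clear is not sufficient for CUI media leaving company control; purge or destroy")
    if rec.get("verified_by") and rec.get("verified_by") == rec.get("executed_by"):
        problems.append("verifier is the same account as the executor; a second person must verify")
    if rec.get("performer") == "vendor" and not rec.get("certificate"):
        problems.append("vendor performed the work but no certificate of destruction is attached")
    return problems


def audit_log(text=SAMPLE_LOG_CSV):
    """Map asset tag -> problems for every record that fails at least one check."""
    failures = {}
    for rec in load_log(text):
        problems = check_record(rec)
        if problems:
            failures[rec.get("asset_tag", "?")] = problems
    return failures


if __name__ == "__main__":
    for tag, problems in audit_log().items():
        for p in problems:
            print(f"{tag}: {p}")
```

On the constructed rows, four of the seven records fail: an overwritten hard drive going to disposal with CUI on it, an MFP returned to the vendor with the same account executing and verifying, a shred pickup with no certificate, and a USB stick with a degauss method that makes no sense for flash plus a missing date. Those are the same gaps I see in real logs, and catching them in a script beats hearing about them from the assessor.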

Evidence package (what makes an assessor comfortable)

I keep a sanitization log, destruction certificates, chain-of-custody forms, photos of locked bins, vendor contracts, and tickets tied to each serialized asset. I also keep MFP disposition records because MFP internal storage gets overlooked.

Short implementation roadmap for small contractors

I break rollout into quick wins and longer-term controls:

  • 0 to 30 days: block unknown USB, disable autorun, ban home printing for CUI, lock shred bins. Why it matters: stops the easy leaks fast.
  • 30 to 90 days: USB inventory and issuance process, secure print release, printer approval list, monthly log reviews. Why it matters: makes the controls repeatable.
  • 90 to 180 days: MFP storage management, formal chain of custody, SIEM correlation, regular internal audits. Why it matters: holds up under a Level 2 assessment.

This roadmap also fits the broader IT strategy and infrastructure work my clients expect, and even teams outside the defense industrial base benefit from it, because physical media mistakes happen in every kind of business. Done right, these controls become part of how people work, not an extra layer they try to route around.

Conclusion

USB and printing controls don’t need to slow your team down, but they do need to be strict. When I build CMMC media protection around approved encrypted USB, secure printing, and provable sanitization, assessments go smoother and daily risk drops fast. If you can’t show logs, tickets, training, and chain-of-custody, the control usually won’t pass. Build the evidence as you build the process, then keep it boring and consistent.

