The CMMC Media Protection (MP) family wants three things from your storage: CUI backups that are encrypted, versioned, and recoverable, plus a documented way to sanitize media before you reuse or dispose of it. A small shop covers it with an encrypted NAS (Synology DS923+ with mirrored NAS drives), an encrypted SSD for an off-site copy, and a drive-eraser dock for NIST 800-88 wipes. The gear supports the MP controls — configuring, testing, and documenting it is what makes them count.
Backups feel like the boring part of compliance right up until the morning a drive dies or ransomware locks the server. Then they're the only thing standing between you and a lost contract. The Media Protection family is quiet in the framework and loud in real life, and it's one of the more affordable control families to actually get right.
This is the storage and sanitization stack I'd put in a small contractor's back room. Not a NAS buyer's guide — a Media Protection build. Every piece maps to a specific MP requirement: protect the data at rest, keep a recoverable copy off-site, encrypt what leaves the building, and prove you wiped the old drives instead of tossing them in a drawer.
The Media Protection family in NIST 800-171 is about protecting controlled data wherever it physically lives — hard drives, SSDs, USB sticks, backup tapes, and the paper in your printer tray. Cut through the control language and it comes down to four plain jobs:
Notice what an assessor is really checking: not "do you have a backup" but "is it encrypted, can you restore it, who can touch it, and what happens to the drive when it dies." The stack below answers each of those with a specific piece of gear — and, just as important, with a record you can hand over.
The center of the build is a network-attached storage box you own and control. Cloud backup has its place, but a private NAS gives you an encrypted, auditable backup target that no vendor can lock you out of and no subscription lapse can erase. For a small shop, the Synology DS923+ is the one I reach for.
Three features do the compliance work. Encrypted volumes keep CUI protected at rest, satisfying the encryption side of Media Protection. Versioned snapshots are the ransomware answer — if a workstation gets encrypted by malware, you roll the backup back to a clean point instead of paying anyone. And access controls plus logging let you restrict who can reach the backup and show an assessor a record of it. Buy it diskless so you choose the drives; that's the next piece.
A four-bay NAS with encrypted volumes, versioned snapshots, and off-site sync — a private, auditable backup target that satisfies the recoverable, access-controlled backup side of Media Protection. Diskless so you pick NAS-rated drives and mirror them. You own the hardware; there's no subscription that can lock you out of your own backups.
View on Amazon →An empty NAS needs drives built for it, and the phrase that matters is NAS-rated. Desktop drives aren't designed for the constant 24/7 duty a backup target runs, and they use recording tech (SMR) that's slow and risky for RAID rebuilds. The WD Red Pro 8TB is a CMR, 7200-RPM, NAS-rated drive with a five-year warranty — the boring, reliable choice.
Buy them in pairs and mirror them (RAID 1, or SHR with redundancy). That's not upselling — it's the difference between "recoverable" being true and being a wish. A mirror means one drive can die and your backup survives on the other while you swap in a replacement. A single drive means the day it fails, your backup fails with it, and you've technically got a backup control that doesn't back anything up.
NAS-rated CMR drives built for 24/7 duty, 7200 RPM, five-year warranty. Buy in pairs and mirror them so a single drive failure never takes the backup with it — redundancy is what "recoverable" actually means on paper. Size to at least double your CUI footprint so snapshots have room to live.
View on Amazon →Media Protection is one family of fourteen. Estimate your NIST 800-171 self-assessment score across all 110 controls in about two minutes — free, no consultant required.
Check my SPRS score →A NAS in your server closet is one copy in one building. Fire, flood, theft, or a ransomware strain that reaches the NAS itself takes out your backup and your live data together. The old rule survives because it works: 3-2-1 — three copies, two media types, one off-site. The NAS is your second copy; you still need the off-site one.
The simplest off-site copy for a small shop is a hardware-encrypted external SSD you rotate out of the building — home safe, safe deposit box, wherever's secure and separate. The Samsung T7 Shield 2TB is rugged, pocketable, and encrypted, which is the point: the moment CUI leaves the building, the "encrypt media in transit" requirement kicks in, and an encrypted drive answers it. Rotate it, keep it locked, and log where it is.
Hardware-encrypted, rugged (IP65), and pocket-sized — your encrypted off-site copy that satisfies the protect-media-in-transit line of Media Protection. Rotate one out of the building on a schedule, store it locked and separate from the NAS, and you've made 3-2-1 real instead of theoretical. Confirm the encryption meets your CUI bar before you trust it.
View on Amazon →Here's the control shops forget until an old laptop or a failed NAS drive is sitting in a box, and nobody remembers whether it had CUI on it. Media Protection requires you to sanitize media before reuse or disposal, and the standard method is NIST Special Publication 800-88. Dragging files to the trash doesn't count — the data is still on the platters.
A standalone drive eraser dock does this without tying up a computer: drop the drive in, run the erase, and the CUI is gone by a repeatable method. The part assessors care about as much as the wipe is the record — drive serial, date, method, who did it. For drives that can't be reliably wiped or are being retired for good, physical destruction is the documented fallback. Either way, "we sanitize per NIST 800-88 and here's the log" is what turns a drawer full of old drives from a liability into a checked box.
Standalone erase for SATA drives before any device is reused, returned, or retired — a repeatable NIST 800-88 sanitization method that doesn't tie up a workstation. Old drives are CUI leaks waiting in a drawer; wipe them on a documented process and keep the log. The record is the control as much as the erase is.
View on Amazon →The stack above protects data at rest, inside your walls. But CUI rarely stays put — you email a spec to a prime, share a drawing with a sub, upload a report to the government. The second controlled data leaves the NAS, your local encryption stops protecting it, and a different requirement takes over: protecting CUI in transit and in someone else's inbox.
The tool I pair with the backup stack for that is PreVeil. The reasoning is specific. PreVeil provides end-to-end encrypted email and file sharing purpose-built for CUI — the data is encrypted before it leaves your device and only the intended recipient can open it, so it stays protected across the wire and at rest wherever it lands. It's become a common answer for small contractors who need to handle CUI without standing up a full GCC High tenant. The NAS handles recoverable local backup under Media Protection; PreVeil handles the secure-sharing and transmission side the NAS was never meant to cover. Run them together and you've closed both ends — where the data sleeps and where it travels.
End-to-end encrypted email and file sharing built for CUI. Controlled data is encrypted before it leaves your device, so it stays protected in transit and in the recipient's inbox — the piece a local NAS can't cover. A practical way for a small shop to share CUI with primes, subs, and the government without an enterprise cloud buildout. Complements the backup stack; it doesn't replace it.
Get PreVeil →Be clear-eyed, because "compliance in a box" is a lie that fails assessments. This stack supports the Media Protection family. It does not make you CMMC compliant. Compliance is 110 controls across fourteen families, and MP is one of them. A NAS on a shelf isn't a control — an encrypted, access-restricted, tested, documented backup is. Same gear, two very different outcomes, and the difference is configuration and paperwork.
Two specifics worth pinning down. First, encryption validation: if the media holds CUI, confirm the encryption you rely on is FIPS-validated rather than trusting a spec-sheet "AES 256-bit" line. Where you're unsure, layer a validated encryption tool over the storage. Second, the record is the control: test restores, sanitization logs, and access records are what an assessor grades — the hardware is just what those records describe. Buy the box and skip the documentation, and you've spent money without earning evidence.
The honest promise is audit-ready preparation, not a passing grade. If your contract requires Level 2 certification, a C3PAO still runs the assessment — no product, mine included, replaces that. What this stack and good documentation buy you is walking in with Media Protection already handled instead of scrambling to explain a backup you never tested.
The CMMC Level 2 DIY Compliance Kit is the documentation a consultant would bill five figures to produce: a pre-written System Security Plan, all 20 required policies (including media protection), a POA&M template, an evidence checklist, and a per-control SPRS scorer. It's where your backup, encryption, and sanitization gear becomes written, tested, assessor-ready evidence.
Building the rest of the stack? Pair this with hardware MFA for the access controls, and read the full CMMC cost breakdown plus The CUI Enclave Method to keep the whole scope — and the bill — small.
The Media Protection (MP) family in NIST 800-171 requires you to protect controlled data on both digital and physical media, limit who can access that media, encrypt CUI on media during storage and transport, and sanitize or destroy media before reuse or disposal. For backups specifically, that means encrypted, access-controlled, recoverable copies of your data and a documented, verifiable method for wiping drives at end of life. It's about protecting the data wherever it physically lives, not just on the live server.
A Synology NAS is a strong tool for the Media Protection controls — it gives you encrypted volumes, versioned snapshots that survive ransomware, access control, and off-site sync you own instead of rent. But no appliance is compliant by itself. The NAS supports the MP backup and recoverability requirements; you still have to configure encryption, restrict access, test restores, and document all of it in your System Security Plan. Treat it as gear that satisfies specific controls, not a compliance button.
The Media Protection family requires you to sanitize media before reuse or disposal, and NIST Special Publication 800-88 is the standard method. In practice that means a documented erase — a standalone eraser dock or software that overwrites or issues a secure-erase command, with a log recording the drive serial, date, and method. For drives that can't be reliably wiped or are being retired, physical destruction is the fallback. The record of the wipe matters as much as the wipe itself, because that's what you show an assessor.
You need recoverable backups, and a single on-site copy fails the moment there's a fire, flood, theft, or ransomware that reaches the NAS. The 3-2-1 rule — three copies, two media types, one off-site — is the practical way to make "recoverable" true. An encrypted external SSD rotated off-site, or encrypted cloud sync, gives you the off-site copy. Whatever you use, the CUI on it must be encrypted in transit and at rest, and you should test that you can actually restore from it.
If the media holds CUI, the encryption protecting it is the control assessors scrutinize, and FIPS-validated cryptography is the safe bar to clear. Consumer "AES 256-bit" marketing is not the same as a FIPS 140-2/140-3 validated module. Confirm the encryption you rely on for CUI is FIPS-validated, or layer a validated encryption tool on top of the storage. This is the one place not to assume the built-in feature is enough — check the validation before you trust it with controlled data.
A NAS protects data at rest inside your walls; it doesn't protect CUI the moment you email or share it with a prime, sub, or the government. PreVeil adds end-to-end encrypted email and file sharing built for CUI, so controlled data stays protected in transit and in other people's inboxes. The NAS handles recoverable local backup under Media Protection; PreVeil handles secure sharing and transmission. Run them together and you cover both where the data sleeps and where it travels.