Subscribe to the Non-Human & AI Identity Journal

Who is accountable for CUI media once it moves outside Microsoft 365?

The organisation remains accountable for any CUI media that leaves the original workload, even when Microsoft provides the platform protections. That includes transport, printing, backup copies, and disposal. Accountability has to be assigned in procedures and supported by records, because the platform cannot own physical handling decisions on behalf of the customer.

Why This Matters for Security Teams

Once CUI media leaves Microsoft 365, responsibility shifts from platform control to organisational control. That matters because handling risk becomes a process issue, not just a cloud configuration issue. Teams often assume retention labels, encryption, or sharing restrictions cover the full lifecycle, but those protections do not decide who signs for a printed copy, who carries a backup export, or who approves destruction. For CUI, accountability has to follow the media, not the workload.

This is where policy, records, and operational ownership matter as much as technical safeguards. Guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls aligns with the idea that protection must extend beyond the application boundary through media protection, auditability, and controlled disposal. Microsoft can provide security features inside the service, but it cannot be accountable for a paper copy in transit or a USB export sitting in a file drawer. In practice, many security teams encounter this only after a printout, export, or backup copy has already left the system, rather than through intentional media governance.

How It Works in Practice

Accountability for CUI media outside Microsoft 365 should be assigned through documented procedures, role ownership, and evidence of handling. The practical question is not whether Microsoft protected the data inside the service, but who is responsible once the content becomes a separate object. That includes printed documents, downloaded files, removable media, archived exports, and offline backups. Each of those media forms needs a named owner, handling rule, and disposal path.

A workable approach usually includes:

  • Defining who may export, print, copy, transport, store, and destroy CUI media.
  • Recording when media leaves Microsoft 365, where it goes, and who accepts custody.
  • Applying encryption or physical safeguards based on the media type and destination.
  • Using chain-of-custody logs for high-risk transfers or regulated storage.
  • Retaining destruction evidence for paper, disks, and backup media where required.

For cloud and hybrid programs, this should be tied to asset and data handling controls, not left to user discretion. A good reference point is the media protection and disposal control family in NIST SP 800-53 Rev 5 Security and Privacy Controls. The same logic applies whether the media is sent to a printer, a mailroom, a records archive, or a third-party storage vendor. Microsoft can help enforce in-service safeguards, but the organisation must govern the out-of-band lifecycle. These controls tend to break down when exports are allowed from shared mailboxes, unmanaged endpoints, or ad hoc backup workflows because custody is lost the moment the file leaves the system.

Common Variations and Edge Cases

Tighter media control often increases operational overhead, requiring organisations to balance ease of use against traceability and disposal discipline. That tradeoff becomes obvious when users need quick access for collaboration, legal review, or incident response. Best practice is evolving, but there is no universal standard for treating every CUI media type the same way. A printed page, an encrypted USB drive, and a cloud-to-cloud backup copy all create different exposure patterns and different control expectations.

Edge cases usually arise when multiple parties touch the media. For example, if a business unit prints CUI for onsite review, the business unit still owns the handling process even if facilities manage the physical printer. If a contractor transports backup media, the organisation still needs a clear custody record and contractual accountability. If media is destroyed by a third party, the organisation remains responsible for ensuring destruction requirements were defined and verified. For records retention and privacy considerations, the handling model should also align with NIST privacy and security guidance where personal or sensitive data processing overlaps with CUI handling.

The main exception is when a contract or regulatory regime assigns a specific external custodian, but even then the organisation cannot outsource accountability entirely. It can delegate tasks, not responsibility. For that reason, procedures should name the accountable owner for each media stage, define what evidence must exist, and specify how exceptions are approved. Current guidance suggests that the strongest programs treat out-of-service media as a separate control domain rather than an extension of Microsoft 365 governance. In practice, gaps appear when teams rely on cloud policy alone and never test what happens after export, print, or offline backup.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.DS CUI media handling outside the platform is a data security lifecycle issue.
NIST SP 800-53 Rev 5 MP-2 Media access and handling procedures are central to accountability once CUI leaves M365.

Map media export, transport, storage, and disposal to PR.DS controls and verify owners for each stage.