Encrypting Controlled Unclassified Information (CUI) at rest on portable media and laptops is a practical, high-impact control required by NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 (MP.L2-3.8.6); this post lays out step-by-step implementation guidance, real-world small-business scenarios, and concrete configuration advice so you can achieve compliance in a repeatable way.
Why this control matters and risks of non-compliance
MP.L2-3.8.6 requires that CUI remain protected when stored on removable media and mobile devices; the most common cause of data exposure is loss or theft of an unencrypted device. For a small engineering firm, a lost laptop or USB with program specifications can lead to contract termination, regulatory penalties, and reputational damage. Operationally, the absence of encryption increases the risk of lateral compromise (if an attacker mounts the disk) and makes incident response and breach notification more likely and more costly.
High-level implementation approach
At a high level implement three parallel components: 1) policies and inventory (identify where CUI resides and who may carry it), 2) technical enforcement (full-disk and removable-media encryption), and 3) operational controls (key/recovery management, MDM, training, and sanitization). Map each step into your System Security Plan (SSP), and document any planned deviations in a Plan of Action and Milestones (POA&M) if full coverage cannot be achieved immediately.
Step-by-step technical implementation (laptops)
1) Inventory and classify endpoints: use an asset tracker or MDM to label devices that may process CUI. 2) Choose platform-native FDE where possible: BitLocker (Windows 10/11 Pro/Enterprise) with TPM+PIN or FileVault 2 (macOS) are accepted, widely supported options. 3) Configure and enforce via MDM: for Windows use Intune/Group Policy settings (RequireDeviceEncryption, Configure TPM startup PIN); for macOS use Jamf to enable FileVault and escrow keys to Jamf/SSO. Example PowerShell to enable BitLocker on a fixed drive (run as admin): Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnlyEncryption -SkipHardwareTest. Ensure the encryption method is XTS-AES-256 and that pre-boot authentication is required where policy dictates.
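The inline command above adds a TPM-only protector; the following script, an added example that is not part of the original post, carries the laptop steps through end to end with the TPM+PIN protector the text recommends (-TpmAndPinProtector with -Pin), then adds a recovery password and escrows it to Azure AD with BackupToAAD-BitLockerKeyProtector. It assumes an elevated session on an Azure AD-joined Windows 10/11 Pro/Enterprise laptop whose policy permits a TPM startup PIN; the mount point "C:" is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): enable BitLocker on the Windows OS
# volume with TPM+PIN pre-boot authentication and XTS-AES-256, add a recovery
# password protector, and escrow it to Azure AD. Assumes an Azure AD-joined
# Windows 10/11 Pro/Enterprise laptop whose policy permits a TPM startup PIN.

$MountPoint = "C:"   # assumed OS volume

# A TPM-based protector needs a present, initialised TPM; fail early otherwise.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready on this device; cannot add a TPM+PIN protector."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq "FullyDecrypted") {
    # Collect the pre-boot PIN as a SecureString; never embed it in a script.
    $pin = Read-Host -Prompt "Enter the pre-boot PIN for $MountPoint" -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint `
        -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin `
        -UsedSpaceOnlyEncryption -SkipHardwareTest
}

# Ensure a numerical recovery password protector exists; this is the object
# that gets escrowed and that an authorised admin retrieves during recovery.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")
}

# Escrow each recovery password to Azure AD so the key never has to live on
# the laptop itself or on paper.
foreach ($p in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# Summarise the result; keep this output as SSP evidence for MP.L2-3.8.6.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ Name = "Protectors"; Expression = { $_.KeyProtector.KeyProtectorType -join "," } }
```

If the "Require additional authentication at startup" policy does not allow a startup PIN, Enable-BitLocker rejects the TPM+PIN protector, so push that Group Policy/Intune setting before running the script. The final Select-Object line should show VolumeStatus moving to FullyEncrypted, EncryptionMethod XtsAes256, ProtectionStatus On, and both TpmPin and RecoveryPassword in the protector list.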
Step-by-step technical implementation (USBs and removable media)
Options: hardware-encrypted USBs (e.g., FIPS-certified drives), BitLocker To Go (Windows), FileVault-encrypted containers (macOS), or cross-platform solutions (VeraCrypt, enterprise file sync solutions). For small businesses: 1) Prefer hardware-encrypted USBs for shared removable use; they provide PIN access and built-in key storage. 2) If using BitLocker To Go, configure group policy to require encryption and prevent automatic unlocking. Use Intune policy "Require encryption for removable drives" and configure recovery key escrow to Azure AD. 3) For cross-platform teams, implement encrypted VeraCrypt containers with strong passphrases and an operational policy that prevents storing unencrypted copies elsewhere. Example Linux LUKS command for creating an encrypted partition: sudo cryptsetup luksFormat /dev/sdb1 --type luks2 --pbkdf argon2i --cipher aes-xts-plain64 --key-size 512.
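The BitLocker To Go option in step 2, as an added example that is not part of the original post: it encrypts a USB drive with a passphrase protector and XTS-AES-256, adds a recovery password and escrows it to Azure AD, and disables auto-unlock so the drive does not open silently on the workstation that encrypted it. The drive letter "E:" is an assumption, and the script refuses to proceed unless Windows reports the volume as removable media.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): apply BitLocker To Go to a USB
# drive with a passphrase protector, XTS-AES-256, a recovery password escrowed
# to Azure AD, and auto-unlock disabled. The drive letter is an assumption.
param([string]$Drive = "E:")

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeType -ne "Data") {
    throw "$Drive is not a data volume; BitLocker To Go applies to data volumes only."
}

# Get-BitLockerVolume does not distinguish fixed from removable data volumes,
# so confirm the target really is removable media before touching it.
$letter = $Drive.TrimEnd(':', '\')
$driveType = (Get-Volume -DriveLetter $letter).DriveType
if ($driveType -ne "Removable") {
    throw "$Drive reports DriveType '$driveType'; refusing to run on non-removable media."
}

if ($vol.VolumeStatus -eq "FullyDecrypted") {
    # Passphrase collected interactively as a SecureString, never hard-coded.
    $pw = Read-Host -Prompt "Passphrase for $Drive" -AsSecureString
    Enable-BitLocker -MountPoint $Drive `
        -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $pw `
        -UsedSpaceOnlyEncryption
}

# Recovery password: the only way back in if the passphrase is forgotten.
$vol = Get-BitLockerVolume -MountPoint $Drive
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Drive
}
foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId
}

# Auto-unlock would let the drive open without a passphrase on this machine;
# keep the prompt so the control still holds if the stick is lost elsewhere.
if ($vol.AutoUnlockEnabled) {
    Disable-BitLockerAutoUnlock -MountPoint $Drive
}

Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, AutoUnlockEnabled
```

One compatibility caveat for subcontractor handoffs: XTS-AES volumes cannot be read on Windows 7/8.1, so if a recipient runs older Windows, set the "Choose drive encryption method" policy for removable drives to an AES-CBC mode (still AES-256) rather than relaxing any other part of this configuration.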
Operational controls: key management, recovery, inventory, and sanitization
Key and recovery management makes or breaks usability and compliance. Escrow recovery keys centrally (Azure AD for BitLocker, Jamf key escrow for FileVault, or a secured KMIP/HSM-backed vault for enterprise encryption). Define retention and access rules for recovery keys (who can retrieve, audit trail). Maintain an up-to-date inventory of USBs and removable media; tag physical devices and track assigned users. Establish secure sanitization processes per NIST SP 800-88 (cryptographic erasure or physical destruction for end-of-life drives) and require documented receipt when devices are returned or retired.
Small-business scenarios and real-world examples
Scenario A: A 12-person design shop uses laptops and occasional USBs to transfer CUI to subcontractors. Implement Intune to enforce BitLocker, require employees to store recovery keys in Azure AD, supply hardware-encrypted USBs for subcontractor handoffs, and include a brief training module on "never send CUI on unencrypted email." Scenario B: A consulting firm with mixed macOS/Windows clients uses VeraCrypt containers on shared USBs; accompany this with a policy that forbids storing the container on cloud storage without encryption and requires passphrase complexity and a change cadence. Both scenarios should include periodic checks: MDM compliance reports and quarterly audits of inventory.
Compliance tips and best practices
Use FIPS-validated or vendor-certified crypto if your contract requires it; prefer full-disk encryption (FDE) with pre-boot authentication over file-only encryption for laptops. Enforce least privilege for device access, disable auto-run and automatic file sync of CUI to personal cloud accounts, and limit USB write access through MDM/NAC. Test your recovery workflow quarterly (can an authorized admin retrieve a recovery key and decrypt a device?) and incorporate encryption status checks into onboarding/offboarding checklists. Finally, document all choices in the SSP and reference MP.L2-3.8.6 in procedures and training materials.
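The quarterly recovery test and the onboarding/offboarding encryption status check above both need a repeatable read-only query; the following function, an added example that is not part of the original post, evaluates every BitLocker volume on a Windows endpoint against the baseline this post describes (fully encrypted with XTS-AES-256, protection on, a recovery password protector present, a TPM-based pre-boot protector on the OS volume, no auto-unlock on removable media) and writes one row per volume to a CSV for SSP evidence. The function name, the CSV path and the exit-code convention are assumptions; it changes nothing on the device.

```powershell
# Added example (not from the original post): read-only BitLocker compliance
# check for quarterly audits and onboarding/offboarding checklists. The report
# path and the exit-code convention are assumed for this illustration.
function Test-CuiVolumeCompliance {
    param(
        [string]$RequiredMethod = "XtsAes256",
        [string]$ReportPath = "$env:ProgramData\CUI\bitlocker-status.csv"   # assumed path
    )

    $rows = foreach ($v in Get-BitLockerVolume) {
        # Normalise protector types to strings so array operators behave predictably.
        $types  = @($v.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        $letter = $v.MountPoint.TrimEnd(':', '\')
        # Only drive-letter mounts can be matched to a DriveType; folder mounts are skipped.
        $drive  = if ($letter.Length -eq 1) { Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue } else { $null }
        $isUsb  = [bool]($drive -and $drive.DriveType -eq "Removable")
        $findings = New-Object System.Collections.Generic.List[string]

        if ($v.VolumeStatus -ne "FullyEncrypted")         { $findings.Add("status=$($v.VolumeStatus)") }
        if ($v.ProtectionStatus -ne "On")                 { $findings.Add("protection off") }
        if ("$($v.EncryptionMethod)" -ne $RequiredMethod) { $findings.Add("method=$($v.EncryptionMethod)") }
        if ($types -notcontains "RecoveryPassword")       { $findings.Add("no recovery password escrow object") }
        if ($v.VolumeType -eq "OperatingSystem" -and -not ($types -match '^Tpm')) {
            $findings.Add("no TPM-based pre-boot protector")
        }
        if ($isUsb -and $v.AutoUnlockEnabled)             { $findings.Add("auto-unlock enabled on removable drive") }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MountPoint = $v.MountPoint
            VolumeType = "$($v.VolumeType)"
            Removable  = $isUsb
            Method     = "$($v.EncryptionMethod)"
            Protectors = ($types -join ",")
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join "; ")
            Checked    = (Get-Date).ToString("s")
        }
    }

    # Persist the evidence row(s) and hand the objects back to the caller.
    New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
    $rows | Export-Csv -Path $ReportPath -NoTypeInformation
    return $rows
}

# Show non-compliant volumes first; a non-zero exit feeds an MDM/RMM compliance check.
$report = Test-CuiVolumeCompliance
$report | Sort-Object Compliant | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it elevated on a Windows Pro/Enterprise device (the BitLocker module is not present on Home editions). A freshly provisioned laptop will legitimately show "status=EncryptionInProgress" until the initial pass completes, so treat that finding as a re-check item rather than a failure; any volume with "protection off" or no recovery password protector is a real gap against MP.L2-3.8.6 and belongs in the POA&M until fixed.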
In summary, meeting MP.L2-3.8.6 is straightforward with a disciplined program: classify assets, use platform-native FDE (BitLocker/FileVault/LUKS) or approved hardware-encrypted USBs, centralize recovery key escrow, enforce encryption through MDM, and operationalize inventory and sanitization procedures; doing so significantly reduces the risk of CUI loss and positions your small business for successful NIST/CMMC assessment.