This post gives practical, implementable steps to help small and mid-sized organizations meet the NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MP.L2-3.8.1 requirement to protect digital media during transport and storage—covering classification, encryption, key management, secure transport channels, physical chain-of-custody, and evidence you need for compliance.
Understanding MP.L2-3.8.1 — objective and risk
MP.L2-3.8.1 expects organizations to protect digital media (storage devices, removable media, and digital files) containing Controlled Unclassified Information (CUI) when media is moved outside controlled areas. The key objectives are confidentiality, integrity, and auditable custody during transit and while stored outside a controlled perimeter. Failure to implement these controls risks CUI exposure, contract termination, regulatory penalties, reputational damage, and downstream supply-chain compromise.
Practical implementation steps
1) Classify, label, and maintain an inventory
Start by identifying which files and devices contain CUI. Maintain a simple inventory (CSV or small database) with fields: media ID, owner, location, classification, encryption status, last custody change, and disposal date. Label media physically (tamper-evident tags) and logically (metadata, tags in the file system). For example, a small engineering shop should tag USB drives with a serial and record: "Project X — CUI — Encrypted AES-256 — Assigned to Jane Doe." This inventory is the backbone of chain-of-custody evidence for auditors.
2) Encrypt media at rest using approved cryptography
Use vetted, FIPS-validated cryptographic implementations where possible. Recommended algorithms: AES-256-GCM for confidentiality and integrity; RSA-2048+ for key wrapping, and RSA-2048+ or ECDSA/P-256 for signatures; SHA-256 for hashing. Practical tools: BitLocker (Windows) or FileVault (macOS) for whole-disk encryption; VeraCrypt or self-encrypting drives (SEDs) with FIPS-validated controllers for removable media. For file-level encryption when sending individual files, GnuPG works well: gpg --symmetric --cipher-algo AES256 confidential.pdf. If you use the OpenSSL command line instead, be aware that openssl enc does not implement AEAD modes such as GCM (it rejects -aes-256-gcm outright), so no single openssl enc invocation gives you authenticated encryption. Use a password-based KDF with sufficient iterations, e.g., openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -in file -out file.enc, and add a separate HMAC-SHA256 over the ciphertext (openssl dgst -sha256 -hmac <key> file.enc) that the recipient verifies before decrypting; or simply prefer GnuPG, which authenticates the data for you. Avoid custom crypto and weak ciphers (e.g., AES-CBC without HMAC).
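As an added example (not part of the original post, Python standard library only), here is a small gate that confirms a package produced by the gpg command above really is an OpenPGP symmetric-key encrypted file naming AES-256 before its inventory row is marked "Encrypted AES-256" or the file is uploaded. The sample byte strings are constructed and the function names are my own; the parser reads only the leading packet (RFC 4880 tag 3, SKESK).

```python
# Added example (not from the original post): confirm that a package produced by
# "gpg --symmetric --cipher-algo AES256" really is an OpenPGP symmetric-key
# encrypted file using AES-256 before it is logged as "Encrypted AES-256" or
# uploaded. Parses only the first packet (RFC 4880 tag 3, SKESK); stdlib only.

# OpenPGP symmetric cipher algorithm IDs (RFC 4880, section 9.2)
CIPHER_NAMES = {2: "TripleDES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}
SKESK_TAG = 3  # Symmetric-Key Encrypted Session Key packet
NOT_ENCRYPTED = {"encrypted": False, "version": None, "cipher": None}

def parse_skesk(data: bytes) -> dict:
    """Describe the leading packet: is it an SKESK, and which cipher does it name?"""
    if len(data) < 4 or not data[0] & 0x80:      # bit 7 is set on every packet header
        return dict(NOT_ENCRYPTED)
    if data[0] & 0x40:                           # new-format header: tag in low 6 bits
        tag, body = data[0] & 0x3F, 2            # 1-octet length is all an SKESK needs
    else:                                        # old-format header (what GnuPG emits)
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:                           # indeterminate length: never an SKESK
            return dict(NOT_ENCRYPTED)
        body = 1 + (1, 2, 4)[ltype]              # header octet + 1/2/4 length octets
    if tag != SKESK_TAG or len(data) < body + 2:
        return dict(NOT_ENCRYPTED)
    version, algo = data[body], data[body + 1]   # v4 and v5 both begin version, cipher
    return {"encrypted": True, "version": version,
            "cipher": CIPHER_NAMES.get(algo, f"unknown({algo})")}

def is_aes256_bytes(data: bytes) -> bool:
    """True only when the leading packet is an SKESK that names AES-256."""
    return parse_skesk(data)["cipher"] == "AES256"

def is_aes256_package(path: str) -> bool:
    """Gate for the inventory/upload step: read the file header and check it."""
    with open(path, "rb") as fh:
        return is_aes256_bytes(fh.read(16))

# Constructed samples (not real CUI): old-format SKESK header 0x8C, length 13,
# version 4, cipher 9 (AES256) or 7 (AES128), iterated-salted S2K (3) with
# SHA-1 (2), an 8-byte salt and a count octet.
SAMPLE_AES256 = bytes.fromhex("8c0d040903020102030405060708c0")
SAMPLE_AES128 = bytes.fromhex("8c0d040703020102030405060708c0")
SAMPLE_PLAIN_PDF = b"%PDF-1.7 (constructed, unencrypted)"

if __name__ == "__main__":
    for name, blob in [("AES256", SAMPLE_AES256), ("AES128", SAMPLE_AES128),
                       ("PDF", SAMPLE_PLAIN_PDF)]:
        print(name, parse_skesk(blob), "accept" if is_aes256_bytes(blob) else "reject")
```

A file that fails this check (wrong cipher, or not an OpenPGP packet at all) should not leave the controlled area, and the inventory's encryption-status field should not be set until it passes.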
3) Secure electronic transport channels
Never email unencrypted CUI attachments. Use secure transport channels: SFTP servers configured to require key-based authentication, HTTPS with TLS 1.2+ (prefer TLS 1.3) configured for strong ciphers (ECDHE + AES-GCM), site-to-site or client VPNs (IPsec or OpenVPN with modern suites), or managed file transfer (MFT) solutions that provide logging and access controls. Example: configure the SFTP server to accept SSH key pairs only and disable password authentication, then transfer with a standard client: sftp -i /path/to/key user@host:/destination. When using cloud storage (AWS S3, Azure Blob), enable server-side and/or client-side encryption (SSE with KMS-managed keys or client-side AES-256) and enforce IAM policies restricting bucket access to specific principals and IP ranges.
4) Physical transport and chain-of-custody
For physical movement (USBs, drives), adopt a chain-of-custody form and procedures: two-person handoff where feasible, tamper-evident bags, locked courier transport, signed manifests, and GPS tracking for high-value shipments. Maintain a log entry at each custody change with time, person, and purpose. For example, when subcontracting PCB files on a drive, put the drive in a tamper-evident bag, log the bag ID and signatures, and ship via a contractual courier with signature-on-delivery and tracking. Keep copies of signed delivery receipts as evidence.
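Steps 1 and 4 are two views of one evidence trail: the inventory row says who holds the media now, and the custody log says how it got there. As an added example (not from the original post, Python standard library only), here is a minimal inventory with a hash-chained custody log in which every handoff records the SHA-256 of the previous entry for that media item, so an edited or deleted handoff no longer verifies when the log is exported for the assessor. Field names follow the list in step 1; the function names and sample values are my own.

```python
# Added example (not from the original post): media inventory plus a hash-chained
# chain-of-custody log, stdlib only. Each custody entry stores the SHA-256 of the
# previous entry for the same media item, so an edited or deleted handoff fails
# verification when the log is exported as audit evidence. Names are hypothetical.
import csv, hashlib, io, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # back-link recorded by the first custody entry of each media item

def new_media(media_id, owner, location, classification, encryption, disposal_date=None):
    """Inventory row with the fields recommended in step 1."""
    return {"media_id": media_id, "owner": owner, "location": location,
            "classification": classification, "encryption": encryption,
            "last_custody_change": None, "disposal_date": disposal_date}

def _entry_hash(entry: dict) -> str:
    """Canonical JSON of every field except the hash itself, then SHA-256."""
    canonical = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()

def record_custody(log, inventory, media_id, from_person, to_person, purpose, when=None):
    """Append one handoff (time, people, purpose) linked to the previous entry."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = next((e["hash"] for e in reversed(log) if e["media_id"] == media_id), GENESIS)
    entry = {"media_id": media_id, "time": when, "from": from_person, "to": to_person,
             "purpose": purpose, "prev_hash": prev}
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    inventory[media_id].update(owner=to_person, last_custody_change=when)
    return entry

def verify_chain(log) -> bool:
    """Recompute every hash and back-link; False if any entry was altered or removed."""
    last = {}
    for e in log:
        if e["hash"] != _entry_hash(e) or e["prev_hash"] != last.get(e["media_id"], GENESIS):
            return False
        last[e["media_id"]] = e["hash"]
    return True

def export_csv(rows) -> str:
    """CSV text of inventory or custody rows for the SSP evidence folder."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Run verify_chain over the exported log before filing it as evidence, and file the tamper-evident bag ID and courier receipt number in the purpose field so each entry points at the matching physical artifact.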
5) Key management and secure storage
Protect cryptographic keys separately from the media they protect. Use centralized KMS/HSM solutions (AWS KMS, Azure Key Vault HSM, or an on-prem HSM) for production keys—enable automatic rotation and strict IAM policies. For small businesses without HSMs, use cloud KMS with customer-managed keys and multi-person access controls, and never store passwords or key material on the same media as encrypted data. Enforce role-based access control (RBAC), keep access logs, and require MFA for key management consoles. For disk/drive disposal, prefer crypto-erase for SEDs (erasing the drive encryption key) or physical destruction for SSDs and optical media per NIST SP 800-88 guidelines.
Real-world example for a small business
Scenario: A 12-person avionics subcontractor needs to send CUI design files to a prime contractor. Implementation: 1) Tag each file set as CUI and add it to the inventory spreadsheet; 2) Create a ZIP and encrypt it client-side with GPG: gpg --symmetric --cipher-algo AES256 design_package.zip; 3) Upload it to an SFTP server restricted to the contractor's IPs, authenticating with SSH key pairs; 4) Place the original backup on an encrypted SED (FIPS-certified) and record the drive serial, custodian, and storage location; 5) Before transporting the backup drive, seal it in a tamper-evident bag, log the chain-of-custody, and ship via tracked courier with delivery signature. Retain the inventory and chain-of-custody logs, SFTP transfer logs, and signed receipts in the audit folder for the SSP/assessment.
Compliance tips, evidence, and common pitfalls
Document your procedures in the System Security Plan (SSP) and produce artifacts auditors expect: media inventory exports, sample chain-of-custody forms, configuration screenshots of encryption settings, KMS key policies, transfer logs (SFTP/HTTPS access logs), and training records. Common pitfalls: using weak or deprecated TLS/cipher suites, emailing unencrypted attachments, storing keys next to encrypted files, and failing to retain custody receipts. Train staff with short SOPs and tabletop exercises for media handling and loss scenarios, and create a POA&M entry for any compensating controls while you remediate.
Implementing MP.L2-3.8.1 is achievable for small businesses by combining simple procedural controls (inventory, chain-of-custody, SOPs) with strong technical controls (AES-256 encryption, secure transport channels, separated key management, logging). Prioritize consistent documentation and evidence collection—encrypted files plus transfer logs and signed custodial receipts will satisfy most assessors and reduce the risk of CUI exposure.