This post explains how to implement NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MP.L2-3.8.5 — which requires organizations to control and track media containing Controlled Unclassified Information (CUI) when it leaves controlled areas — with practical, step-by-step actions, small-business examples, and technical specifics you can apply directly under a Compliance Framework program.
What MP.L2-3.8.5 requires (high level)
At its core, MP.L2-3.8.5 requires that any physical or digital media carrying CUI be protected, labeled, tracked, and accounted for whenever it is transported outside your controlled environment. The key objectives under Compliance Framework are (1) minimize exposure by limiting transport, (2) encrypt and protect the media, (3) maintain an auditable chain of custody, and (4) detect and respond to loss or compromise quickly.
Step-by-step implementation
1) Policy, classification, and inventory
Start by updating or creating a Media Handling and Transport Policy referencing MP.L2-3.8.5. Your policy should define CUI types, who is authorized to transport media, approved transport methods (digital vs physical), required markings, and retention of chain-of-custody records. Maintain an up-to-date inventory of media assets (removable drives, CDs, printed sets) and assign asset IDs (barcode/RFID) and owner fields in a CMDB or simple spreadsheet for small shops. Require authorization requests before any CUI leaves the facility (email ticket or signed physical form).
2) Minimize and choose the safest transport method
Minimize the number of physical media movements: prefer encrypted network transfer (SFTP, HTTPS with TLS 1.2/1.3), cloud transfer to an approved FedRAMP or DoD-approved solution, or secure remote access. When network transfer is not feasible, use encrypted containers (AES-256, FIPS 140-2/3 validated crypto modules) such as BitLocker (with TPM+PIN), VeraCrypt with AES-256, or an enterprise file sync solution configured for encryption-in-transit and at-rest. For electronic transport, require multi-factor authentication and certificate-based or public-key authentication for SFTP/SSH-based transfers and log the transfer session with user IDs and timestamps.
3) Controls for physical media transport
If physical transport is required, apply layered controls: (a) mark media clearly with CUI designation per contract guidance, (b) use tamper-evident packaging and seals, (c) employ approved couriers with signature-required and restricted delivery options, (d) require two-person custody for high-risk items, and (e) document chain-of-custody forms that record who had custody, times, locations, and transfer signatures. For small businesses, that can be a printed form or an electronic ticketing entry tied to the asset ID and scanned/signature capture.
4) Tracking, logging, and technical controls
Implement observable tracking: attach barcode or RFID tags to physical media and scan on each handoff; integrate scans into a ticketing or asset management system (e.g., ServiceNow, Jira, or a lightweight asset tracker). For electronic media, produce immutable logs (SFTP server logs, cloud object access logs) and forward them to a SIEM for alerting on unusual transfers. Configure retention of chain-of-custody and transfer logs per your Compliance Framework retention requirement (commonly 1–3 years or per contract). For key management use a KMS or HSM where possible; avoid storing decryption keys with the media itself — use separate, protected storage for keys and require MFA/role-based access to decrypt.
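The four steps above describe one procedure: inventory the asset, require an authorization before it leaves, record every handoff, and keep a chain-of-custody record that can be audited and that surfaces media which has not come back. The following is an added example (not code from the original post or from any product it names) of a minimal chain-of-custody ledger that does exactly that: each handoff event carries the SHA-256 hash of the previous event, so a deleted or edited record breaks the chain; a transport out of the controlled area is refused unless an authorization ticket is on file; and an overdue check lists assets still outside past their expected return time. All asset IDs, names, ticket numbers, times and the "controlled-area" location label are constructed placeholders.

```python
"""Hypothetical chain-of-custody ledger for CUI media (added example).

Assumptions (all constructed for illustration): asset IDs, people, ticket ids
and timestamps are made up. A real deployment would live behind the ticketing
or asset-management system the post recommends; the point here is the record
structure, the authorization gate, and the tamper-evident hash chain.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64          # prev_hash of the very first event
CONTROLLED = "controlled-area"


class CustodyLedger:
    def __init__(self):
        self.assets = {}          # asset_id -> inventory record
        self.authorizations = {}  # asset_id -> approval ticket on file
        self.due = {}             # asset_id -> datetime it must be back by
        self.events = []          # append-only, hash-chained handoff events

    def register_asset(self, asset_id, description, owner):
        self.assets[asset_id] = {"description": description, "owner": owner,
                                 "location": CONTROLLED}

    def authorize_transport(self, asset_id, ticket_id, approver):
        self.authorizations[asset_id] = {"ticket": ticket_id, "approver": approver}

    def _append(self, event):
        # Chain each event to its predecessor and hash the canonical JSON form.
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = dict(event, prev_hash=prev)
        body["hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.events.append(body)
        return body["hash"]

    def handoff(self, asset_id, from_party, to_party, location, when,
                expected_return_hours=None):
        if asset_id not in self.assets:
            raise KeyError(f"unknown asset {asset_id}")
        leaving = (self.assets[asset_id]["location"] == CONTROLLED
                   and location != CONTROLLED)
        if leaving and asset_id not in self.authorizations:
            raise PermissionError(f"no transport authorization on file for {asset_id}")
        self.assets[asset_id]["location"] = location
        if location == CONTROLLED:
            self.due.pop(asset_id, None)          # back inside: clear the deadline
        elif expected_return_hours is not None:
            self.due[asset_id] = when + timedelta(hours=expected_return_hours)
        due = self.due.get(asset_id)
        return self._append({
            "asset": asset_id, "from": from_party, "to": to_party,
            "location": location, "time": when.isoformat(),
            "ticket": self.authorizations.get(asset_id, {}).get("ticket"),
            "due": due.isoformat() if due else None,
        })

    def verify_chain(self):
        """True if no event has been altered, removed or reordered."""
        prev = GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

    def overdue(self, now):
        """Assets still outside the controlled area past their due time."""
        return sorted(a for a, d in self.due.items() if d < now)


def demo():
    """Walk a constructed USB-drive transport through the ledger."""
    ledger = CustodyLedger()
    ledger.register_asset("USB-0001", "BitLocker USB, project drawings", "j.doe")
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    try:
        ledger.handoff("USB-0001", "j.doe", "courier", "in-transit", t0, 48)
        blocked = False
    except PermissionError:
        blocked = True                      # no ticket yet: transport refused
    ledger.authorize_transport("USB-0001", "TKT-0042", "security-officer")
    ledger.handoff("USB-0001", "j.doe", "courier", "in-transit", t0, 48)
    ledger.handoff("USB-0001", "courier", "site-contact", "recipient-site",
                   t0 + timedelta(hours=6))
    results = {
        "unauthorized_blocked": blocked,
        "chain_ok": ledger.verify_chain(),
        "overdue_at_24h": ledger.overdue(t0 + timedelta(hours=24)),
        "overdue_at_49h": ledger.overdue(t0 + timedelta(hours=49)),
    }
    ledger.events[0]["to"] = "someone-else"     # simulate a tampered record
    results["tamper_detected"] = not ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain only proves that the ledger you hold is internally consistent; to make it evidence an assessor can rely on, periodically export the latest hash to a location the custodians cannot write to (the ticketing system, a signed email, or the SIEM), the same separation the post asks for between decryption keys and the media.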
Small-business real-world scenarios
Example 1: A 12-person engineering firm must deliver CAD files to a DoD prime. Instead of shipping USB drives, they set up an SFTP server with certificate-based client auth and enforce AES-256 encryption on disk; they provision short-lived client certs, log all transfers, and require the recipient to sign an access agreement. Example 2: A subcontractor must send drawings marked as CUI to an on-site contractor. They use an encrypted USB drive (BitLocker with TPM+PIN), place the drive in a tamper-evident bag, and use a commercial courier with signature and tracking; the driver and recipient both sign a printed chain-of-custody form scanned into the project ticket. These low-cost steps meet MP.L2-3.8.5 expectations for small shops when documented and audited.
Compliance tips, technical specifics, and best practices
Prefer electronic transfers over physical media whenever possible. Use FIPS-validated crypto (AES-256) and ensure TLS 1.2+ or SSH with modern KEX and ciphers. For removable media, require full-disk encryption and disable autorun on endpoints. Implement DLP rules to block unauthorized uploads or copy-to-USB attempts, and whitelist approved removable media via endpoint management. Train staff on the transport policy and run quarterly audits of asset inventory and chain-of-custody forms. When selecting service providers (couriers or cloud), perform a vendor security review and include SOC 2 / FedRAMP / DoD-specific assurances where required by contract.
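Step 4 recommends forwarding transfer logs to a SIEM and alerting on unusual transfers, and the tips above add quarterly audits and DLP rules; the following added example (not from the original post, and not the logging format of any real SFTP server) shows what such an alert rule looks like when written down. It parses a constructed, simplified transfer log, keeps only lines touching the CUI share, and flags three conditions: a transfer outside business hours, a transfer to a destination that is not an approved recipient address, and a single transfer above a size threshold. The log layout, the IP addresses, user names, paths and all policy thresholds are hypothetical; adapt the parser to your server's real format (OpenSSH's internal-sftp logs, a managed file-transfer product's audit export, or cloud object access logs) before using the rule.

```python
"""Added example: flag unusual CUI transfers in a constructed SFTP-style log.

The log format here is invented for the example (one line per transfer:
timestamp user action path bytes destination-ip); real servers log differently.
Policy values are hypothetical and would come from the transport policy.
"""
import re
from datetime import datetime

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:12:03Z j.doe DOWNLOAD /cui/project-x/assembly.step 4200000 203.0.113.10
2024-05-01T14:30:45Z a.smith DOWNLOAD /cui/project-x/bom.xlsx 120000 203.0.113.10
2024-05-01T23:15:00Z a.smith DOWNLOAD /cui/project-x/assembly.step 4200000 203.0.113.10
2024-05-02T11:02:17Z j.doe DOWNLOAD /cui/project-y/drawings.zip 950000000 198.51.100.7
2024-05-02T11:05:41Z contractor1 DOWNLOAD /cui/project-x/bom.xlsx 120000 192.0.2.55
2024-05-02T11:09:00Z j.doe DOWNLOAD /public/brochure.pdf 300000 192.0.2.55
"""

# Hypothetical policy: approved recipient egress IPs, 07:00-19:00 UTC window,
# and a per-transfer size ceiling that should trigger a review.
POLICY = {
    "approved_destinations": {"203.0.113.10", "198.51.100.7"},
    "business_hours": (7, 19),
    "max_bytes_per_transfer": 500_000_000,
    "cui_prefix": "/cui/",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path, size, dest = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "action": action, "path": path,
        "bytes": int(size), "dest": dest,
    }


def evaluate(event, policy):
    """List the policy conditions a single CUI transfer violates (empty if none)."""
    findings = []
    if not event["path"].startswith(policy["cui_prefix"]):
        return findings                      # non-CUI share: out of scope for this rule
    start, end = policy["business_hours"]
    if not (start <= event["time"].hour < end):
        findings.append("off-hours")
    if event["dest"] not in policy["approved_destinations"]:
        findings.append("unapproved-destination")
    if event["bytes"] > policy["max_bytes_per_transfer"]:
        findings.append("volume-threshold")
    return findings


def scan(log_text, policy=POLICY):
    """Run the rule over a whole log and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = evaluate(event, policy)
        if reasons:
            alerts.append({"time": event["time"].isoformat(), "user": event["user"],
                           "path": event["path"], "dest": event["dest"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Each alert should open a ticket that references the transfer authorization (if any) so the quarterly audit can reconcile logged transfers against approved ones; an unapproved destination with no matching authorization is the case to treat as a potential loss of CUI and run through your incident response process.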
Risks of not implementing MP.L2-3.8.5
Failing to control and track CUI in transit increases the risk of unauthorized disclosure, espionage, contract termination, financial penalties, and failed CMMC assessments. Beyond compliance penalties, loss of CUI can damage your reputation and eliminate the ability to bid on future government contracts. Technical fallout includes potential lateral movement if an attacker acquires unencrypted media containing credentials or private keys.
Implementing MP.L2-3.8.5 is achievable for small businesses by combining clear policies, minimization of physical transfers, proven encryption, documented chain-of-custody, and simple tracking. Start with a written policy, inventory your media, prefer secure network transfers, and add physical controls and logging where physical transport is unavoidable — then test through audits and tabletop exercises to ensure the controls work in practice.