
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.5

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.5

January 06, 2026

Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.5 – Control access to media containing “Controlled Unclassified Information” (CUI) and maintain accountability for media during transport outside of controlled areas.

Understanding the Requirement

This control requires that both digital and non-digital media containing CUI be protected while they leave your controlled facility and that you can account for who had possession of the media during transport. Practically, that means implementing access controls (who can handle and move CUI), physical safeguards (locked containers, tamper-evident packaging), and transport accountability (chain-of-custody records, authorized carrier and recipient, and tracking numbers). The two objectives are to ensure only authorized access to media and to maintain a documented accountability trail while media are en route.

Technical Implementation

  • Encrypt portable digital media: Use full-disk or container encryption for hard drives, SSDs, USB devices and mobile storage. For SMBs, deploy BitLocker (Windows), FileVault (macOS), or a vetted open-source tool (e.g., VeraCrypt) configured with strong algorithms and company-controlled keys. Ensure recovery keys are stored securely in a central secrets manager or password manager with restricted access.
  • Protect paper and non-digital media physically: Require locked containers (lockable briefcases, tamper-evident envelopes, or hardened transport boxes) for any printed CUI. Use tamper-evident seals and record seal IDs on the chain-of-custody form to detect unauthorized opening.
  • Define and document authorization and chain-of-custody: Maintain a simple authorization roster listing employees permitted to transport CUI and the types of media they can carry. Use a one-page chain-of-custody log for each shipment or movement that records date/time, sender, recipient, purpose, media ID, seal number, and signatures.
  • Use trackable, signature-required shipping: When shipping CUI off-site, use carriers that provide tracking numbers and require recipient signature upon delivery. Record the tracking number in your shipment record and confirm delivery with the recipient before unlocking or decrypting media.
  • Minimize exposure and avoid labeling CUI in transit: Do not mark external packaging with language that identifies the contents as CUI. Internally label media with an opaque identifier mapped to your inventory system, and keep the CUI classification out of publicly visible shipment labels.
  • Train staff and prepare procedures for loss/theft: Provide short, role-based training on transport procedures and require immediate reporting of lost or missing media. Maintain an incident plan that details notification, containment (remote wiping if possible), and documentation steps for any suspected compromise during transport.
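The chain-of-custody log and authorization roster described above are only useful if someone actually checks them for gaps. The following checker is an added example, not code from this guide or from any product it mentions; it replays a constructed custody log per media ID and reports the accountability failures an assessor would look for (unauthorized transporter, missing or mismatched seal ID, unsigned entries, decryption before the recipient confirmed receipt, and media still out in transit). The roster, field names and sample records are all constructed for the illustration.

```python
"""Chain-of-custody log checker for CUI media in transit (added example).

Each movement of a media item is one event on the custody log: date/time,
holder after the event, seal number observed, carrier tracking number, and
whether a signature was captured. The checker replays events per media ID
and returns findings. All names and sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Employees permitted to transport CUI (constructed roster; assumption).
AUTHORIZED_TRANSPORTERS = {"j.doe", "m.lee"}

# Actions recorded on the log (constructed vocabulary; assumption).
#   SIGN_OUT  - transporter takes media from the controlled area
#   HANDOFF   - media given to a carrier or another transporter
#   RECEIVED  - recipient signs for media and records the seal they see
#   DECRYPTED - recipient unlocks digital media after verifying receipt


@dataclass
class CustodyEvent:
    when: datetime
    media_id: str                    # opaque inventory ID, never "CUI"
    action: str
    holder: str                      # who holds the media after this event
    seal_id: Optional[str] = None    # tamper-evident seal serial observed
    tracking: Optional[str] = None   # carrier tracking number, if shipped
    signed: bool = False             # signature captured on the log


def check_custody(events: List[CustodyEvent]) -> Dict[str, List[str]]:
    """Return {media_id: [findings]}; an empty list means a complete trail."""
    by_media: Dict[str, List[CustodyEvent]] = {}
    for ev in events:
        by_media.setdefault(ev.media_id, []).append(ev)

    findings: Dict[str, List[str]] = {}
    for media_id, evs in by_media.items():
        evs.sort(key=lambda e: e.when)
        issues: List[str] = []
        if evs[0].action != "SIGN_OUT":
            issues.append("trail does not begin with SIGN_OUT")

        seal_at_signout: Optional[str] = None
        received = False
        for ev in evs:
            if not ev.signed:
                issues.append(f"{ev.action} at {ev.when:%Y-%m-%d %H:%M} is unsigned")
            if ev.action == "SIGN_OUT":
                if ev.holder not in AUTHORIZED_TRANSPORTERS:
                    issues.append(f"{ev.holder} is not on the authorized transporter roster")
                if ev.seal_id is None:
                    issues.append("no seal ID recorded at SIGN_OUT")
                seal_at_signout = ev.seal_id
            elif ev.action == "HANDOFF":
                # A handoff must go to an authorized employee or to a tracked carrier shipment.
                if ev.tracking is None and ev.holder not in AUTHORIZED_TRANSPORTERS:
                    issues.append(f"handoff to {ev.holder} without tracking number or authorization")
            elif ev.action == "RECEIVED":
                received = True
                if ev.seal_id != seal_at_signout:
                    issues.append(f"seal mismatch: sent {seal_at_signout}, received {ev.seal_id}")
            elif ev.action == "DECRYPTED":
                if not received:
                    issues.append("media decrypted before receipt was confirmed")

        last = evs[-1]
        if last.action not in ("RECEIVED", "DECRYPTED"):
            issues.append(f"trail ends with {last.action}; media still in transit with {last.holder}")
        findings[media_id] = issues
    return findings


def sample_log() -> List[CustodyEvent]:
    """Constructed sample: one clean shipment and one with several gaps."""
    d = datetime
    return [
        # MED-0412: complete, accountable trail
        CustodyEvent(d(2026, 1, 6, 8, 0), "MED-0412", "SIGN_OUT", "j.doe", seal_id="S-77812", signed=True),
        CustodyEvent(d(2026, 1, 6, 9, 30), "MED-0412", "HANDOFF", "carrier", tracking="TRK-EXAMPLE-0001", signed=True),
        CustodyEvent(d(2026, 1, 7, 14, 5), "MED-0412", "RECEIVED", "r.patel", seal_id="S-77812", signed=True),
        CustodyEvent(d(2026, 1, 7, 14, 20), "MED-0412", "DECRYPTED", "r.patel", signed=True),
        # MED-0413: unauthorized transporter, unsigned early decrypt, seal mismatch on receipt
        CustodyEvent(d(2026, 1, 6, 8, 10), "MED-0413", "SIGN_OUT", "t.intern", seal_id="S-77813", signed=True),
        CustodyEvent(d(2026, 1, 6, 16, 0), "MED-0413", "DECRYPTED", "t.intern", signed=False),
        CustodyEvent(d(2026, 1, 6, 17, 0), "MED-0413", "RECEIVED", "r.patel", seal_id="S-77831", signed=True),
    ]


if __name__ == "__main__":
    for media, issues in check_custody(sample_log()).items():
        print(media, "OK" if not issues else "\n  - " + "\n  - ".join(issues))
```

Run as-is and MED-0412 reports OK while MED-0413 lists four findings. In practice the events would be loaded from the shipment spreadsheet or ticketing system rather than constructed inline, and the roster would come from the documented authorization list so that the check and the policy cannot drift apart.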

Example in a Small or Medium Business

Acme Engineering, a 50-person firm, needs to move client technical drawings (paper) and raw sensor datasets (external hard drives) between its two offices. The IT manager encrypts each drive with BitLocker and records the drive serial numbers and the encryption recovery keys in the company secrets manager. Paper drawings are placed in a lockable briefcase and sealed with a tamper-evident stripe whose serial is recorded. A simple chain-of-custody form is filled out listing the authorized carrier (an employee), destination, purpose, and expected delivery time. For cross-country shipments, Acme uses a commercial carrier with tracking and signature required; the shipping clerk writes the carrier tracking number and recipient name on the shipment record and emails the recipient to expect the delivery. The employee transporting the items signs out the media on the daily custody log and returns it signed when the items are delivered; the receiving office verifies the tamper-evident seal and confirms decryption success for digital media. Acme also trains staff quarterly on these procedures and keeps shipment records for the contract retention period so they can demonstrate accountability if audited.

Summary

Combining straightforward policies (authorized transporter lists, chain-of-custody forms, and incident procedures) with technical controls (encryption, tamper-evident packaging, and tracked, signature-required shipping) lets SMBs meet MP.L2-3.8.5: controlling access to media containing CUI and maintaining accountability while media move outside controlled areas. Practical, documented steps and simple tools keep CUI protected in transit without requiring large security teams, and they provide the audit trail needed to demonstrate compliance and respond quickly if something goes wrong.

 
