Requirement
NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 – Control MP.L2-3.8.6 – Implement cryptographic mechanisms to protect the confidentiality of Controlled Unclassified Information (CUI) stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Understanding the Requirement
This control requires that any digital media containing CUI that leaves your facility be protected so that the confidentiality of the data is maintained during transport. In practice, that means encrypting portable media (USBs, external drives, backup disks, optical media) or using an approved physical safeguard (a locked container) when encryption is not feasible. The objective is simple: prevent unauthorized access to CUI while it is in transit, using cryptographic mechanisms or tightly controlled physical protections.
Technical Implementation
- Inventory and classification: Maintain an up-to-date inventory of all digital media types that may contain CUI. Tag media with an owner, the content classification, and an approved transport method in your inventory system. Only media listed and approved in the inventory may be transported offsite.
- Use approved encryption: Encrypt all portable media containing CUI with strong, industry-standard algorithms (for SMBs, AES-256 is a practical choice). Implement full-disk or container encryption tools that support enterprise management (examples for context: BitLocker, FileVault, or enterprise-grade hardware-encrypted drives). Ensure cryptographic modules are from reputable vendors and, where applicable, validated (e.g., FIPS 140 series validations).
- Hardware-encrypted devices for portability: For USBs and portable drives that move frequently, purchase hardware-encrypted devices with built-in PIN or keypad authentication. These reduce exposure to misconfiguration and provide granular access control without requiring users to install software on every workstation.
- Key and credential management: Never store encryption keys or passwords on the same physical media as the encrypted data. Use a centralized key management practice: unique keys per device, secure key storage (e.g., enterprise password manager, HSM for larger SMBs), and clearly defined procedures for key issuance, rotation, and revocation. Require multi-factor authentication for access to key administration functions.
- Transport procedures and physical safeguards: Define standard operating procedures for transporting media: sealed tamper-evident packaging, locked metal cases, or courier services with chain-of-custody tracking. When encryption cannot be used, require locked containers with documented access controls and immediate return to secure areas. Record who had custody, timestamps, and purpose for every movement.
- Verification, logging and periodic testing: Before dispatch, verify that the media can be decrypted by an authorized recipient and that encryption is intact. Log transport events and perform periodic audits of inventory, device configurations, and adherence to procedures. Test recovery procedures to ensure encrypted media can be read when needed (and that lost keys do not cause data loss).
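As an added example (not part of the original guidance), the rules from the inventory, key-management, transport-procedure and verification items above applied as a periodic audit over a batch of chain-of-custody records in Python; the record fields, the media IDs and custodian names, and the LOCKED set of approved containers are assumptions made for the illustration:

```python
from dataclasses import dataclass
from datetime import datetime

LOCKED = {"locked-case", "tamper-evident-locked-case"}  # approved physical safeguards
@dataclass
class MediaItem:        # one approved inventory entry for media that may hold CUI
    media_id: str
    encrypted: bool     # full-disk or container encryption applied
    key_on_media: bool  # key/password stored on the device itself (must be False)

@dataclass
class TransportEvent:   # one chain-of-custody record
    media_id: str
    custodian: str
    dispatched_at: str  # ISO 8601 timestamp
    purpose: str
    verified: bool      # pre-dispatch check: encryption intact, recipient can decrypt
    safeguard: str      # container used, or "none"
def _valid_timestamp(ts: str) -> bool:
    try:
        datetime.fromisoformat(ts)
        return True
    except ValueError:
        return False

def audit(inventory, events):
    """Return (media_id, finding) pairs for each rule violated; [] means compliant."""
    findings, by_id = [], {m.media_id: m for m in inventory}
    for m in inventory:
        if m.key_on_media:
            findings.append((m.media_id, "key stored on same media as CUI"))
    for e in events:
        m = by_id.get(e.media_id)
        if m is None:   # only inventoried, approved media may leave the site
            findings.append((e.media_id, "transported media not in approved inventory"))
            continue
        if not (e.custodian and e.purpose and _valid_timestamp(e.dispatched_at)):
            findings.append((e.media_id, "incomplete chain-of-custody record"))
        if m.encrypted and not e.verified:
            findings.append((e.media_id, "encryption not verified before dispatch"))
        if not m.encrypted and e.safeguard not in LOCKED:
            findings.append((e.media_id, "unencrypted CUI without locked container"))
    return findings
# Constructed sample records; IDs, names and dates are hypothetical.
INVENTORY = [MediaItem("HDD-001", True, False), MediaItem("USB-002", False, False),
             MediaItem("USB-003", True, True)]
EVENTS = [TransportEvent("HDD-001", "alice", "2024-03-04T09:15:00", "offsite backup", True, "tamper-evident-locked-case"),
          TransportEvent("USB-002", "bob", "2024-03-05T10:00:00", "client delivery", False, "none"),
          TransportEvent("USB-009", "dave", "2024-03-06T11:00:00", "unknown", False, "none"),
          TransportEvent("USB-003", "carol", "not-a-date", "", False, "locked-case")]
```

Running `audit(INVENTORY, EVENTS)` on the constructed records flags the drive carrying its own key, the unencrypted drive shipped without a locked container, the drive missing from the inventory, and the record with no purpose and no pre-dispatch verification, while the compliant HDD-001 transfer produces no finding.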
Example in a Small or Medium Business
Acme Engineering, a 45-employee firm that handles CUI for government subcontractors, implemented a simple program to meet MP.L2-3.8.6. They began by inventorying all portable media types and tagging backup drives used for off-site storage. For regular transport they purchased hardware-encrypted external drives and issued each to an assigned custodian. Every drive is encrypted with a unique key and recorded in the inventory system; keys are stored in the company’s secure key repository and never placed on the drives themselves. When drives leave the office to go to the off-site storage facility, the custodian completes a chain-of-custody form and places the drive in a tamper-evident locked case. The receiving facility verifies encryption integrity before accepting custody and logs the transfer. Acme also trained staff on handling procedures, prohibiting use of personal USBs for CUI and requiring manager approval for any exception. Quarterly audits confirm inventories, verify encryption settings, and test decryption at the storage site to ensure the controls work end-to-end.
Summary
Combining clear policies, inventory and labeling, strong cryptographic controls, disciplined key management, and practical physical safeguards provides a straightforward path for SMBs to meet this requirement. Encryption of portable media is the preferred technical control; when encryption is not possible, documented physical safeguards and chain-of-custody procedures close the gap. Regular verification and employee training ensure the controls are effective in protecting CUI confidentiality during transport.