
How to Prepare for CMMC 2.0 Level 2 Assessments: Practical Steps to Demonstrate Compliance with NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 Control MP.L2-3.8.5 for CUI Media Handling and Transport

Practical, step-by-step guidance for small businesses to meet CMMC 2.0 Level 2 (NIST SP 800-171 Rev. 2) control MP.L2-3.8.5 for securely handling and transporting CUI media.

April 10, 2026
4 min read

Controlling and protecting controlled unclassified information (CUI) while it is moved or transported is a core CMMC 2.0 Level 2 requirement: practice MP.L2-3.8.5, which maps to NIST SP 800-171 Rev. 2 requirement 3.8.5. Small and midsize contractors must show assessors practical, repeatable controls for media handling and transport to pass assessments and keep DoD work. This post gives actionable steps, technical specifics, and real-world examples that you can implement now to prepare for your assessment and to reduce the risk of CUI loss during transit.

Understand the control and map it to your environment

MP.L2-3.8.5 requires organizations to control access to media containing CUI and maintain accountability for that media during transport outside controlled areas. For compliance purposes, translate that into concrete policies, technical enforcement, and evidentiary artifacts: identify what qualifies as media (paper, USB/SSD, laptops, CDs, printed reports), define approved transport methods (encrypted electronic transfer, locked containers, vetted couriers), and document roles and responsibilities (who may approve transport, who maintains chain of custody).

Implementation notes — policies, roles, and minimization

Create a short, specific Media Transport Policy that: (1) mandates use of approved encrypted channels or hardware-encrypted removable media; (2) requires labeling and CUI markings; (3) defines chain-of-custody forms and procedures; and (4) specifies sanitization/destruction procedures when media is no longer needed. For small businesses, a single two-page policy plus one operational procedure per media type (electronic, physical) is sufficient if it's enforced and evidenced.

Technical controls you should implement

Practical technical controls include full-disk encryption for laptops (e.g., BitLocker or FileVault configured through enterprise policy), hardware-encrypted removable drives (self-encrypting SSDs/USBs), and secure file-transfer mechanisms (SFTP, or HTTPS with TLS 1.2 or 1.3). Ensure the cryptographic modules and configurations are vendor-documented as FIPS-validated, or use AES-256 or AES-128 in approved modes; during the assessment you will want vendor statements or screenshots showing that encryption is enabled and enforced via MDM/endpoint management (e.g., Microsoft Intune, Jamf).

Example configuration for a small company

Example: A 25-person subcontractor uses Microsoft Intune to enforce BitLocker with XTS-AES 256, require TPM+PIN, and block access to removable storage unless the device is compliant. They issue hardware-encrypted USB drives (with serial numbers tracked in an asset register), and mandate SFTP with client certificates for electronic transfers. For travel, laptops must be in hard-sided carry cases and never checked as baggage.
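The baseline in the example above (XTS-AES 256, TPM+PIN, removable storage blocked, plus the key escrow mentioned later) is easiest to evidence when you check it programmatically across every managed device and keep the output in the assessment package. The script below is an added example and is not code from the original post or from Microsoft: it evaluates a constructed export of per-device encryption state against that baseline. The record schema (`volume_status`, `protectors`, `recovery_key_escrowed`, `removable_storage_blocked`) is an assumption for the example; the value names mirror the `EncryptionMethod` and `KeyProtectorType` values that Windows' `Get-BitLockerVolume` reports, so a real MDM or PowerShell export could be mapped onto it.

```python
"""Check exported endpoint encryption records against the MP.L2-3.8.5
baseline described in the post. Added example; record schema is assumed."""
from typing import Dict, List, Tuple

REQUIRED_METHOD = "XtsAes256"    # XTS-AES 256, as in the post's Intune example
REQUIRED_PROTECTOR = "TpmPin"    # TPM + PIN pre-boot authentication

# Constructed sample export (not real devices). Value names follow the
# BitLocker EncryptionMethod / KeyProtectorType enumerations.
DEVICE_RECORDS: List[Dict] = [
    {"device": "LT-001", "volume_status": "FullyEncrypted",
     "encryption_method": "XtsAes256", "protectors": ["TpmPin", "RecoveryPassword"],
     "recovery_key_escrowed": True, "removable_storage_blocked": True},
    {"device": "LT-002", "volume_status": "FullyEncrypted",
     "encryption_method": "Aes128", "protectors": ["Tpm", "RecoveryPassword"],
     "recovery_key_escrowed": True, "removable_storage_blocked": False},
    {"device": "LT-003", "volume_status": "EncryptionInProgress",
     "encryption_method": "XtsAes256", "protectors": ["TpmPin"],
     "recovery_key_escrowed": False, "removable_storage_blocked": True},
]


def assess_device(rec: Dict) -> List[str]:
    """Return the baseline deviations for one device record (empty list = compliant)."""
    findings: List[str] = []
    if rec["volume_status"] != "FullyEncrypted":
        findings.append(f"OS volume not fully encrypted ({rec['volume_status']})")
    if rec["encryption_method"] != REQUIRED_METHOD:
        findings.append(f"encryption method {rec['encryption_method']} is not {REQUIRED_METHOD}")
    if REQUIRED_PROTECTOR not in rec["protectors"]:
        findings.append("no TPM+PIN key protector (pre-boot PIN not enforced)")
    if not rec["recovery_key_escrowed"]:
        findings.append("recovery key not escrowed to the management tenant")
    if not rec["removable_storage_blocked"]:
        findings.append("removable storage not blocked by policy")
    return findings


def assess_fleet(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each device name to its findings; this dict is the evidence artifact to retain."""
    return {rec["device"]: assess_device(rec) for rec in records}


def compliance_summary(records: List[Dict]) -> Tuple[int, int]:
    """(compliant_count, total_count) for the summary line of the evidence package."""
    results = assess_fleet(records)
    compliant = sum(1 for findings in results.values() if not findings)
    return compliant, len(results)


if __name__ == "__main__":
    for device, findings in assess_fleet(DEVICE_RECORDS).items():
        print(f"{device}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"    - {finding}")
    print("compliant devices: %d of %d" % compliance_summary(DEVICE_RECORDS))
```

Run it against a fresh export before each internal audit and again the week before the assessment; a device that drifts to CBC-mode AES-128 or loses its escrowed recovery key shows up as a named finding rather than being discovered by the assessor.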

Operational controls, evidence and chain-of-custody

Operationalize the controls with checklists and artifacts that assessors will expect: media inventory logs (asset tags, serial numbers), signed chain-of-custody forms for each transfer (origin, destination, handlers, times), courier contracts with confidentiality clauses and tracking numbers, tamper-evident seals on packages, and transport manifests. Capture screenshots of MDM policies, export audit logs showing application of encryption settings, and retain training attendance records proving staff know the procedures.

Real-world scenarios and small-business workflows

Scenario 1 — Overnight delivery of engineering drawings: Sanitize and mark printed drawings as CUI, place them in a tamper-evident numbered bag, record the bag serial number in the media log, and use a vetted courier with tracking and signature required. Keep a scanned copy of the chain-of-custody form in a secure repository.

Scenario 2 — Researcher traveling with a laptop: Ensure BitLocker is enabled, require multi-factor authentication for VPN access, use a pre-travel checklist, and have the researcher sign a documented fast-response plan in case of loss or theft.

Compliance tips, best practices and the risk of non-implementation

Best practices: minimize removable media use by preferring secure cloud or SFTP transfers; centrally manage encryption settings through MDM; rotate keys and use appropriate key management (documented key escrow procedures); sanitize devices per NIST SP 800-88 before reuse or disposal (cryptographic erasure or physical destruction); and run quarterly internal audits of the media inventory and transport logs. The risk of not implementing this control is material: loss of CUI can lead to contract termination, loss of DoD eligibility, regulatory penalties, and reputational damage — plus, undetected loss increases the chances of supply-chain compromise and espionage.
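The chain-of-custody artifacts described under operational controls, the courier scenario above, and the quarterly audit of the media inventory and transport logs all come down to the same checks: every transfer references a registered asset, custody is continuous from origin to destination with timestamps and signatures, the tamper-evident seal recorded at dispatch is the one verified on receipt, and physical shipments carry a courier tracking number. The validator below is an added example (not the post's own tooling); all records, names, serials and field names in it are constructed for illustration, and the `Transfer`/`Handoff` layout is an assumption about how a small business might keep its media log.

```python
"""Validate chain-of-custody records for CUI media transfers against the media
register, the way a quarterly internal audit would. Added example; all data
and field names are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Handoff:
    giver: str          # party releasing custody
    receiver: str       # party accepting custody
    time: datetime
    signed: bool        # receiver signed the custody form


@dataclass
class Transfer:
    transfer_id: str
    media_serial: str           # asset tag / serial from the media register
    origin: str
    destination: str
    seal_out: str               # tamper-evident bag/seal number recorded at dispatch
    seal_in: Optional[str]      # seal number the receiver verified on arrival
    tracking: Optional[str]     # courier tracking number (required for physical media)
    handoffs: List[Handoff] = field(default_factory=list)


# Constructed media register: serial -> attributes.
MEDIA_REGISTER: Dict[str, Dict] = {
    "PRINT-2026-017": {"kind": "physical", "description": "engineering drawings, printed"},
    "USB-0041": {"kind": "physical", "description": "hardware-encrypted USB drive"},
}


def validate_transfer(t: Transfer, register: Dict[str, Dict] = MEDIA_REGISTER) -> List[str]:
    """Return audit findings for one transfer; an empty list means the record is complete."""
    findings: List[str] = []
    media = register.get(t.media_serial)
    if media is None:
        findings.append(f"media {t.media_serial} is not in the media register")
    if not t.handoffs:
        findings.append("no custody handoffs recorded")
        return findings
    if t.handoffs[0].giver != t.origin:
        findings.append(f"first handoff is from {t.handoffs[0].giver}, not origin {t.origin}")
    if t.handoffs[-1].receiver != t.destination:
        findings.append(f"last handoff is to {t.handoffs[-1].receiver}, not destination {t.destination}")
    # Custody must be continuous and chronological: whoever received in one
    # handoff must be the giver in the next, and times must not go backwards.
    for prev, cur in zip(t.handoffs, t.handoffs[1:]):
        if prev.receiver != cur.giver:
            findings.append(f"custody gap between {prev.receiver} and {cur.giver}")
        if cur.time < prev.time:
            findings.append(f"handoff to {cur.receiver} is timestamped before the previous handoff")
    if not t.handoffs[-1].signed:
        findings.append("receipt at destination is unsigned")
    if t.seal_in is None:
        findings.append("tamper-evident seal not verified on receipt")
    elif t.seal_in != t.seal_out:
        findings.append(f"seal mismatch: dispatched {t.seal_out}, received {t.seal_in}")
    if media is not None and media["kind"] == "physical" and not t.tracking:
        findings.append("physical transfer has no courier tracking number")
    return findings


def audit(transfers: List[Transfer]) -> Dict[str, List[str]]:
    """Findings per transfer id; the audit passes when every list is empty."""
    return {t.transfer_id: validate_transfer(t) for t in transfers}


# Scenario 1 from the post (printed drawings by vetted courier), recorded correctly.
GOOD = Transfer(
    "T-1001", "PRINT-2026-017", "A. Engineer", "Prime Contractor Receiving",
    seal_out="TE-88213", seal_in="TE-88213", tracking="TRK-CONSTRUCTED-1",
    handoffs=[
        Handoff("A. Engineer", "Vetted Courier", datetime(2026, 4, 1, 9, 0), signed=True),
        Handoff("Vetted Courier", "Prime Contractor Receiving", datetime(2026, 4, 2, 10, 30), signed=True),
    ],
)

# A defective record: unregistered serial, custody gap, seal mismatch, unsigned receipt.
BAD = Transfer(
    "T-1002", "USB-9999", "A. Engineer", "Prime Contractor Receiving",
    seal_out="TE-88214", seal_in="TE-00001", tracking=None,
    handoffs=[
        Handoff("A. Engineer", "Vetted Courier", datetime(2026, 4, 1, 9, 0), signed=True),
        Handoff("Unknown Driver", "Prime Contractor Receiving", datetime(2026, 4, 2, 10, 30), signed=False),
    ],
)

if __name__ == "__main__":
    for tid, findings in audit([GOOD, BAD]).items():
        print(tid, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("   -", finding)
```

Feed it the quarter's transport log and the current media register; the findings list for each transfer is the same set of questions an assessor asks when walking a sample transfer end-to-end, so a clean run is itself a reusable evidence artifact.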

Assessment preparation checklist

Before the assessor arrives, compile: (1) Media Transport Policy and procedures; (2) asset inventory and media register; (3) screenshots/configuration exports (MDM, encryption status, SFTP server configs); (4) recent chain-of-custody logs and transport manifests; (5) courier agreements and vetting records; (6) training records showing staff completion of media-handling training; and (7) evidence of sanitization/disposal practices (receipts from destruction vendor or photos of destroyed media). Walk through two live examples end-to-end to show an assessor the process works.

In summary, meeting MP.L2-3.8.5 for CMMC 2.0 Level 2 is about combining clear, enforceable policy with practical technical controls (enterprise-managed encryption, secure transfer protocols, hardware-encrypted media) and repeatable operational evidence (chain-of-custody, inventories, training). Small businesses can achieve this with focused investments: adopt enterprise MDM, standardize hardware-encrypted drives, formalize transport procedures, and collect the artifacts auditors need — doing so significantly reduces the risk of CUI exposure and positions you to pass your CMMC assessment.
