This post explains how a small business can practically meet CMMC 2.0 Level 2 practice MP.L2-3.8.5 (NIST SP 800-171 Rev. 2 requirement 3.8.5) to protect Controlled Unclassified Information (CUI) when media is transported outside controlled areas. It covers policy, technical controls, chain-of-custody, vendor requirements, worked scenarios and testing steps so you can implement a defensible program that assessors and contracting officers will accept.
Implementation Overview (Framework, Practice, Requirement, Key Objectives)
Framework: CMMC 2.0 Level 2, mapped to NIST SP 800-171 Rev. 2. Practice: MP.L2-3.8.5, Media Accountability. Requirement: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. Cryptographic protection of CUI on digital media in transit is the companion practice MP.L2-3.8.6 (required unless alternative physical safeguards are in place); the procedure below is written to satisfy both, so keep the evidence for each practice separable. Key objectives: prevent unauthorized access to or loss of the media, maintain an unbroken chain-of-custody, encrypt digital media with validated cryptography, and ensure that the media can be recovered or its loss promptly reported. Your implementation notes should map policy language to technical controls (AES-256 in a FIPS-validated module, tamper-evident seals), operational procedures (authorization, manifests, receipts) and evidence artifacts (manifests, courier receipts, CCTV footage, inventory reconciliations) that an assessor can sample.
Step-by-Step Procedure to Securely Transport CUI Media
1) Classify and approve: Before any movement, identify the media containing CUI, confirm that the destination is a controlled area or an approved alternative, and obtain authorization. Use an approval form that lists media IDs, owner, destination, authorized courier, purpose and expected return date.
2) Apply technical protections: Encrypt the media using a FIPS 140-2/3 validated cryptographic module (AES-256). For laptops use BitLocker on the OS volume with TPM+PIN; for removable drives use hardware-encrypted self-encrypting drives (SED) with PIN or token unlock, or BitLocker To Go where SEDs are not available, with recovery keys escrowed centrally. Record each device's unique serial number in the inventory, and never ship the PIN or recovery key with the device.
3) Physical protections: Seal the media in tamper-evident packaging with a unique seal ID and label the package with the media ID only; the external label must not reveal that the contents are CUI or what they contain.
4) Record chain-of-custody: Use a signed manifest that records timestamps, personnel and every handoff, including courier ID and vehicle details whenever a third party is involved, plus a hash of the contents taken at departure so the recipient can verify that the files arrived unaltered. Retain manifests for the retention period specified in the contract or your policy.
Chain-of-Custody, Transport, and Destination Handling
Vet couriers and carriers: For recurring offsite transfers use pre-approved couriers with background checks, NDAs, security and incident-reporting clauses in their contracts, and insurance. For high-risk items use two-person integrity (two authorized staff present at every handoff). Use GPS-tracked secure containers or courier services that provide live tracking and tamper alerts for high-value shipments. On arrival, the recipient compares the seal ID and media ID against the manifest before signing, treats any discrepancy as a potential incident rather than accepting the package, and moves the media immediately to a locked container or approved secure area; log the storage location and the access list. For media that will return, document the return procedure and the sanitization required before reuse, consistent with NIST SP 800-88 (Clear, Purge, Destroy); for self-encrypting drives a cryptographic erase counts as Purge under SP 800-88 and is the practical option.
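The manifest, arrival check and overdue-return rule from the steps above can be made mechanical rather than paper-only. The following Python ledger is an added example written for this post, not code from the original article or from any standard: each custody event is stored as canonical JSON chained to the hash of the previous event, the recipient recomputes the content digest and compares the seal ID before signing, and an overdue check flags media that left and never came back. The media ID, seal ID, personnel names, file contents and the 24-hour return window are constructed values assumed for the demonstration.

```python
"""Hash-chained chain-of-custody manifest for CUI media in transit.

Added example, not code from the original post. Media IDs, seal IDs, names,
file contents and the 24-hour return window are constructed/assumed values.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETURN_WINDOW = timedelta(hours=24)  # assumed policy value, not from the post
GENESIS = "0" * 64                   # chain anchor for the first entry


def content_digest(files: dict) -> str:
    """Order-independent SHA-256 over {filename: bytes}; the recipient
    recomputes it from the media to prove nothing was altered or swapped."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode("utf-8") + b"\0")
        h.update(hashlib.sha256(files[name]).digest())
    return h.hexdigest()


def entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash of canonical JSON for one entry, chained to the previous hash."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


def later(t: datetime, hours: float) -> datetime:
    """Convenience for timestamps relative to the approval time."""
    return t + timedelta(hours=hours)


class CustodyLedger:
    """Append-only manifest for one media item: approval, handoffs, receipt,
    return. Each entry carries the hash of the previous one, so an edited,
    reordered or deleted handoff is detectable by anyone holding the log."""

    def __init__(self, media_id, seal_id, digest, approver, destination, when):
        self.media_id = media_id
        self.entries = []
        self.record("approved", approver, when, seal_id=seal_id,
                    content_sha256=digest, destination=destination)

    def record(self, event, person, when, **details):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "media_id": self.media_id,
                 "event": event, "person": person,
                 "time": when.isoformat(), **details}
        entry["hash"] = entry_hash(prev, entry)
        self.entries.append(entry)
        return entry  # one JSON object per event is what a SIEM ingests

    def verify(self) -> bool:
        """Recompute the chain; any edited, reordered or removed entry fails."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != seq or entry_hash(prev, body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def check_arrival(self, files: dict, seal_seen: str) -> list:
        """Findings the recipient must clear before signing for the media."""
        approved = self.entries[0]
        findings = []
        if seal_seen != approved["seal_id"]:
            findings.append("seal mismatch")
        if content_digest(files) != approved["content_sha256"]:
            findings.append("content digest mismatch")
        if not self.verify():
            findings.append("custody chain broken")
        return findings

    def overdue(self, now: datetime) -> bool:
        """Media departed, has not been returned, and is past RETURN_WINDOW."""
        departed = [e for e in self.entries if e["event"] == "departed"]
        returned = any(e["event"] == "returned" for e in self.entries)
        if not departed or returned:
            return False
        return now - datetime.fromisoformat(departed[0]["time"]) > RETURN_WINDOW


def demo():
    """Constructed sample transfer: a field engineer carrying a sealed USB."""
    files = {"design_rev3.pdf": b"constructed sample CUI payload",
             "bom.csv": b"part,qty\nX1,4\n"}
    t0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    ledger = CustodyLedger("USB-0042", "SEAL-77319", content_digest(files),
                           "j.doe (ISSM)", "client site, bldg 2", t0)
    ledger.record("departed", "a.engineer", later(t0, 0.5),
                  container="locked courier bag", courier="company staff")
    ledger.record("received", "client.poc", later(t0, 2),
                  storage="client safe 2; access: client.poc, a.engineer")
    return ledger, files, t0


if __name__ == "__main__":
    ledger, files, t0 = demo()
    print("chain ok:", ledger.verify())
    print("arrival findings:", ledger.check_arrival(files, "SEAL-77319"))
    print("overdue at +30h:", ledger.overdue(later(t0, 30)))
    print(json.dumps(ledger.entries, indent=1))
```

The hash chain only proves the log was not altered after the fact by someone who did not also recompute every later hash; to stop an insider from rewriting the whole chain, copy each entry's hash to a second system (the SIEM forward described later, or a signed daily export) as soon as it is recorded. Running an edited or tampered ledger through `verify()` returns False, which is the signal your arrival procedure should treat as an incident.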
Small-Business Scenarios — Practical Examples
Example 1, field engineer with a USB: A subcontractor engineer must take design files to an onsite review. Procedure: request approval via the change control form; copy the files to a company-issued hardware-encrypted USB (SED) unlocked by PIN, or, if none is available, a drive protected with BitLocker To Go whose recovery key is escrowed; apply a tamper-evident seal; carry it in a locked courier bag; log the handoff to the engineer on the manifest; and require the engineer to return the device to the office safe within 24 hours for custody review and sanitization.
Example 2, offsite backups to tape: Weekly backups sent to an offsite storage facility are written with the tape drive's hardware encryption enabled (LTO-4 and later drives support AES-256), with the encryption keys held in your key manager and never shipped with the tapes, and are stored in a secured, access-controlled vault; each shipment uses an approved carrier, a manifest, and CCTV verification at the storage provider.
Example 3, printed CUI taken to a client site: Print only what the meeting needs, redact where possible, seal the pages in a labeled envelope, have staff sign the log on departure and return, and document any copies left behind so they are shredded or collected by an authorized person.
Compliance Tips and Best Practices
Maintain an inventory of all media types and unique IDs (USB serials, SED IDs, tape barcodes) and reconcile it monthly against the manifests, so that any item out of custody past its return date is found by the reconciliation rather than by accident. Create a short, role-based SOP for field staff with a one-page checklist: authorization, encryption, labeling, manifest, courier, receipt, return/sanitization. Train staff quarterly on the procedure and on loss reporting, defining what "immediate" means in hours and who is notified. Include vendor requirements in procurement contracts: background checks, incident reporting, evidence retention and right-to-audit clauses. Periodically test the process with a table-top exercise and a sample shipment that validates the end-to-end controls and confirms the evidence (approval, manifest, receipt, return record) was actually captured.
Technical Controls and Tools (specific details)
Encryption: Use AES-256 provided by a FIPS 140-2/3 validated module. For Windows endpoints, use BitLocker with TPM+PIN on the OS volume and BitLocker To Go on removable drives, with recovery keys escrowed to Active Directory or Entra ID/Intune. For removable media, buy hardware-encrypted USBs (SED) that support PIN or token authentication and carry a FIPS 140 validation certificate. Key management: keep encryption keys in an HSM or KMS, rotate them per policy, and never send a device's PIN, password or recovery key in the same package or message as the media. Transport: prefer an encrypted network transfer to an approved endpoint (SFTP or SCP over SSH, or HTTPS with TLS 1.2 or later) instead of physical movement when the contract and data volume allow. Logging and monitoring: record manifest entries in a CMDB or asset inventory, forward custody events to your SIEM so an overdue or unexpected transfer raises an alert, and keep digital receipts and courier telemetry as assessor evidence.
Risks of Not Implementing MP.L2-3.8.5
Failure to protect offsite media risks unauthorized disclosure or loss of CUI, which can lead to contract penalties, loss of DoD or other government business, regulatory fines, reputational damage and mandatory incident reporting (under DFARS 252.204-7012, cyber incidents affecting covered defense information must be reported to DoD within 72 hours of discovery). Operational risks include extended downtime, forensic costs and customer notification. From a security perspective, a lost unencrypted drive is a direct disclosure, a poorly tracked drive cannot be shown not to have been copied, and a device that left custody and comes back can carry malware into the network; all three are easy paths to supply-chain compromise or targeted data exfiltration.
Summary: Implementing MP.L2-3.8.5 (together with its companion encryption practice MP.L2-3.8.6) requires a combination of clear policy, approved technical controls (FIPS-validated encryption, SEDs, TPM-backed BitLocker), robust chain-of-custody procedures, vetted carriers, and regular training and testing; small businesses can achieve compliance by standardizing checklists, using affordable hardware-encrypted devices, and documenting every transfer end-to-end so assessors and contracting officers see defensible controls and evidence.