
How to Build a CUI Media Access and Transport Policy for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control MP.L2-3.8.5: Templates, Procedures, and Enforcement

Step-by-step guidance, templates, and technical controls to create a CUI media access and transport policy that satisfies NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 MP.L2-3.8.5 compliance requirements.

April 18, 2026

This post gives a practical, implementable blueprint for building a Controlled Unclassified Information (CUI) media access and transport policy that meets NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 Control MP.L2-3.8.5 — including ready-to-adapt templates, concrete procedures, technical controls, and enforcement measures targeted at small and medium-sized businesses handling government contract data.

Scope and objectives

The policy must define which media and transport actions are covered (removable media such as USB drives, CDs and external SSDs, laptops, printed paper, email attachments, cloud transfers, and couriered physical devices), who may access CUI, under what circumstances, and the technical and administrative controls required for safe transport. Key objectives: reduce the exposure surface, ensure cryptographic protection in transit and at rest, maintain chain-of-custody records and logs, enforce least privilege for media access, and provide documented evidence for auditors and assessors.

Policy templates and required clauses

Create short, modular templates you can adapt by role and context. Minimum clauses to include: definition of CUI and examples; approved media types; pre-approval and authorization requirements; encryption and hashing standards; labeling and marking requirements; chain-of-custody and transfer receipt; sanitization/clearing/destruction procedures; incident reporting; exceptions and waiver process; disciplinary actions and audit rights. Store templates in your compliance repository and version-control them (e.g., Git or a document management system).

Example template snippets (practical fields)

Media Transfer Authorization Form fields: Requestor name, Requestor role, Date, CUI classification, Description of media type, Destination (person/organization), Transport method (courier/SFTP/physical hand-carry), Pre-shared encryption key or certificate ID, Expected return date, Approving authority signature, Chain-of-custody tracking ID.

Chain-of-custody template fields: Item ID, Serial number, Condition, Sign-out timestamp, Sign-in timestamp, Signatures (sender, carrier, recipient), GPS or courier tracking number if applicable.

Procedures — step-by-step for small businesses

1) Authorization: Require written pre-approval from the contracting officer or an assigned CUI custodian for any outbound media transfer.

2) Preparation: Sanitize all non-required data (follow NIST SP 800-88 for media sanitization), encrypt the media using FIPS 140-2/140-3 validated crypto (AES-256 recommended for storage), and create a transfer manifest.

3) Transport: Prefer encrypted network transfers (SFTP over SSH with strong ciphers, or TLS 1.2+ for other transfer channels) to physical shipping. If physical handoff is required, ensure full-disk encryption on devices (e.g., BitLocker with TPM+PIN or FileVault with a secure escrow process), carrier vetting, and a signed chain-of-custody.

4) Receipt and verification: The recipient must verify integrity (SHA-256 hash against the manifest) and authenticate the sender's identity (ID check plus out-of-band confirmation).

5) Logging and retention: Log every transfer in a media inventory (who, what, when, how). Retain transfer logs and signed forms for the retention period the contract or agency requires, as audit evidence.
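Steps 2, 4 and 5 above (manifest, recipient-side hash verification, inventory log) as a small worked script. This is an added example, not code from the original post; the field names, the tracking ID "COC-2026-0042" and the two sample files are constructed to mirror the authorization form and are not a real transfer.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()  # streamed so large media images need not fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, tracking_id, requestor, approver, destination, method):
    """Sender side: authorization-form fields plus a SHA-256 for every file shipped."""
    return {"tracking_id": tracking_id, "requestor": requestor, "approver": approver,
            "destination": destination, "transport_method": method,
            "created_utc": datetime.now(timezone.utc).isoformat(),
            "files": [{"name": os.path.basename(p), "size": os.path.getsize(p),
                       "sha256": sha256_file(p)} for p in paths]}

def verify_manifest(manifest, directory):
    """Recipient side: recompute every hash; an empty list means the media arrived intact."""
    problems = []
    for entry in manifest["files"]:
        p = os.path.join(directory, entry["name"])
        if not os.path.isfile(p):
            problems.append(f"missing: {entry['name']}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['name']}")
    return problems

def log_transfer(inventory_path, manifest, who, result):
    """Append one who/what/when/how record to the media inventory (JSON Lines)."""
    record = {"when": datetime.now(timezone.utc).isoformat(), "who": who,
              "what": manifest["tracking_id"], "how": manifest["transport_method"],
              "file_count": len(manifest["files"]), "result": result}
    with open(inventory_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record

def demo():
    """Constructed sample transfer: two files, one altered after the manifest was built."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("cui_drawing.pdf", "cui_bom.csv")]
    for p, data in zip(paths, (b"drawing bytes", b"part,qty\nA-1,4\n")):
        Path(p).write_bytes(data)
    m = build_manifest(paths, "COC-2026-0042", "j.doe", "cui.custodian", "Subcontractor X", "SFTP")
    before = verify_manifest(m, d)                             # []
    Path(paths[1]).write_bytes(b"part,qty\nA-1,4\nB-2,1\n")     # corrupted or tampered in transit
    after = verify_manifest(m, d)                              # ["hash mismatch: cui_bom.csv"]
    rec = log_transfer(os.path.join(d, "media_inventory.jsonl"), m, "recipient", "FAILED" if after else "OK")
    return before, after, rec
```

The manifest itself should travel with the signed authorization form, not only on the media it describes, so a recipient can detect a substituted file.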

Technical controls and configurations

Implement technical controls that automate enforcement: device control via Group Policy or MDM (e.g., Microsoft Intune) to restrict USB usage and enforce encryption, Data Loss Prevention (DLP) rules to block exfiltration of CUI, NAC (Network Access Control) to prevent unknown devices from connecting to sensitive networks, and SIEM/Syslog aggregation for transfer and access events. Configure cryptography to use FIPS-validated modules, require TLS 1.2+ with strong ciphers for transport, and use SFTP/SCP or encrypted containers (e.g., 7-zip with AES-256) where direct enterprise file sync is unavailable. Disable autorun for removable media and require endpoint antivirus/EDR with up-to-date signatures before any media is allowed to connect.

Real-world scenarios for small businesses

Scenario A: Laptop hand-carry to a client. The policy requires pre-approval, BitLocker enabled with TPM+PIN, endpoint AV current, a signed chain-of-custody form, and the laptop transported in a secured bag by an approved employee.

Scenario B: Sending CUI to a subcontractor. Use a vendor approval checklist, exchange certificates for SFTP, send files over SFTP with server-side logging, and require the subcontractor to return or sanitize copies within 30 days with proof.

Scenario C: Using a courier. Only use vetted couriers with package tracking and tamper-evident packaging; require dual control where two employees verify handoff and receipt.

Enforcement, monitoring, and audit evidence

Enforcement should combine administrative and technical measures: periodic audits of the media inventory, random checks of chain-of-custody forms, automated alerts for unapproved transfer attempts from DLP, and disciplinary policy for violations. For auditors, produce policy documents, authorization records, signed transfer manifests, logs showing encryption/configuration (BitLocker reports, MDM compliance reports), SIEM alerts related to transfers, and training records that demonstrate personnel understood media handling procedures.
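The BitLocker evidence mentioned above, and the TPM+PIN requirement from Scenario A, can be checked mechanically before a laptop leaves the building. This is an added example, not code from the original post: the sample report is constructed in the layout of `manage-bde -status` output rather than captured from a real host, and the policy thresholds (TPM And PIN protector present, a recovery password protector present, AES-256) are assumptions taken from the policy text above.

```python
import re

# Constructed sample in the layout of `manage-bde -status` output (not from a real host).
SAMPLE_REPORT = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Key Protectors:
        TPM And PIN
        Numerical Password
"""

def parse_volumes(report):
    """Map drive letter -> {field: value, "Key Protectors": [names]} from the report text."""
    volumes, vol = {}, None
    for line in report.splitlines():
        m = re.match(r"^Volume ([A-Z]):", line)
        if m:
            vol = volumes.setdefault(m.group(1), {"Key Protectors": []})
        elif vol is None or not line.strip():
            continue
        elif line.startswith("        "):          # protector names sit one level deeper
            vol["Key Protectors"].append(line.strip())
        elif ":" in line:
            key, _, value = line.strip().partition(":")
            if value.strip():                       # skips the bare "Key Protectors:" header
                vol[key.strip()] = value.strip()
    return volumes

def check_policy(volumes, mount="C"):
    """Findings against the hand-carry policy; an empty list means the volume passes."""
    v = volumes.get(mount)
    if v is None:
        return [f"no BitLocker data for volume {mount}"]
    findings = []
    if v.get("Conversion Status") != "Fully Encrypted":
        findings.append("volume is not fully encrypted")
    if v.get("Protection Status") != "Protection On":
        findings.append("protection is off (protectors suspended)")
    if "TPM And PIN" not in v["Key Protectors"]:
        findings.append("no TPM+PIN key protector")
    if "Numerical Password" not in v["Key Protectors"]:
        findings.append("no recovery password protector to escrow")
    if not v.get("Encryption Method", "").endswith("256"):
        findings.append(f"encryption method {v.get('Encryption Method')} is not AES-256")
    return findings
```

On a Windows host the report text comes from running `manage-bde -status` (for example via `subprocess.run`), and the returned findings list is the artifact to attach to the chain-of-custody form.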

Risks of non-compliance and best practices

Failing to implement this control risks unauthorized disclosure of CUI, contract termination, loss of future government work, regulatory penalties, and reputational damage. Practically, uncontrolled media is one of the most common vectors for data breaches. Best practices: keep the policy simple and enforceable, automate enforcement where possible (MDM, DLP), require pre-approval for exceptions, train staff with scenario-based exercises, and document every transfer as evidence. Use NIST SP 800-88 for sanitization guidance and retain logs consistent with contract requirements.

In summary, build a concise CUI media access and transport policy by combining clear templates (authorization, chain-of-custody), prescriptive procedures (prepare, encrypt, transport, verify), specific technical controls (MDM, DLP, FIPS-validated crypto, BitLocker/FileVault), and enforceable audit processes. For small businesses, prioritize automation and simple checklists so staff can reliably follow the rules, and collect the evidentiary artifacts assessors will expect during a NIST/CMMC review.
