Transporting Controlled Unclassified Information (CUI) outside of your organization's controlled areas introduces significant risk. MP.L2-3.8.5 (NIST SP 800-171 Rev. 2 requirement 3.8.5 / CMMC 2.0 Level 2) requires you to control access to media containing CUI and maintain accountability for that media while it is transported outside controlled areas. This post gives practical, compliance-focused steps, a ready policy template, and operational procedures a small business can implement immediately.
Control overview and key objectives
MP.L2-3.8.5 calls for controls that ensure media containing CUI (removable drives, printed documents, backup tapes, etc.) is accounted for and protected from unauthorized access while it is transported. Key objectives are: identify and classify media containing CUI, apply appropriate encryption and tamper evidence for physical transport, maintain chain of custody and logging, restrict transport to authorized methods and personnel, and retain evidence for audits and incident investigation. Scope note: 3.8.5 itself is about access control and accountability for physical media; the companion requirement MP.L2-3.8.6 covers cryptographic protection of CUI on digital media during transport, and CUI sent over a network falls under the System and Communications Protection family (SC.L2-3.13.8). Assessors will look at all three together, so the electronic transport steps below are included for completeness.
Practical implementation steps (Compliance Framework specific)
Start by updating your Compliance Framework artifacts: add a media transport control mapped to MP.L2-3.8.5 in your System Security Plan (SSP) and track any gaps in your Plan of Action & Milestones (POA&M). Technically, require AES-256 encryption of data at rest on removable media, performed by a FIPS 140-validated module: either operating-system disk encryption configured to use only FIPS-validated algorithms, or a hardware Self-Encrypting Drive with TCG Opal support that carries its own FIPS 140 validation (an SED that merely advertises AES-256 does not satisfy the FIPS requirement). For network-based transport enforce TLS 1.2 or later with certificate validation, or SFTP with key-based authentication, again backed by a FIPS-validated cryptographic library. Define approved transport methods (for example a government-approved courier, USPS Registered Mail, or your encrypted file transfer service) and ban insecure options (unencrypted USB drives carried in checked luggage, untracked consumer courier services). Implement tamper-evident packaging and require chain-of-custody records (who, when, purpose, receipt). Finally, log transport events in a central repository (a SIEM, or a spreadsheet for very small shops) and retain the evidence per contract requirements or organizational policy.
Small business real-world scenarios
Scenario A: A 12-person engineering subcontractor must send a prototype SSD with CUI to a prime contractor. Practical controls: image the SSD and encrypt the image with AES-256 before loading it onto a hardware-encrypted USB drive sealed in tamper-evident packaging; send the decryption passphrase or key to the recipient by a separate channel, never in the same package; create a chain-of-custody form signed by the shipper and the receiver; and use an approved courier with tracking and signature on delivery. Scenario B: A two-person consulting shop must send CUI reports. Deliver them through the company SFTP server with one-time download links and MFA for the recipient. If the reports are additionally protected as AES-256 encrypted PDFs, remember that a password-protected PDF is only as strong as its password, so use a long random password and send it by a separate channel. Retain the server access logs and require the recipient to confirm deletion after ingestion.
Compliance tips and best practices
Enforce least privilege: only authorized staff may package or sign for transported media, and their authorization should be documented. Use two-person integrity for high-impact transfers (one prepares, another verifies). Maintain proof: keep shipping receipts, courier tracking, signed chain-of-custody forms, encryption logs, and SHA-256 checksum verification output. Periodically test your transport process with mock transfers and audit the logs. Train personnel on marking CUI and using tamper-evident packaging; human error is a common failure point. Map each step to your SSP and evidence file so assessors can verify the chain of evidence quickly.
Risk of not implementing MP.L2-3.8.5
Failing to adequately protect media in transit risks unauthorized disclosure, supply‑chain compromise, contract termination, loss of future government work, and significant remediation costs. A lost or intercepted external drive with unencrypted CUI can lead to a breach notification, investigation, and possible financial penalties or reputational damage that small businesses often cannot absorb. Additionally, inadequate processes will surface during audits or CMMC assessments as findings that block certification or contract award.
Policy template and sample procedures
Use this ready policy excerpt and procedure steps as a starting point — insert your organization name and align retention periods with contract terms:
Policy: "XYZ Company shall protect and control media containing CUI during transport in accordance with MP.L2‑3.8.5. Only authorized personnel may package, approve, and transfer CUI media. All removable media containing CUI must be encrypted with AES‑256 using a FIPS‑validated module or shipped using organization‑approved hardware‑encrypted devices. Physical shipments must use tamper‑evident packaging, an approved courier, and a signed chain‑of‑custody form. Electronic transfers of CUI must use SFTP or TLS 1.2+ with mutual authentication. All transport events shall be logged and retained per contract requirements for audit."
Procedures (step-by-step):
1) Identify media and classification: verify the media contains CUI and mark it per CUI marking requirements.
2) Prepare media: create an encrypted container or use a hardware-encrypted device; record the SHA-256 checksum of the logical file or image and keep it with the chain-of-custody form, not on the media itself.
3) Package: place the device in a tamper-evident bag, label it with CUI markings, and attach the chain-of-custody (CoC) form.
4) Approve: a manager with transport authorization signs the CoC form and selects an approved carrier.
5) Ship: use the approved courier with tracking and signature required; monitor delivery.
6) Receipt: the receiver inspects the tamper seals, validates the checksum, signs the CoC form, and reports completion to the originator.
7) Log and retain: upload the CoC form, courier receipt, checksum verification, and encryption logs to the evidence library; retain per policy.
8) Incident: if tampering or loss is detected, follow incident response: notify the security officer, suspend further shipments, and initiate a breach assessment per your IR controls.
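The checksum, receipt-verification and logging steps of the procedure (2, 6 and 7), together with the tamper branch of step 8, as an added Python example; this is not code from the original post or from any product it mentions. It assumes the media has already been encrypted by the hardware device or FIPS-validated tool the policy requires, and that the manifest travels with the CoC form rather than on the media. The shipment ID, the preparer and receiver addresses, and the sample file are constructed for the demo and are not real identifiers.

```python
"""Transport manifest and chain-of-custody log for CUI media (added example, stdlib only)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SHIPMENT_ID = "SHP-0001"   # hypothetical identifier for the demo
CHUNK = 1 << 20


def sha256_file(path):
    """Stream a file through SHA-256 so large disk images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(media_root, shipment_id, prepared_by):
    """Step 2: record a SHA-256 and size for every file on the prepared media.

    The manifest is kept with the chain-of-custody form, not on the media, so
    whoever alters the media cannot also alter the reference hashes."""
    files = {}
    for dirpath, _dirs, names in os.walk(media_root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, media_root)
            files[rel] = {"sha256": sha256_file(full), "bytes": os.path.getsize(full)}
    return {
        "shipment_id": shipment_id,
        "prepared_by": prepared_by,
        "prepared_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(media_root, manifest):
    """Step 6: the receiver recomputes every hash. Returns (ok, findings).

    Missing files, altered files and files that were never on the manifest are
    all findings; any finding fails the shipment and triggers step 8."""
    findings = []
    seen = set()
    for dirpath, _dirs, names in os.walk(media_root):
        for name in names:
            seen.add(os.path.relpath(os.path.join(dirpath, name), media_root))
    for rel, expected in manifest["files"].items():
        if rel not in seen:
            findings.append(f"missing: {rel}")
        elif sha256_file(os.path.join(media_root, rel)) != expected["sha256"]:
            findings.append(f"hash mismatch: {rel}")
    for rel in sorted(seen - set(manifest["files"])):
        findings.append(f"unexpected file: {rel}")
    return (not findings, findings)


def log_custody_event(log_path, shipment_id, event, actor, details=None):
    """Step 7: append one chain-of-custody record as a JSON line for the evidence library."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "shipment_id": shipment_id,
        "event": event,   # prepared, approved, shipped, received, tamper_detected, ...
        "actor": actor,
        "details": details or {},
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def demo():
    """Run prepare / verify / log on constructed sample data, including an
    in-transit modification so the failure path (step 8) is exercised."""
    with tempfile.TemporaryDirectory() as work:
        media = os.path.join(work, "media")
        os.makedirs(os.path.join(media, "reports"))
        target = os.path.join(media, "reports", "design.txt")
        with open(target, "w") as f:
            f.write("constructed sample content standing in for CUI\n")
        log_path = os.path.join(work, "custody.jsonl")   # lives outside the media

        manifest = build_manifest(media, SHIPMENT_ID, "preparer@example.com")
        log_custody_event(log_path, SHIPMENT_ID, "prepared", "preparer@example.com",
                          {"file_count": len(manifest["files"])})
        ok_clean, _ = verify_manifest(media, manifest)

        # Simulate tampering in transit: a file changes after the manifest was sealed.
        with open(target, "a") as f:
            f.write("altered after sealing\n")
        ok_tampered, findings = verify_manifest(media, manifest)
        event = "received" if ok_tampered else "tamper_detected"
        log_custody_event(log_path, SHIPMENT_ID, event, "receiver@example.com",
                          {"findings": findings})

        with open(log_path, encoding="utf-8") as f:
            events = [json.loads(line)["event"] for line in f]
    return {"ok_clean": ok_clean, "ok_tampered": ok_tampered,
            "findings": findings, "events": events}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the preparer saves the manifest next to the signed CoC form in the evidence library, and the receiver runs verify_manifest against the decrypted media before signing. The JSON-lines log is deliberately append-only and timestamped in UTC so it can be ingested by a SIEM or simply attached to the shipment's evidence record.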
Summary
Implementing MP.L2-3.8.5 is a mix of policy, technical controls, and operational discipline: classify and encrypt media, standardize approved transport methods, require chain of custody and tamper evidence, log every transfer, and train staff. For small businesses, pragmatic choices (hardware-encrypted drives, approved couriers, simple chain-of-custody forms and SFTP) deliver strong protection without major cost. Map every control into your SSP and keep practical evidence handy to demonstrate compliance during audits and assessments.