Implementing a robust chain-of-custody (CoC) process for Controlled Unclassified Information (CUI) media is a concrete, auditable practice required to meet the Compliance Framework expectations (specifically NIST SP 800-171 Rev. 2 and CMMC 2.0 Level 2 Control MP.L2-3.8.5), and it reduces risk by ensuring every piece of media carrying CUI is tracked from creation to final disposition.
Define scope, policy, and roles (Compliance Framework Practice)
Start by defining which media types are in scope (e.g., removable media like USB drives, external SSD/HDD, optical media, paper, and whole devices such as laptops and phones) and by documenting a short CoC policy within your Compliance Framework policy set. The policy should identify roles (originator/custodian, transferor/transferee, security officer, records manager), minimum required evidence (timestamp, signatures, media ID, disposition method), and acceptance criteria for transfers. Include references to NIST SP 800-171 Rev.2 media protections and CMMC practice MP.L2-3.8.5 so auditors can map policy to the control text.
Step-by-step chain-of-custody process
1) Identification and labeling
Assign a unique identifier to each media item: a human-readable ID and a machine-readable barcode/QR if possible. Labels should include media ID, CUI marking (e.g., "CUI // SOURCE"), owner/custodian, and date issued. For digital-only transfers, persist identifiers in file metadata and in a central register. For small businesses, inexpensive thermal labels or tamper-evident barcode labels are sufficient; for larger operations, use asset tags and an asset-management system integrated with your ticketing system.
2) Registration and logging
On creation or reception, register the item in a centralized CoC log (a CSV file, a hardened spreadsheet, or a specialized CoC application). Required fields: media ID, media type, originator, current custodian, transfer reason, timestamp (ISO 8601), verification (digital signature or physical signature), and a cryptographic hash for digital media (use SHA-256). For example, when issuing a USB with CUI to an engineer, compute and store the SHA-256 hash of the filesystem image or the archive written to the drive; recomputing it later provides tamper evidence during verification.
3) Transfer and transport
Define explicit transfer steps: request, authorization, packaging, transport, handoff, and receipt. Use tamper-evident packaging and, for high-value transfers, hardware-encrypted drives with FIPS 140-2 validated modules. When transferring offsite, require an authorized courier and pre-authorized routing; document both parties' signatures, time/date, and any seal/serial numbers. If you must send media via mail, use tracked shipping and note tracking numbers in the CoC log; avoid labeling the contents in the clear and label only that the package contains "Sensitive Materials" when appropriate and allowed by contract.
4) Storage, access control, and technical controls
When media are at rest, store them in locked, access-controlled containers (e.g., safes or locked cabinets) and log access events. For digital devices, enforce encryption at rest (full-disk encryption, BitLocker with TPM, or hardware-encrypted self-encrypting drives) and centralized key management. Implement least-privilege access to the CoC register and use multi-factor authentication for any system that updates custody records. Integrate change logs with your SIEM so suspicious access or unexpected transfers generate alerts.
Sanitization, disposition, and audit evidence
Define and document approved sanitization and disposition methods that meet NIST SP 800-88 Rev. 1 (e.g., cryptographic erasure for self-encrypting drives, DoD 5220.22-M style overwrites where required, or physical destruction for media that cannot be reliably sanitized). Record the sanitization method, date, actor, and outcome in the CoC register and retain receipts or certificates of destruction. Maintain CoC logs and associated artifacts (hashes, signatures, transport receipts, photos of tamper seals) for the retention period defined by contract or company records policy; these artifacts are primary audit evidence for MP.L2-3.8.5.
Small-business examples and practical tools
Example 1: A 12-person engineering supplier needs to deliver CUI drawings on a USB to a prime contractor. Process: (1) engineer requests checked-out encrypted USB from security; (2) security logs media ID and computes SHA-256 of the archive written to it; (3) engineer signs CoC receipt (digital or physical) and records intended recipient; (4) when delivered, recipient signs and logs receipt; (5) upon return, security verifies SHA-256, sanitizes or re-images the USB, and updates the register. Example 2: A small IT services company uses a simple Google Form that auto-populates a spreadsheet to capture CoC events and prints barcoded labels. Over time they migrate to an entry-level asset management tool that integrates barcode scanning and PDF receipts for stronger audit trails.
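A minimal working version of the register described in step 2 and walked through in Example 1, as an added Python example that is not part of the original article: it records issue, transfer and return events with ISO 8601 timestamps, stores the SHA-256 of the archive written to the drive at issue time, re-verifies it on return, and exports the log as CSV. The media ID, role names and archive bytes are constructed for illustration.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone

# Column order of the CoC log; every event row carries all of these fields.
FIELDS = ["media_id", "media_type", "event", "custodian", "reason",
          "timestamp", "sha256", "verified_by"]

class CustodyRegister:
    """In-memory CoC register, one row per custody event (constructed example)."""
    def __init__(self):
        self.rows = []

    def _log(self, media_id, event, custodian, verified_by,
             reason="", media_type="", sha256=""):
        # ISO 8601 UTC timestamp, as the register fields in step 2 require.
        self.rows.append({
            "media_id": media_id, "media_type": media_type, "event": event,
            "custodian": custodian, "reason": reason, "sha256": sha256,
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "verified_by": verified_by})

    def issue(self, media_id, media_type, custodian, archive, verified_by):
        """Step 2: register the item and store the SHA-256 of what was written."""
        self._log(media_id, "issue", custodian, verified_by, "issue",
                  media_type, hashlib.sha256(archive).hexdigest())

    def transfer(self, media_id, to_custodian, verified_by, reason):
        """Step 3: hand-off; transferee becomes custodian, transferor signs."""
        self._log(media_id, "transfer", to_custodian, verified_by, reason)

    def verify_return(self, media_id, archive, verified_by):
        """Example 1 step 5: recompute the hash and compare to the issue record."""
        issued = [r for r in self.rows
                  if r["media_id"] == media_id and r["event"] == "issue"]
        if not issued:
            raise KeyError(f"{media_id} was never issued")
        digest = hashlib.sha256(archive).hexdigest()
        ok = digest == issued[-1]["sha256"]
        self._log(media_id, "return-verified" if ok else "return-hash-mismatch",
                  verified_by, verified_by, "return", sha256=digest)
        return ok

    def to_csv(self):
        """Export the log in the CSV shape described in step 2."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(self.rows)
        return buf.getvalue()
```

A mismatch on return is logged as its own event rather than silently dropped, so the register itself carries the evidence an assessor would ask for.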
Compliance tips, technical specifics, and best practices
Use cryptographic primitives and standards: compute SHA-256 hashes for integrity checks and use AES-256 (FIPS-validated) for encryption on removable media. Use secure erase procedures defined in NIST SP 800-88 for disposition. Enforce separation of duties: the person who authorizes a transfer should not be the same person who performs the sanitization. Train staff quarterly on the CoC workflow and run monthly reconciliation reports comparing physical inventory to the CoC register. Periodically test transfer processes with tabletop exercises and include evidence capture (time-stamped photos of seals and signed receipts) to demonstrate process effectiveness to assessors.
Risk of not implementing: without a verifiable CoC process you increase the likelihood of CUI compromise through lost or mishandled media, fail contractually required controls which can lead to decertification or contract loss, and face increased incident response costs, regulatory exposure, and reputational damage. Auditors will look for consistent, auditable records showing who handled media and how media were protected and disposed of; an absent or inconsistent CoC is a clear deficiency against MP.L2-3.8.5.
In summary, build a simple but auditable CoC process by scoping media, formalizing policy and roles under your Compliance Framework, labeling and logging every item, applying technical controls (hashes, encryption, tamper-evident packaging), and retaining sanitization and transfer evidence. For small businesses, start with low-cost controls (labels, spreadsheets, secure envelopes, documented steps) and iterate to stronger tooling as maturity grows; document everything so you can demonstrate compliance to NIST SP 800-171 Rev. 2 and CMMC 2.0 assessors.