MP.L2-3.8.5 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2) requires organizations to protect CUI when it is transported outside controlled environments—this post gives a practical, compliance-focused playbook for small businesses to encrypt, label, and track CUI media in transit as part of a Compliance Framework implementation.
Why this control matters and the risk of not implementing it
Transporting unprotected CUI or failing to prove chain-of-custody exposes organizations to data breaches, contract loss, regulatory penalties, and reputational damage; for small businesses this often means losing a customer contract with the DoD or a prime contractor and facing expensive remediation. Attackers frequently target removable media, email, and couriered physical shipments. A lack of encryption, missing labels, and absent tracking make compromised media difficult to detect and recover, and they undermine auditor confidence during compliance assessments.
Step 1 — Classify and label CUI before it moves
Start at the source: ensure each item of media is classified and clearly labeled according to your organization's CUI handling policy (aligned to the CUI Registry and agency-specific guidance). For digital files, embed metadata and filename prefixes (e.g., "CUI_Contract_ABC_v1.pdf") and apply document banners/headers/footers indicating handling restrictions. For physical items and removable media, apply durable labels that include: "CUI", handling instructions (e.g., "Encrypt / Authorized Signatory Only"), originator, date, and an asset ID/serial number. Example for a small business: a subcontractor sending design drawings on a USB creates a manifest line — AssetID: USB-024, Owner: EngTeam, Description: CUI-Designs, Encrypted: Yes, Sent to: PrimeCO, TrackingID: TRK-12345.
Label formats and automation
Automate labeling where possible. Use DLP or document management tools to apply digital metadata and watermarks when documents are marked CUI. For removable devices, use pre-printed tamper-evident labels or QR-coded asset tags linked to your asset inventory. Keep a sample label template in your SOPs so staff know exactly how to mark CUI consistently under your Compliance Framework.
Step 2 — Encrypt media with approved cryptography
Encryption is non-negotiable. Use FIPS 140-2/140-3 validated cryptographic modules and NIST-recommended algorithms (AES-256) for file, container, and full-disk encryption. Practical options for small businesses: BitLocker (Windows) with TPM + PIN or BitLocker To Go for removable media, FileVault 2 for macOS, LUKS/dm-crypt for Linux, or verified hardware-encrypted USB drives. For file-level transfer, use GPG (public-key) or an approved secure transfer service that supports TLS 1.2+/TLS 1.3 and encryption at rest in a FedRAMP Moderate environment when hosting CUI in the cloud.
Technical examples
Example commands and configurations you can adopt immediately:
Encrypt a file for a recipient using GPG: gpg --encrypt --recipient recipient@example.com file.pdf (writes file.pdf.gpg, readable only with the recipient's private key).
Create an AES-256 encrypted archive with 7-Zip, with header encryption so filenames are hidden as well: 7z a -t7z -mhe=on -pStrongPass archive.7z file.pdf (StrongPass is a placeholder; a passphrase typed on the command line lands in shell history and process listings, so omit the value after -p to be prompted for it instead).
Enable BitLocker with TPM + PIN (Windows Server/Win10+) via Group Policy and manage recovery keys in Active Directory or Azure AD.
For SFTP: require SFTP-only access, disable password authentication in favor of key-based authentication, and restrict incoming IPs in your firewall.
Step 3 — Track media and maintain chain-of-custody
Tracking requires inventory, handoff logs, and verifiable handshakes. Maintain an asset inventory with unique IDs for each media item and a chain-of-custody log that records every transfer event: who, when, where, why, and the transport method. Use barcodes or QR codes on physical media and scan them during each handoff. For digital transfers use automated logging: SFTP/HTTPS servers should retain secure transfer logs with hashes and timestamps so you can prove the exact file and its checksum left your environment. For shipments, use courier services with signature proof, GPS tracking, and tamper-evident packaging.
Small business scenario
Scenario: A 20-person engineering firm must send CUI drawings to a prime contractor. Implementation: (1) apply the CUI marking and filename convention; (2) create a password-protected, AES-256-encrypted archive with company-approved key management; (3) upload it to a FedRAMP Moderate secure file portal with link expiration and IP restrictions; (4) record the transfer in the asset inventory and log the recipient's acceptance; (5) require the recipient to confirm the file checksum over a separate channel (phone/email) to complete the chain-of-custody.
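As an added example (not part of the original post) of the Step 1 manifest line, the who/when/where/why custody log from Step 3 and the Step 5 checksum confirmation, the following Python uses only the standard library. The signing key, field names and archive bytes are assumptions or constructed stand-ins, and the HMAC-signed manifest is a stand-in for whatever signed-manifest mechanism your own tooling provides.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
# Hypothetical signing key for manifests; in production fetch it from your KMS/HSM.
MANIFEST_KEY = b"example-key-placeholder-use-your-kms"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(asset_id, owner, description, sent_to, tracking_id, payload, encrypted=True):
    """Manifest line with the post's fields plus the SHA-256 of the encrypted archive."""
    return {"AssetID": asset_id, "Owner": owner, "Description": description,
            "Encrypted": encrypted, "SentTo": sent_to, "TrackingID": tracking_id,
            "SHA256": sha256_hex(payload), "Custody": []}

def record_handoff(manifest, who, where, method, why, when=None):
    """Append one chain-of-custody event: who, when, where, why and transport method."""
    when = when or datetime.now(timezone.utc)
    manifest["Custody"].append({"who": who, "when": when.isoformat(),
                                "where": where, "method": method, "why": why})
    return manifest

def sign_manifest(manifest):
    """HMAC-SHA256 over canonical JSON, so any later edit to the manifest is detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANIFEST_KEY, canonical, hashlib.sha256).hexdigest()

def verify_manifest(manifest, signature):
    return hmac.compare_digest(sign_manifest(manifest), signature)

def recipient_confirms(manifest, received_payload, checksum_from_call):
    """Step 5: the hash of what arrived must match both the manifest and the
    checksum read out over the separate channel (phone/email)."""
    return sha256_hex(received_payload) == checksum_from_call == manifest["SHA256"]

def demo():
    archive = b"constructed stand-in for the AES-256 encrypted drawings archive"
    m = build_manifest("USB-024", "EngTeam", "CUI-Designs", "PrimeCO", "TRK-12345", archive)
    record_handoff(m, "j.doe (EngTeam)", "HQ", "secure portal upload", "contract deliverable")
    record_handoff(m, "PrimeCO intake", "PrimeCO portal", "portal download", "receipt")
    sig = sign_manifest(m)
    accepted = recipient_confirms(m, archive, m["SHA256"])          # checksum matches
    tampered = recipient_confirms(m, archive + b"x", m["SHA256"])   # altered bytes rejected
    intact = verify_manifest(m, sig)
    m["Custody"][1]["who"] = "unknown"   # after-the-fact edit of the log breaks the signature
    return accepted, tampered, intact, verify_manifest(m, sig)

if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```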
Operational controls, SOPs, and verification
Put these controls into policy and operationalize them: define who is authorized to prepare, label, and send CUI; create SOPs for each transport method (email, courier, removable media, cloud share); enforce technical controls (DLP, CASB, MDM for mobile devices) to prevent accidental leaks; and require staff training and signed acknowledgements. Monitor and audit transfer logs regularly, keep proof-of-encryption artifacts (checksums, signed manifests), and schedule periodic reenactment drills so staff can execute the chain-of-custody under audit.
Compliance tips and best practices
Keep these practical tips: centralize key management (use KMS/HSM or cloud KMS with strict IAM policies), rotate keys on a schedule and document your key lifecycle; retain transfer logs for the period required by contracts/auditors; prefer transport modes with enforced encryption (SFTP, secure portals) over ad-hoc email attachments; maintain a recovery plan for lost media including remote wipe options or immediate revocation of keys; include proof points in your Compliance Framework evidence collection (policy, SOPs, logs, screenshots, manifest copies, training records) to simplify assessments for NIST SP 800-171 / CMMC 2.0 Level 2.
In summary, meeting MP.L2-3.8.5 is a combination of clear labeling, vetted encryption, robust tracking, and repeatable procedures—small businesses can achieve compliance without heavy lift by applying approved cryptography (AES-256/FIPS modules), automating labels and logs where possible, using secure transfer services, and documenting chain-of-custody steps in SOPs and training; failing to implement these controls risks data loss, contract penalties, and failed compliance audits.