NIST 800-171 • LEVEL 2 • MEDIA PROTECTION

3.8.5 Media Transport

Protect and control system media that contain CUI during transport outside of controlled areas. Maintain accountability of system media that contain CUI during transport outside of controlled areas. Document activities associated with the transport of system media that contain CUI.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • system media that contain CUI are protected during transport outside of controlled areas.
  • system media that contain CUI are controlled during transport outside of controlled areas.
  • activities associated with the transport of system media that contain CUI are documented.
  • accountability for system media that contain CUI is maintained during transport outside of controlled areas.

Practitioner Notes

When CUI media leaves your controlled area — whether you are mailing a backup drive or carrying a laptop to a client site — you need to protect it, track it, and document the transport.

Example 1: Ship removable media containing CUI via a trackable service like FedEx or UPS with signature-required delivery. Use tamper-evident bags or containers, and log the shipment details (tracking number, sender, recipient, date, contents) in a media transport log.

Example 2: When employees travel with laptops containing CUI, require BitLocker full-disk encryption (verify via Control Panel > BitLocker Drive Encryption or manage-bde -status in an admin command prompt). Also require employees to keep the laptop in their physical possession at all times — no leaving it in a car trunk or hotel room unattended.
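A scripted form of the BitLocker check in Example 2, run from an elevated PowerShell session before the laptop leaves the controlled area. This is an added example, not part of the original control text; the log path and the record fields are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-travel BitLocker check for a laptop that carries CUI.
# Reads the same state that "manage-bde -status" prints.
# Assumption: $LogPath is a hypothetical location for the check records.
$LogPath = 'C:\ProgramData\MediaTransport\pretravel-checks.csv'

$results = foreach ($v in Get-BitLockerVolume) {
    # "Fully Encrypted" alone is not enough: while protection is suspended
    # (ProtectionStatus Off) a clear key is written to disk and the data is
    # readable without any protector.
    $ready = ($v.VolumeStatus -eq 'FullyEncrypted') -and
             ($v.ProtectionStatus -eq 'On')
    [pscustomobject]@{
        CheckedAt        = (Get-Date).ToString('s')
        Computer         = $env:COMPUTERNAME
        CheckedBy        = "$env:USERDOMAIN\$env:USERNAME"
        MountPoint       = $v.MountPoint
        VolumeType       = $v.VolumeType
        VolumeStatus     = $v.VolumeStatus
        ProtectionStatus = $v.ProtectionStatus
        EncryptionMethod = $v.EncryptionMethod
        KeyProtectors    = ($v.KeyProtector.KeyProtectorType -join ';')
        ReadyForTravel   = $ready
    }
}

# No volumes reported means the state could not be verified: fail closed.
if (-not $results) {
    Write-Error 'Get-BitLockerVolume returned no volumes; encryption not verified.'
    exit 2
}

# Append to the record so each check is documented alongside the transport log.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$results | Export-Csv -Path $LogPath -Append -NoTypeInformation

$results | Format-Table MountPoint, VolumeStatus, ProtectionStatus, ReadyForTravel

$failed = @($results | Where-Object { -not $_.ReadyForTravel })
if ($failed.Count -gt 0) {
    Write-Warning ("Not ready for travel: " + ($failed.MountPoint -join ', '))
    exit 1
}
Write-Output 'All volumes are fully encrypted with protection on.'
```

The script exits with a non-zero code when any volume is not fully encrypted or has protection suspended, so it can gate a travel checklist or an endpoint-management task.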