NIST 800-171 • LEVEL 2 • MEDIA PROTECTION

3.8.6 Implement Cryptographic Mechanisms to Protect the Confidentiality of CUI Stored on Digital Media During Transport

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

This is the encryption-specific requirement for CUI on digital media during transport. If you are moving a USB drive, external hard drive, or laptop with CUI outside your controlled area, the data needs to be encrypted.

Example 1: Enable BitLocker To Go on all USB drives used to transport CUI. You can enforce this via Group Policy at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives: set "Deny write access to removable drives not protected by BitLocker." This forces encryption before any data can be written to the drive.
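A way to verify that the enforcement described in Example 1 is actually in place on a given workstation, as an added PowerShell example that is not part of the original page. It assumes the BitLocker module is available (Windows 10/11 Pro or Enterprise, run elevated) and that the Group Policy setting above is applied through the registry value RDVDenyWriteAccess under HKLM\SOFTWARE\Policies\Microsoft\FVE; the function names are this example's own.

```powershell
# Added example, not from the page: audit BitLocker To Go enforcement on a Windows host.
# Assumption: the GPO "Deny write access to removable drives not protected by BitLocker"
# is materialised as DWORD RDVDenyWriteAccess = 1 under the FVE policy key.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-RemovableDriveWriteDenyPolicy {
    # True when the policy is applied on this machine, false when it is absent or disabled.
    $p = Get-ItemProperty -Path $FvePolicyKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    return [bool]($p -and $p.RDVDenyWriteAccess -eq 1)
}

function Get-RemovableDriveProtectionReport {
    # One record per mounted removable volume: is BitLocker protection actually on?
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                MountPoint       = $mount
                Label            = $_.FileSystemLabel
                ProtectionStatus = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Unknown' }
                EncryptionMethod = if ($bl) { "$($bl.EncryptionMethod)" } else { 'None' }
                # Protection must be On; an encrypted-but-suspended volume is not protected.
                Protected        = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
            }
        }
}

function Get-MediaTransportComplianceSummary {
    # Combined view a practitioner can drop into an evidence folder for 3.8.6.
    $drives = @(Get-RemovableDriveProtectionReport)
    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        WriteDenyPolicyApplied = Test-RemovableDriveWriteDenyPolicy
        RemovableDrivesSeen  = $drives.Count
        UnprotectedDrives    = @($drives | Where-Object { -not $_.Protected }).MountPoint
        Drives               = $drives
    }
}

# Usage: run elevated on the workstation; export the summary as evidence.
$summary = Get-MediaTransportComplianceSummary
$summary | Format-List
$summary.Drives | Format-Table -AutoSize
```

Checking the registry value confirms the policy reached the endpoint, while the per-volume report catches the case the policy does not cover by itself: a drive that was encrypted elsewhere but whose protection is currently suspended still reads as Protected = False.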

Example 2: For file-level encryption during transport, use 7-Zip with AES-256 encryption to create encrypted archives of CUI files before copying them to removable media. Transmit the decryption password through a separate channel (e.g., phone call or separate email). This provides a FIPS-validated encryption layer on top of the transport.
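The archive step from Example 2, scripted and verified end to end, as an added PowerShell example that is not part of the original page. It assumes 7-Zip is installed at its default location and calls the 7z.exe command line (the `a`, `t`, `-t7z`, `-mhe=on` and `-p` options are 7-Zip's own); the function name and the source and destination paths in the usage are this example's own placeholders.

```powershell
# Added example, not from the page: create a 7-Zip archive of CUI files with AES-256 and
# encrypted headers, then prove the archive opens only with the right password before it
# is copied to removable media. Assumption: 7z.exe lives under Program Files\7-Zip.
function New-EncryptedCuiArchive {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$SevenZip = "$env:ProgramFiles\7-Zip\7z.exe"
    )
    if (-not (Test-Path $SevenZip)) { throw "7z.exe not found at $SevenZip" }
    if (-not (Test-Path $SourceDir)) { throw "source directory not found: $SourceDir" }

    # 7z.exe only accepts the password as an argument, so it is briefly visible to
    # local process listings; keep this to an operator-controlled, single-user session.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    # -t7z  : 7z container (AES-256 is the only cipher the 7z format uses)
    # -mhe=on: encrypt file names and metadata too, not just file contents
    & $SevenZip a -t7z -mhe=on "-p$plain" $ArchivePath "$SourceDir\*" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7z add failed with exit code $LASTEXITCODE" }

    # Integrity test with the correct password must pass ...
    & $SevenZip t "-p$plain" $ArchivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "archive failed its integrity test" }

    # ... and the same test with a wrong password must fail; otherwise the -p option was
    # not honoured and the archive is not actually protected.
    & $SevenZip t '-pNOT-THE-REAL-PASSWORD' $ArchivePath | Out-Null
    if ($LASTEXITCODE -eq 0) { throw "archive opened without the password; aborting" }

    $plain = $null
    # SHA-256 of the archive: send it with the media so the recipient can check integrity
    # on arrival (the password itself travels by a separate channel, as the note says).
    Get-FileHash -Path $ArchivePath -Algorithm SHA256
}

# Usage (placeholder paths): E: is the removable drive that will carry the archive.
$pw = Read-Host -Prompt 'Archive password' -AsSecureString
New-EncryptedCuiArchive -SourceDir 'C:\CUI\outbound' -ArchivePath 'E:\cui-transport.7z' -Password $pw
```

The negative test is the part most scripts skip: it is the only cheap way to catch a quoting or option mistake that silently produced an unencrypted archive, and the returned hash gives the receiving party a way to detect tampering or a corrupted copy independent of the password.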