CMMC Level 2 Practice 3.8.5: Control access to media containing CUI and maintain accountability for media during transport
CMMC Level 2 Practice 3.8.5 requires you to restrict who can access physical or digital media that contains CUI during transport, and to maintain end-to-end accountability for that media until it reaches the authorized recipient. Operationalize it by approving transport methods, encrypting and tamper-protecting media, using chain-of-custody logs, and retaining transport evidence for assessment. (NIST SP 800-171 Rev. 2)
Key takeaways:
- Treat “transport” as a controlled workflow: request, approve, package, ship, receive, and reconcile.
- Chain-of-custody is the control: you need named custodians, tracking, and receipt confirmation for every CUI media movement.
- Assessors will look for evidence of routine operation, not a one-time policy document. (DoD CMMC Program Guidance)
Media handling is where good security programs fail in small, ordinary ways: a laptop mailed for repair, a USB used for a data transfer, backup drives moved between sites, printed drawings shipped to a third party for machining. CMMC Level 2 Practice 3.8.5 focuses on that reality. It expects you to prevent unauthorized access to media containing CUI while it is in motion, and to prove you maintained accountability the whole time. (NIST SP 800-171 Rev. 2)
For a Compliance Officer, CCO, or GRC lead, the fastest path is to define what “media” means in your environment, narrow and control the approved transport paths, and implement a simple accountability mechanism that is used every time. Your goal is repeatability: the same steps, the same artifacts, the same approvals, and a closed loop that reconciles what left, what arrived, and what is now stored or destroyed.
This page gives requirement-level implementation guidance you can hand to IT, Security, Facilities, and program teams to execute quickly and defend during a CMMC assessment aligned to NIST SP 800-171 Rev. 2. (DoD CMMC Program Guidance)
Regulatory text
Requirement (excerpt / mapping): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.8.5 (Control access to media containing CUI and maintain accountability for media during transport).” (NIST SP 800-171 Rev. 2)
What the operator must do:
You must (1) restrict access to any media containing CUI while it is being transported and (2) keep track of that media from the moment it leaves one authorized custodian until it is received and reconciled by another authorized custodian. The assessment expectation under CMMC is that you can show the control operates in practice, not only on paper. (DoD CMMC Program Guidance)
Plain-English interpretation
If CUI is stored on something that can move, you need a controlled method to move it. “Media” includes removable digital storage (USB drives, external SSDs/HDDs, backup tapes), devices that contain storage (laptops, servers shipped for repair), and physical outputs (printed documents, drawings). If it leaves a controlled space or changes hands, you must prevent casual or unauthorized access and keep a record that answers: what moved, who had it, where it went, when it arrived, and what happened next. (NIST SP 800-171 Rev. 2)
Who it applies to
Entities: Organizations seeking or maintaining CMMC Level 2 that handle CUI for DoD programs, including defense contractors and other federal contractors with CUI in scope. (32 CFR Part 170)
Operational contexts where 3.8.5 shows up:
- Shipping laptops/desktops to remote staff or between facilities.
- Sending storage devices to a third party such as an incident response team, eDiscovery provider, or managed service provider.
- Moving backups offsite (courier pickup, secure storage vendor).
- Mailing printed CUI (engineering packages, test results) to a program partner.
- Hand-carry transfers between secure areas.
What you actually need to do (step-by-step)
1) Define “CUI media in transport” for your scope
Create a one-page scoping note that lists:
- Media types in scope (removable storage, endpoints, paper).
- Transport paths in scope (mail/courier, hand-carry, interoffice, third-party shipments).
- Systems/areas involved (CUI enclave, program rooms, print areas, receiving dock).
This prevents a common failure mode: teams secure USB drives but forget shipped laptops or printed CUI. (NIST SP 800-171 Rev. 2)
2) Establish approved transport methods (and prohibit everything else)
Write a short standard that answers:
- Who can authorize transport (role-based, not person-based).
- Approved carriers/methods (tracked shipment, signature required, or hand-carry rules).
- When transport is allowed (business need, program approval, minimum necessary data).
- Prohibited behaviors (personal mail, untracked shipping, personal cloud “instead of shipping”).
Tie the standard to your access control and incident response processes so exceptions become visible. (NIST SP 800-171 Rev. 2)
3) Implement packaging and protection controls by media type
Use a simple decision matrix your teams can follow.
Digital removable media (USB/external drives):
- Require encryption before transport (document the approved encryption approach).
- Use tamper-evident packaging and a unique media ID label.
- Ship separately from any passwords/keys (separate channel for credentials). (NIST SP 800-171 Rev. 2)
Devices shipped for use or repair (laptops, servers):
- Ensure full-disk encryption is enabled and verified before shipment.
- Remove CUI when feasible; otherwise document why it is required.
- Use asset tags and shipment tracking tied to your inventory record. (NIST SP 800-171 Rev. 2)
Paper media:
- Mark CUI appropriately per your CUI handling rules.
- Use sealed envelopes/containers, tracked shipment, and signature on delivery.
- Restrict printing to controlled printers; avoid open-area output bins for CUI packages. (NIST SP 800-171 Rev. 2)
4) Create a chain-of-custody workflow that closes the loop
Your workflow must capture accountability end-to-end. Minimum fields:
- Media ID (asset tag or unique shipment ID).
- CUI indicator (yes/no) and handling category if you use them.
- Sender custodian (name/role) and approver (name/role).
- Date/time released, carrier/tracking number, destination custodian.
- Date/time received and condition (intact/tampered/damaged).
- Post-receipt action (stored, copied to system, sanitized, returned, destroyed). (NIST SP 800-171 Rev. 2)
Practical note: assessors will ask you to “walk one through” from request to receipt. If your process ends at “we shipped it,” you have not met accountability. (DoD CMMC Program Guidance)
5) Control access during “staging” and “receiving” (the overlooked gap)
Transport begins before the package leaves and ends after it is opened and reconciled.
- Staging: limit who can prepare packages; lock staging areas; prevent after-hours access.
- Receiving: route CUI shipments to trained staff; log receipt immediately; store securely until handed to the authorized custodian.
- Exception handling: define what to do when tracking shows a delay or a “delivered” status without internal receipt. (NIST SP 800-171 Rev. 2)
6) Train the roles that actually touch shipments
Train shipping/receiving, IT asset management, Facilities, and program admins, not only security staff. Provide:
- A “can I ship this?” checklist.
- A one-page chain-of-custody form (or system workflow).
- An escalation path for suspected tampering or loss. (DoD CMMC Program Guidance)
7) Operationalize recurring evidence capture (assessment readiness)
Build a repeatable habit:
- Capture chain-of-custody records automatically or in a controlled repository.
- Reconcile shipments against inventory (media IDs, device assets).
- Review exceptions and document corrective actions.
Daydream can help by mapping CMMC Level 2 Practice 3.8.5 to a documented control, assigning control owners, and scheduling recurring evidence capture so “proof of operation” exists when assessors ask. (DoD CMMC Program Guidance)
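As an added example (not code from the original page or from any product it mentions), the following Python script reconciles chain-of-custody records against the minimum fields in step 4, the receiving exceptions in step 5, and the inventory reconciliation in step 7. The record layout, media IDs, custodian names, and the carrier status feed are constructed assumptions.

```python
from datetime import datetime, timedelta

# Minimum chain-of-custody fields from step 4; a record missing any of them is incomplete.
REQUIRED = ("media_id", "cui", "sender", "approver", "released", "tracking", "dest_custodian")

# Constructed sample records (not real shipments). Dates are ISO-8601 local timestamps.
RECORDS = [
    {"media_id": "USB-0142", "cui": True, "sender": "J. Ortiz/IT", "approver": "M. Lee/ISSM",
     "released": "2024-09-02T09:15", "tracking": "TRK-1001", "dest_custodian": "R. Kim/Lab",
     "received": "2024-09-04T11:02", "condition": "intact", "post_action": "copied to system"},
    {"media_id": "LT-0077", "cui": True, "sender": "J. Ortiz/IT", "approver": "M. Lee/ISSM",
     "released": "2024-09-03T14:00", "tracking": "TRK-1002", "dest_custodian": "Repair depot"},
    {"media_id": "PKG-0009", "cui": True, "sender": "A. Shah/Program", "approver": "",
     "released": "2024-08-20T08:30", "tracking": "TRK-1003", "dest_custodian": "Partner QA",
     "received": "2024-08-22T10:10", "condition": "tampered"},
]
INVENTORY = {"USB-0142", "LT-0077"}  # constructed asset register; PKG-0009 was never registered
CARRIER = {"TRK-1001": "delivered", "TRK-1002": "delivered", "TRK-1003": "delivered"}  # constructed feed

def reconcile(records, inventory, carrier, now, max_transit_days=5):
    """Return (media_id, finding) pairs for every break in the custody loop."""
    findings = []
    for r in records:
        mid = r.get("media_id", "<no id>")
        missing = [f for f in REQUIRED if not r.get(f)]
        if missing:  # step 4: required custody fields absent or blank
            findings.append((mid, "missing_fields:" + ",".join(missing)))
        if mid not in inventory:  # step 7: shipment does not tie back to an asset record
            findings.append((mid, "not_in_inventory"))
        received, released = r.get("received"), r.get("released")
        if carrier.get(r.get("tracking")) == "delivered" and not received:
            findings.append((mid, "delivered_without_internal_receipt"))  # step 5 exception
        if not received and released and \
                now - datetime.fromisoformat(released) > timedelta(days=max_transit_days):
            findings.append((mid, "overdue_in_transit"))
        if r.get("condition") in ("tampered", "damaged"):
            findings.append((mid, "tamper_or_damage_reported"))
        if received and not r.get("post_action"):  # loop not closed after receipt
            findings.append((mid, "no_post_receipt_action"))
    return findings

def sample_findings():
    """Run the reconciliation over the constructed records as of a fixed review date."""
    return reconcile(RECORDS, INVENTORY, CARRIER, datetime(2024, 9, 10))

if __name__ == "__main__":
    for mid, finding in sample_findings():
        print(f"{mid}: {finding}")
```

Each finding maps to an exception ticket in your workflow; a clean run over a sampled set of shipments is the reconciliation evidence described under operational artifacts.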
Required evidence and artifacts to retain
Keep evidence that shows both control design (your rules) and control operation (real shipments).
Design artifacts
- Media Transport & Accountability SOP (approved, versioned).
- Approved transport methods list (carriers, signature requirements, hand-carry rules).
- Encryption standard for portable media/devices that may contain CUI. (NIST SP 800-171 Rev. 2)
Operational artifacts
- Chain-of-custody logs for representative shipments (digital and paper).
- Shipping records: tracking numbers, delivery confirmation, signature records where applicable.
- Inventory/asset records tying the media/device ID to the shipment event.
- Exception tickets: lost/delayed shipments, tamper evidence, corrective actions and closure notes.
- Training completion records for shipping/receiving and IT asset staff. (DoD CMMC Program Guidance)
Common exam/audit questions and hangups
Assessors commonly test whether your story is consistent across teams and evidence. Expect questions like:
- “Show me how you know who had this USB drive from creation to receipt.”
- “How do you prevent unauthorized access while this laptop is being shipped?”
- “Where is the record that the destination custodian received it and verified condition?”
- “What happens if the carrier shows ‘delivered’ but the custodian didn’t get it?”
- “Do you ever move CUI on paper, and how do you control that?” (NIST SP 800-171 Rev. 2)
Hangup to plan for: shipping/receiving often sits outside IT/security. If they do not follow your process, you will have a control gap even with strong technical controls. (DoD CMMC Program Guidance)
Frequent implementation mistakes and how to avoid them
| Mistake | Why it fails 3.8.5 | How to fix it |
|---|---|---|
| Policy says “use tracked shipping” but no chain-of-custody record exists | Accountability is not provable | Require a transport request + receipt confirmation record tied to tracking |
| Focusing only on USB drives | Media includes devices and paper | Expand scope statement; add device and paper workflows |
| Assuming encryption alone satisfies transport accountability | Encryption reduces exposure, but doesn’t prove custody | Pair encryption with custody logs and reconciliations |
| No defined exception process for delays/loss | Accountability breaks when things go wrong | Create an escalation runbook and ticketing requirement |
| Receiving dock signs for packages without identifying authorized custodian | You lose the custody trail | Require internal transfer log from receiving to custodian |
Enforcement context and risk implications
No public enforcement cases specific to this practice were provided in the source catalog for this page. Your practical risk is still clear: lost or tampered media is a common path to CUI compromise, and weak evidence trails create assessment findings because you cannot demonstrate accountability. Under the CMMC program framework, you should plan for assessors to expect implemented, repeatable practices aligned to NIST SP 800-171 Rev. 2. (32 CFR Part 170) (DoD CMMC Program Guidance)
A practical 30/60/90-day execution plan
Day 1–30: Stabilize and stop uncontrolled transport
- Publish an interim rule: no CUI media transport without approval and tracking.
- Inventory current transport paths (IT shipping, program admin shipments, backups, repairs).
- Stand up a chain-of-custody template and require it for every new shipment.
- Confirm encryption is enabled for portable devices that may be shipped; document the verification method. (NIST SP 800-171 Rev. 2)
Day 31–60: Standardize and integrate
- Finalize the SOP and approved methods list; align with asset management and access control.
- Implement receiving controls: trained receivers, locked storage, immediate logging.
- Add exception workflow in your ticketing system for loss, tamper suspicion, or failed delivery confirmation.
- Run tabletop drills with shipping/receiving and IT for one “lost package” scenario. (DoD CMMC Program Guidance)
Day 61–90: Prove operation and readiness
- Sample completed custody records across media types; correct missing fields and retrain.
- Reconcile a set of shipments against inventory/asset records; document the reconciliation.
- Prepare an assessor packet: SOP, training records, sample custody logs, exception tickets, and screenshots of encryption verification evidence.
- Use Daydream to map 3.8.5 to control owners and automate evidence reminders so the control stays “always on,” not “audit-time only.” (DoD CMMC Program Guidance)
Frequently Asked Questions
Does 3.8.5 apply if we “never use USB drives”?
Yes if you transport other media that can contain CUI, including laptops shipped to staff, servers sent for repair, or printed CUI mailed to partners. Define media broadly and then restrict allowed paths. (NIST SP 800-171 Rev. 2)
Is encryption required for transported media?
3.8.5 requires controlled access and accountability during transport; encryption is a common way to control access for digital media. If you choose a non-encryption approach for a specific use case, document how it prevents unauthorized access and how you maintain custody. (NIST SP 800-171 Rev. 2)
What does “accountability” mean in practice?
You need a record that shows custody from sender to recipient, including who released it, shipment tracking, who received it, and condition upon receipt. “We have a tracking number” usually is not enough without internal custody acknowledgment. (NIST SP 800-171 Rev. 2)
Do we need signature-on-delivery for every CUI shipment?
The requirement does not prescribe a specific carrier feature, but you must control access and maintain accountability. Many teams use tracked shipping with signature for higher-risk transfers and documented alternatives for lower-risk scenarios, backed by custody logs. (NIST SP 800-171 Rev. 2)
How do we handle third parties that receive CUI media (repair depots, labs, MSPs)?
Treat the third party as part of the custody chain: pre-approve the recipient, document the business need, and require receipt confirmation and handling expectations. Keep the custody record and any third-party confirmation as evidence. (NIST SP 800-171 Rev. 2)
What evidence will a CMMC assessor ask for first?
Expect requests for your written SOP plus a small set of real examples showing the process end-to-end, including receipt confirmation and exceptions. Prepare a few representative shipments across different media types. (DoD CMMC Program Guidance)