03.08.05: Media Transport
NIST SP 800-171 Rev. 3 requirement 03.08.05 (Media Transport) expects you to control how physical and digital media containing CUI is transported so it is protected from loss, theft, tampering, and unauthorized access. Operationalize it by defining approved transport methods, encrypting and tracking media, restricting who can move it, and keeping auditable records end-to-end. [1]
Key takeaways:
- Treat “transport” as a controlled chain of custody for any media that can store CUI, including portable drives and paper.
- Build a small set of approved transport pathways (encrypted, tracked, authorized) and block everything else by policy and technical controls.
- Auditors look for proof: logs, shipping/chain-of-custody records, approvals, and evidence that exceptions are rare and governed. [2]
“Media transport” sounds narrow until you map it to how CUI actually moves: laptops taken offsite, backup drives sent to a secure storage facility, prototypes shipped to a test lab, paper documents carried to a program meeting, or removable media used for system maintenance. 03.08.05 forces you to decide which of those movements are allowed, under what conditions, and how you prove the media remained protected from origin to destination. [1]
For most federal contractors and other nonfederal organizations handling CUI, the fastest path is to treat media transport like a repeatable workflow with standard packaging, encryption requirements, approved couriers, and custody records. Then align it to your System Security Plan (SSP) and track any gaps in a POA&M so an assessor can see you have a defined boundary, accountable owners, and operating evidence. [1]
This page gives requirement-level implementation guidance you can apply immediately: scope what counts as “media,” set the rule set for transport, implement practical controls (technical and procedural), and retain the artifacts assessors ask for. [2]
Regulatory text
Requirement: “NIST SP 800-171 Rev. 3 requirement 03.08.05 (Media Transport).” [1]
Operator meaning: You must protect media containing CUI during transport. That means you define and enforce how media can be moved between people, facilities, systems, and third parties so that confidentiality is maintained and the organization can reconstruct what happened if media is lost or suspected of compromise. [1]
Plain-English interpretation (what the requirement is really asking)
If media contains CUI (or can reasonably be expected to contain CUI), you need controls that answer five questions every time it moves:
- Who is authorized to move it?
- What exactly is being moved (identifier, classification, content type)?
- How is it protected in transit (encryption, tamper evidence, secure courier)?
- Where is it going, and who receives it?
- What evidence proves the transfer was controlled and completed?
Treat this as “chain-of-custody for CUI media.” If you cannot show chain-of-custody, the control will be assessed as weak even if your policy statement reads well. [2]
Scope: who it applies to and when
Entity scope
Applies to federal contractors and any nonfederal organization handling CUI in systems subject to NIST SP 800-171 Rev. 3 requirements. [1]
Operational scope (what “media” and “transport” cover in practice)
Include, at minimum, these media categories when they contain CUI:
- Removable storage (USB drives, external SSD/HDD, memory cards)
- Mobile endpoints that store data locally (laptops, tablets, rugged devices)
- Backup media (tape, removable backup drives)
- Paper media (printed CUI, engineering drawings)
- Output devices and artifacts (CD/DVD, removable diagnostic media, firmware images)
“Transport” includes any movement:
- Between facilities (HQ to plant; plant to lab)
- To or from a third party (repair depot, destruction vendor, test lab)
- Offsite by staff (travel, remote work)
- Via shipping, courier, mail, or hand-carry
A clean scoping statement in your SSP reduces audit friction: define which systems/processes handle CUI media, where media originates, and which teams are responsible. [1]
What you actually need to do (step-by-step)
Step 1 — Assign ownership and write the SSP control statement
- Name a control owner (often IT/security for encryption + Facilities/Program Ops for shipping workflows).
- In the SSP, document:
  - Media types in scope
  - Approved transport methods
  - Required protections (encryption/tamper controls)
  - Recordkeeping and review cadence
- Cross-reference related procedures (media protection, labeling, incident response) so the assessor can follow the thread. [1]
Practical tip: In Daydream, model this as a single control objective with linked “evidence tasks” so transport artifacts don’t get scattered across inboxes and shipping tools.
Step 2 — Define “approved transport pathways” (keep the list short)
Create a transport matrix and publish it as a procedure:
| Scenario | Allowed? | Minimum safeguards | Evidence required |
|---|---|---|---|
| Hand-carry encrypted removable drive between controlled sites | Yes | Strong encryption; authorized courier; destination confirmation | Checkout log; authorization; receipt acknowledgement |
| Ship encrypted drive to third-party lab | Conditional | Encryption; tamper-evident packaging; tracked shipping; named recipient | Shipment record; tracking; chain-of-custody form; third-party acceptance |
| Email files instead of shipping media | Depends (out of scope for “media,” but often used) | Use approved secure transfer method | Transfer logs; approvals |
| Ship unencrypted removable media | No | Prohibited | Exception record if ever allowed |
This “pathways” approach is how you turn a vague requirement into decisions operators can follow. [1]
Step 3 — Implement technical controls for portable media
Focus on controls that withstand examiner scrutiny:
- Encrypt removable media used to store/transport CUI. If you allow removable media at all, encryption is the default expectation for confidentiality protection. [1]
- Restrict use of removable media to approved roles and managed endpoints (device control/EDR policies where possible).
- Disable autorun and enforce malware scanning on insertion, especially for media that crosses facility boundaries.
Even if your transport workflow is strong, unencrypted media that is lost in transit is a predictable audit failure and creates a reportable incident scenario for many programs.
Step 4 — Implement procedural controls for physical transport (chain of custody)
Build a standard workflow for any physical movement of CUI media:
- Pre-authorization: requestor states business need, media type, destination, recipient, and date needed.
- Media identification: assign a unique identifier (asset tag or shipment ID) to the item or package.
- Packaging standard: tamper-evident seal for small media; double-envelope for paper; label the package to avoid revealing sensitivity.
- Courier/shipping rules: approved carriers only; tracking required; signature required for receipt; no drop boxes.
- Receipt and verification: recipient confirms identity, intact seal, and receipt; record timestamp and method.
- Exception handling: if tracking shows delay, loss, or tamper evidence, trigger incident intake and containment steps.
Where teams get stuck: they do steps 1–3 (authorization, identification, packaging) and forget steps 5–6 (receipt verification and exception handling). Assessors will ask how you know the package arrived intact. [2]
Step 5 — Control third parties involved in transport or receipt
If a third party touches transport (courier, storage vendor, repair center, lab):
- Contractually require protection of CUI media in transit and on receipt.
- Require notification timelines for loss/tamper events.
- Confirm the third party can support your evidence needs (proof of delivery, chain-of-custody logs).
If you run third-party due diligence in Daydream, tie the third party record to this specific requirement so you can show assessors that “media transport risk” is addressed in the relationship, not only in internal IT policies.
Step 6 — Evidence collection and recurring oversight
Define measurable criteria and collect recurring evidence so you can prove operation over time. [1]
Minimum oversight practices:
- Periodic review of a sample of transport events for completeness (authorization, tracking, receipt).
- Review of exceptions, lost shipments, and corrective actions.
- POA&M entries for gaps, with closure validation before you mark them complete. [1]
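As an added example (not code from the page, NIST, or Daydream), the following script implements the Step 4 chain-of-custody checks and the Step 6 completeness review as one pass over transport records exported from a ticketing system; the record field names, carrier names, and sample events are constructed assumptions, not a real export format.

```python
# Added example (not code from the page, NIST or Daydream): a chain-of-custody completeness
# check that implements the Step 4 workflow and the Step 6 sampling review over transport
# records exported from a ticketing system. Field names and carrier names are constructed.
APPROVED_CARRIERS = {"CarrierA", "CarrierB"}
TRACKING_EXCEPTIONS = {"delayed", "lost", "damaged", "tamper evidence"}

def review_event(ev: dict) -> list[str]:
    """Return the custody gaps for one transport event (empty list means complete)."""
    gaps = []
    if not ev.get("approved_by"):                       # pre-authorization
        gaps.append("no pre-authorization on record")
    if not ev.get("media_id"):                          # media identification
        gaps.append("no media identifier or shipment ID")
    if ev.get("media_type") != "paper" and not ev.get("encrypted"):
        gaps.append("digital media left unencrypted")   # Step 3 default expectation
    applied = ev.get("seal_applied")                    # packaging standard
    if not applied or ev.get("seal_verified") != applied:
        gaps.append("tamper-evident seal missing or seal number differs at receipt")
    if ev.get("method") == "ship":                      # courier/shipping rules
        if ev.get("carrier") not in APPROVED_CARRIERS:
            gaps.append("carrier not on approved list")
        if not ev.get("tracking_no"):
            gaps.append("no tracking number")
        if not ev.get("signature_required"):
            gaps.append("delivery signature not required")
    received = ev.get("received_by")                    # receipt and verification
    if not received:
        gaps.append("no receipt acknowledgement")
    elif received != ev.get("recipient"):
        gaps.append("received by someone other than the named recipient")
    status = ev.get("tracking_status", "delivered")     # exception handling
    if status in TRACKING_EXCEPTIONS and not ev.get("incident_id"):
        gaps.append(f"tracking shows '{status}' but no incident record")
    return gaps

def review_sample(events: list[dict]) -> dict[str, list[str]]:
    """Ticket ID -> gaps, for every incomplete event in a sampled batch."""
    return {ev["ticket"]: g for ev in events if (g := review_event(ev))}
# Constructed sample export: T-1 is complete; T-2 and T-3 show the gaps an assessor would find.
COMPLETE = {"ticket": "T-1", "approved_by": "pgm-mgr", "media_id": "USB-0042", "media_type": "usb",
            "encrypted": True, "method": "ship", "carrier": "CarrierA", "tracking_no": "TRK-001",
            "signature_required": True, "seal_applied": "S-100", "seal_verified": "S-100",
            "recipient": "lab-receiving", "received_by": "lab-receiving"}
SAMPLE_EVENTS = [
    COMPLETE,
    {**COMPLETE, "ticket": "T-2", "seal_verified": "S-109", "received_by": None,
     "tracking_status": "lost"},                         # seal mismatch, no receipt, lost shipment
    {**COMPLETE, "ticket": "T-3", "approved_by": None, "carrier": "LocalCourier"},  # bypassed ticket
]
```

Running `review_sample(SAMPLE_EVENTS)` returns only the incomplete tickets with their gaps, which is the list a periodic oversight review would hand to the control owner.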
Required evidence and artifacts to retain
Auditors and assessors typically want artifacts in four buckets:
- Policy + procedure
  - Media transport standard operating procedure
  - Approved transport pathways matrix
  - Roles/responsibilities and authorization rules [1]
- Operational records (chain of custody)
  - Transport request/approval tickets
  - Shipment tracking numbers and proof of delivery
  - Signed receipt acknowledgements or receiving logs
  - Tamper-evident seal logs (seal number, applied by, verified by)
- Technical evidence
  - Configuration evidence for encryption controls on removable media
  - Endpoint/device control policy screenshots or exports
  - Logs showing removable media events where available [2]
- Governance
Common exam/audit questions and hangups
Expect these questions from assessors using NIST SP 800-171A-style methods:
- “Show me your last few media transport events and the chain-of-custody proof.” [2]
- “How do you ensure portable media is encrypted before it leaves the facility?”
- “Who can approve media transport, and how do you verify the recipient?”
- “What happens if tracking shows a shipment is delayed or missing?”
- “How do you govern third parties that receive or transport CUI media?”
Hangup: teams present a policy but cannot produce real transport records. Fix this by routing all transports through a ticketing workflow and making shipping/receiving evidence a required attachment.
Frequent implementation mistakes (and how to avoid them)
- Treating “media transport” as only USB drives
  - Fix: include paper, laptops with local CUI, backup media, and prototypes where relevant.
- Allowing “one-off” shipments outside the process
  - Fix: define “no ticket, no transport.” Require after-the-fact incident intake for any bypass.
- Relying on carrier tracking as your only custody evidence
  - Fix: tracking proves location scans, not recipient identity or package integrity. Add receipt verification and tamper-evident controls.
- No linkage to SSP/POA&M
  - Fix: map the workflow and owners in the SSP and track gaps in POA&M until validated closed. [1]
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific case outcomes.
Risk-wise, media transport failures are high-impact because they create a simple loss/theft pathway for CUI. The operational goal is to make “lost in transit” both rare and provable: you either demonstrate the media was protected (for example, encrypted) or you demonstrate full custody controls that narrow exposure and support incident response decision-making. [1]
Practical execution plan (30/60/90-day)
First 30 days (stabilize and define)
- Draft/refresh the media transport procedure and approved pathways matrix. [1]
- Identify in-scope media types and transport scenarios; document in SSP control statement with owners. [1]
- Stand up a single request-and-approval workflow (ticketing) for any transport of CUI media.
- Identify third parties involved in transport/receipt and list contract gaps for POA&M entry. [1]
Days 31–60 (implement controls and start producing evidence)
- Enforce encryption and device control rules for removable media on managed endpoints.
- Roll out packaging, sealing, and receipt verification steps to shipping/receiving and program teams.
- Begin retaining transport artifacts in a central evidence repository (Daydream or your GRC system) by transport event.
Days 61–90 (prove operation and tighten exceptions)
- Run an internal mini-assessment using NIST SP 800-171A-style questions; sample completed transport events for completeness. [2]
- Close POA&M items that are ready; validate closure with evidence and owner sign-off. [1]
- Add recurring oversight: periodic sampling, exception trend review, and third-party performance checks.
Frequently Asked Questions
Does 03.08.05 apply if we “never use USB drives”?
Often yes. Media includes paper, laptops with local storage, backup media, and any removable storage used by IT or engineering. Document your scoping decision in the SSP and keep evidence that the prohibited paths are actually blocked. [1]
Is shipping via FedEx/UPS allowed?
The requirement does not name carriers, but assessors will expect an “approved carrier + tracking + receipt verification” standard for CUI media. Define approved carriers and required shipping options in your procedure and retain proof of delivery. [1]
What evidence is most persuasive in an assessment?
A complete chain-of-custody packet for multiple real transports: approval, media identifier, shipment tracking, recipient receipt confirmation, and any exception handling. Pair that with encryption configuration evidence for the media/endpoints. [2]
How should we handle emergency transport (e.g., system outage requiring a drive)?
Predefine an emergency pathway with who can authorize it, what minimum protections apply, and what after-action documentation is required. If an emergency bypass happens, treat it as an exception and review it for corrective actions. [1]
Do we need a POA&M item if we have a policy but the process isn’t consistent yet?
Yes. If operation is inconsistent, document the gap, assign an owner, and track remediation to validated closure. Assessors care about operating effectiveness, not only written intent. [1]
How does this tie into third-party risk management?
Any third party that transports, stores, repairs, or receives media containing CUI introduces a custody and incident-notification dependency. Capture those requirements in contracts, confirm the third party can produce evidence, and track gaps through your TPDD (third-party due diligence) workflow. [1]
Footnotes
[1] NIST SP 800-171 Rev. 3, requirement 03.08.05 (Media Transport).
[2] NIST SP 800-171A (assessment procedures for NIST SP 800-171).