03.08.05: Media Transport

To meet the 03.08.05: media transport requirement, you must control and document how any physical or digital media containing CUI is transported, including authorizing transport, tracking custody, and protecting it from loss, theft, or tampering during movement. Build a repeatable workflow for packaging, encryption, chain-of-custody, and third-party shipping controls aligned to NIST SP 800-171 Rev. 3.

Key takeaways:

  • Treat “transport” as a controlled process with approvals, protection, and custody tracking for CUI media.
  • Standardize packaging, encryption, authorized couriers, and documented chain-of-custody for every movement.
  • Keep evidence that proves the control operates, not just that a policy exists.

Work on the 03.08.05 media transport requirement is rarely about buying a tool. It’s about eliminating “untracked movement” of CUI on laptops, backup drives, removable media, printed binders, and prototype data packages that leave a controlled facility or move between sites. Auditors and customers look for two things: (1) that you have clear rules for when media can move and how it must be protected, and (2) that you can prove you followed those rules for actual shipments and hand-carries.

Operationally, you’re building a small logistics-and-custody program for CUI-bearing media. That means you define what counts as “media,” classify and label it, require authorization before it moves, protect it during transit (encryption, tamper-evident packaging, secure couriers), and record chain-of-custody from release to receipt. It also means you address third parties (couriers, offsite storage, data recovery firms, IT asset disposition providers) as part of the same control boundary.

This page translates NIST SP 800-171 Rev. 3 requirement 03.08.05 into an execution checklist you can hand to IT, Security Operations, Facilities, and anyone who ships or carries media.

Requirement overview (03.08.05)

Control intent: prevent unauthorized disclosure, loss, or tampering of Controlled Unclassified Information (CUI) when it is transported on media.

Working definition of “media transport”: any movement of physical or logical storage that contains CUI, including:

  • Removable digital media (USB, external SSD/HDD, SD cards)
  • Mobile devices and laptops used as “media” because they store CUI
  • Backup tapes and archival drives
  • Printed materials, engineering drawings, reports, labels, and binders
  • Media sent to third parties for repair, recovery, replication, scanning, or disposal

Primary operational outcome: every movement is (a) authorized, (b) protected appropriately, and (c) recorded so you can reconstruct who had custody and when.

Regulatory text

The requirement is identified as “NIST SP 800-171 Rev. 3 requirement 03.08.05 (Media Transport)” [1].

What the operator must do: implement controlled procedures for transporting media that contains CUI. In practice, that means you restrict who can transport it, define approved methods (courier, registered mail, hand-carry), require protection during transit (e.g., encryption for digital media; sealed packaging for physical media), and retain records that show the process was followed [1].

Plain-English interpretation

If CUI leaves a controlled environment on any media, you must be able to answer:

  1. Who approved it to leave?
  2. How was it protected while moving?
  3. Who had custody at each handoff?
  4. When and where was it received, and by whom?
  5. What did you do if it was delayed, lost, or tampered with?

Auditors often treat “transport” as a high-friction edge case. Your goal is to make it boring: a standardized request-and-ship workflow plus evidence.

Who it applies to

Entities: nonfederal organizations handling CUI for the U.S. Government, including federal contractors and subcontractors that store, process, or transmit CUI in nonfederal systems [1].

Operational contexts where 03.08.05 shows up:

  • Engineering teams shipping prototypes or drawings on encrypted drives
  • IT shipping laptops between sites or to remote staff
  • Backup operations moving tapes/drives to offsite storage
  • Records teams mailing printed CUI to authorized recipients
  • Incident response sending media to a forensics or recovery third party
  • Asset disposition sending storage devices to an ITAD third party

What you actually need to do (step-by-step)

1) Define scope: what “media” is in your environment

Create a media inventory category for anything that can store or carry CUI:

  • Digital: removable storage, laptops, mobile devices, backup media
  • Physical: paper records and printed outputs

Operator tip: include “temporary media” (a USB drive someone bought at an office store) explicitly. Controls fail in the exceptions.

2) Establish an authorization workflow for transport

Implement a simple pre-transport approval that answers:

  • What is being transported (media type, identifier/asset tag)
  • Whether it contains CUI, and which program/contract it relates to
  • Source and destination (site, person, third party)
  • Approved method (hand-carry, bonded courier, tracked shipping)
  • Required protections (encryption, sealing, tamper-evident bag)
  • Required notification on receipt

This can be a ticket in your ITSM/GRC system, a form with electronic approval, or a shipping request process owned by Facilities/Security.

3) Standardize protective measures by media type

Build a protection matrix and train staff to follow it.

Example protection matrix (adapt to your risk model):

  • Digital removable media with CUI: encrypt before transport; restrict keys; store separately from the media if feasible; verify encryption status before shipment.
  • Laptops/mobile devices containing CUI: require full-disk encryption; require approved courier/ship method; track asset and shipment.
  • Paper CUI: double-envelope; “to be opened by addressee only”; tamper-evident seal for high sensitivity; tracked delivery; minimize pages.
  • Backup media: encryption plus controlled custody; approved carrier; documented release/receipt; storage vendor due diligence if outsourced.

Tie the matrix to your data classification and media handling standards so it’s enforceable.

4) Implement chain-of-custody tracking

For each transport event, capture:

  • Custodian releasing the media (name, role)
  • Time and location of release
  • Carrier/courier identity and tracking number
  • Recipient identity and receipt acknowledgment
  • Condition on receipt (seal intact, package undamaged)

Chain-of-custody can be a signed form, a shipment log, or an electronic workflow with timestamps. The key is reconstructability.

5) Control third parties involved in transport

If a third party touches CUI media in transit or at rest (courier, offsite storage, ITAD, repair depot), treat it as third-party risk:

  • Confirm contract terms cover CUI handling expectations
  • Require tracked shipments and receipt confirmation
  • Define incident notification requirements for loss/tampering

Keep the arrangement consistent with your broader third-party due diligence process; don’t let shipping become an unmanaged exception.

6) Add exception handling and incident response hooks

Define what to do when:

  • A package is delayed beyond the expected window
  • Tracking shows delivered but not received internally
  • Evidence of tampering exists
  • A hand-carry cannot complete the trip

Your procedure should trigger security review, containment actions, and reporting steps aligned to your incident response process.

7) Train the humans who actually ship things

Target training to:

  • IT support and asset management
  • Facilities/shipping/receiving
  • Program teams who mail deliverables
  • Executives and engineers who hand-carry media during travel

Focus training on the approval workflow, protection matrix, and “no ad-hoc shipping” rule.

8) Prove it operates: recurring evidence collection

Pick a cadence that matches your shipping volume and risk profile, then sample transactions:

  • Verify approvals exist
  • Validate encryption evidence for digital media
  • Confirm receipt acknowledgments
  • Confirm tracking numbers map to shipments
  • Confirm exceptions were handled per procedure

If you use Daydream, this is a good candidate for a mapped control with recurring evidence requests to shipping/IT so you don’t scramble at assessment time.
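The eight steps above describe a workflow, and step 8 asks you to sample transport events and check that the evidence for each one links up. The following is an added example (not from this page, and not Daydream or any product code) of what that sampling review looks like when the transport request, chain-of-custody log, and receipt acknowledgment are pulled into one record per event. It encodes a simplified protection matrix from step 3, checks the authorization and custody fields from steps 2 and 4, and raises the exception triggers from step 6 (overdue transit, carrier says delivered but nobody signed for it, broken seal). All field names, media types, the three-day transit window, and the four sample events are assumptions constructed for the example.

```python
"""Sampling review of CUI media transport events (added example; assumed data model)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Simplified protection matrix (assumed): the protection evidence that must be on
# file for each media type before the event passes review. Adapt to your own matrix.
PROTECTION_MATRIX = {
    "removable": {"encrypted"},
    "laptop": {"encrypted"},
    "backup": {"encrypted"},
    "paper": {"sealed"},
}


@dataclass
class TransportEvent:
    """One transport event, joined from the request ticket, custody log and receipt."""
    request_id: str
    media_type: str
    asset_id: str
    contains_cui: bool
    method: str                    # "courier" or "hand-carry" (assumed values)
    approved_by: Optional[str]     # step 2: pre-transport authorization
    released_by: Optional[str]     # step 4: releasing custodian
    released_at: Optional[datetime]
    tracking_number: Optional[str]
    protections: set               # evidence actually on file, e.g. {"encrypted"}
    carrier_delivered_at: Optional[datetime]
    received_by: Optional[str]
    received_at: Optional[datetime]
    seal_intact: Optional[bool]    # condition on receipt; None if not recorded
    expected_transit: timedelta = timedelta(days=3)  # assumed window for step 6


def review_event(ev: TransportEvent, now: datetime) -> list:
    """Return the findings for one event; an empty list means the event passes."""
    findings = []
    if not ev.contains_cui:
        return findings  # non-CUI media is out of scope for 03.08.05

    # Authorization and release custody must exist, not just a tracking number.
    if not ev.approved_by:
        findings.append("no transport approval")
    if not ev.released_by or ev.released_at is None:
        findings.append("no release custodian/timestamp")

    # Protection evidence must match the matrix for this media type.
    required = PROTECTION_MATRIX.get(ev.media_type)
    if required is None:
        findings.append(f"media type {ev.media_type!r} not in protection matrix")
    else:
        for missing in sorted(required - ev.protections):
            findings.append(f"missing evidence of protection: {missing}")

    # Shipped items need a tracking number that maps to the request.
    if ev.method == "courier" and not ev.tracking_number:
        findings.append("courier shipment without tracking number")

    # Exception triggers (step 6).
    if ev.received_at is None:
        if ev.carrier_delivered_at is not None:
            findings.append("carrier shows delivered but no internal receipt")
        elif ev.released_at is not None and now - ev.released_at > ev.expected_transit:
            findings.append("in transit beyond expected window")
    else:
        if not ev.received_by:
            findings.append("receipt without named recipient")
        if ev.seal_intact is False:
            findings.append("tamper indication on receipt")
    return findings


def sample_review(events, now: datetime) -> dict:
    """Map each request id to its findings, the record an assessor would ask to see."""
    return {ev.request_id: review_event(ev, now) for ev in events}


# Constructed sample events (not real shipments): one clean, one with the classic
# "tracking number but no approval or encryption evidence" hangup, one delivered
# but never signed for internally, and one overdue hand-carry.
NOW = datetime(2024, 6, 10, 9, 0)
SAMPLE_EVENTS = [
    TransportEvent("TR-1001", "laptop", "LT-0442", True, "courier", "sec.mgr", "it.tech",
                   datetime(2024, 6, 3, 14, 0), "TRK-CONSTRUCTED-1", {"encrypted"},
                   datetime(2024, 6, 5, 10, 30), "site.b.receiving",
                   datetime(2024, 6, 5, 11, 0), True),
    TransportEvent("TR-1002", "removable", "USB-0091", True, "courier", None, "eng.lead",
                   datetime(2024, 6, 4, 9, 0), "TRK-CONSTRUCTED-2", {"tracked"},
                   datetime(2024, 6, 6, 16, 0), "vendor.receiving",
                   datetime(2024, 6, 6, 16, 5), True),
    TransportEvent("TR-1003", "paper", "BINDER-07", True, "courier", "prog.mgr", "records",
                   datetime(2024, 6, 5, 12, 0), "TRK-CONSTRUCTED-3", {"sealed"},
                   datetime(2024, 6, 7, 13, 0), None, None, None),
    TransportEvent("TR-1004", "laptop", "LT-0510", True, "hand-carry", "sec.mgr", "exec",
                   datetime(2024, 6, 1, 8, 0), None, {"encrypted"}, None, None, None, None),
]

if __name__ == "__main__":
    for request_id, findings in sample_review(SAMPLE_EVENTS, NOW).items():
        print(request_id, "PASS" if not findings else "; ".join(findings))
```

The point of joining the three records per event is that each check corresponds to a hangup listed later on this page: a tracking number alone passes nothing, an "expected" encryption that is not evidenced on the specific asset is a finding, and a delivery scan without an internal receipt opens an exception rather than closing the event.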

Required evidence and artifacts to retain

Keep evidence that an assessor can trace end-to-end:

Policies and procedures

  • Media handling and transport standard (includes protection matrix)
  • Shipping/hand-carry authorization procedure
  • Chain-of-custody procedure and forms

Operational records

  • Shipping/transport tickets or approvals
  • Shipment logs (tracking number, sender, recipient, dates)
  • Receipt acknowledgments (signature, timestamp, condition)
  • Encryption attestations or configuration proof for transported devices/media
  • Exception and incident records (lost package investigations, corrective actions)

Third-party artifacts

  • Contracts/SOW clauses related to CUI media handling (as applicable)
  • Third-party shipping SLAs or handling requirements (as applicable)

Common exam/audit questions and hangups

Assessors commonly ask:

  • “Show me the last few times you transported CUI media and prove authorization, protection, and receipt.”
  • “How do you prevent someone from mailing an unencrypted drive?”
  • “How do you know the recipient was authorized and actually received it?”
  • “What’s your process for shipping laptops that contain CUI?”
  • “Which third parties transport or store your backup media, and what controls govern that?”

Hangups that cause findings:

  • A policy exists, but no shipment records exist.
  • You have tracking numbers, but no link to CUI classification or approval.
  • Encryption is “expected,” but you can’t show evidence it was enabled on the specific device.

Frequent implementation mistakes and how to avoid them

  1. Treating transport as “Facilities’ problem.”
    Fix: make Security/IT own the control design; Facilities executes via a defined workflow.

  2. No chain-of-custody for hand-carries.
    Fix: require a hand-carry form or ticket with release and receipt acknowledgment, even for internal staff.

  3. Relying on “tracked shipping” alone.
    Fix: tracking is not custody. Add named custodians, authorization, and packaging/encryption requirements.

  4. Forgetting paper CUI.
    Fix: add paper handling rules, including sealing and recipient verification.

  5. No exception playbook.
    Fix: predefine what triggers an incident and who investigates, then keep the records.

Enforcement context and risk implications

No public enforcement cases were provided in the available source catalog for this requirement. Treat the risk as contractual and assessment-driven: loss of CUI media in transit can trigger incident handling obligations, customer reporting expectations, and negative assessment outcomes tied to NIST SP 800-171 Rev. 3 alignment [1].

Practical 30/60/90-day execution plan

First 30 days (Immediate)

  • Assign control owner and process owner (Security/IT + Shipping/Facilities).
  • Publish a one-page transport SOP: approval required, approved methods, minimum protections.
  • Create a transport request form or ticket type with required fields.
  • Define the protection matrix for digital media, devices, and paper.

Days 31–60 (Near-term)

  • Roll out chain-of-custody logging for shipments and hand-carries.
  • Add encryption verification steps for any device or removable media shipments.
  • Identify third parties involved (couriers, offsite storage, ITAD, repair). Document how they fit into the process.
  • Train shipping/receiving and IT asset staff; require acknowledgments.

Days 61–90 (Operationalize and prove)

  • Run a sampling review of recent transport events; document gaps and fixes.
  • Add exception handling workflow for delays, loss, or suspected tampering.
  • Start recurring evidence capture tied to your assessment calendar (Daydream can track mappings, request artifacts, and keep an audit-ready record).

Frequently Asked Questions

Does 03.08.05 apply if we never use USB drives?

Yes, if you transport CUI on any media, including laptops, mobile devices, backups, or paper. Scope “media” broadly so teams don’t create accidental exceptions.

Is shipping with a major carrier and a tracking number enough?

Tracking helps, but you still need authorization, documented custody, and protection appropriate to the media (for example, encryption for digital media). Auditors often look for proof that the specific shipment followed your process.

How do we handle employees hand-carrying CUI laptops between sites?

Treat it as transport: require approval, confirm device encryption, and record release and receipt. A simple hand-carry ticket with named custodian and timestamps covers most audit expectations.

What evidence should we keep for encrypted removable media shipments?

Keep the transport approval, the media/device identifier, and evidence the media was encrypted before shipment (for example, configuration proof or an encryption attestation tied to the asset). Also retain delivery/receipt confirmation linked to the same request.

Do we need tamper-evident packaging for every shipment?

Use a protection matrix based on media type and sensitivity. If you choose not to use tamper-evident seals for a category, document the rationale and compensating controls so the decision is defensible.

How do third parties fit into media transport controls?

If a third party ships, stores, repairs, recovers, or disposes of media containing CUI, treat them as in-scope for the workflow. Ensure contracts and procedures require the same custody, tracking, and incident notification expectations.

Footnotes

  1. NIST SP 800-171 Rev. 3
