CMMC practice MP.L2-3.8.5, grounded in NIST SP 800-171 Rev 2 security requirement 3.8.5, requires organizations to control access to CUI-bearing media during transport and maintain accountability for that media throughout the transport process. 'Transport' refers to movement of media outside of organizationally controlled physical spaces, such as carrying a USB drive offsite, shipping hard drives, or using a courier service for backup tapes. Access control during transport must ensure only authorized individuals handle or retrieve the media, while accountability requires tracking mechanisms such as chain-of-custody logs, tamper-evident seals, or shipment tracking that provide a verifiable record of the media's location and handlers. Organizations must implement both procedural and technical safeguards — including protective packaging, authorized courier designations, and encryption — to satisfy this requirement. This practice builds on the media inventory and access restrictions established in MP.L2-3.8.1 and feeds into the transport documentation requirements of MP.L2-3.8.6.
Where it stops · what it isn't
- This practice does not address sanitization or destruction of media, which are covered by MP.L2-3.8.3 and MP.L2-3.8.4.
- This practice does not cover CUI transmitted electronically across networks, which falls under System and Communications Protection (SC) domain controls.
- This practice does not require specific cryptographic standards by itself — encryption during transport is a complementary control, not the sole mechanism for access control.
- This practice does not govern access controls for media stored within controlled areas; that is addressed by MP.L2-3.8.1.
- This practice does not define what constitutes a 'controlled area' — that boundary is set by organizational policy and Physical Protection (PE) domain controls.