MP.L2-3.8.5 — Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

What this control requires

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Source: CMMC L2 v2.13 MP.L2-3.8.5 / NIST SP 800-171 R2 3.8.5 (official control text).

Why this matters

Organizations regularly transport CUI on physical media—backup tapes shipped to off-site storage, laptops carried to customer sites, USB drives mailed for incident response, or hard drives sent for secure destruction. Without access controls and chain-of-custody tracking during transport, media can be lost, stolen, or tampered with by unauthorized parties. This control ensures CUI remains protected when media leaves the organization's physical premises by requiring locked containers, transport manifests, tamper-evident packaging, and cryptographic protections. It prevents data breaches that occur not from sophisticated hacking, but from a lost package or unencrypted drive left in a vehicle.

What evidence assessors expect

Assessors typically look for: PDF, photo, CSV export, screenshot, training certificate. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls