MP.L2-3.8.6 — Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
What this control requires
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Source: CMMC L2 v2.13 MP.L2-3.8.6 / NIST SP 800-171 R2 3.8.6 (official control text).
Why this matters
When digital media containing CUI leaves your facility — whether a USB drive in a courier pouch, a laptop checked as baggage, or an external hard drive mailed to a data center — it enters environments you cannot monitor. Physical loss or theft becomes a data breach unless the contents are encrypted. This control mandates that any portable storage device carrying CUI must use cryptographic mechanisms (AES-256, BitLocker, FileVault, encrypted USB drives) so that unauthorized physical access yields only unreadable ciphertext. Alternative physical safeguards (armored transport with armed guards, sealed evidence bags with chain-of-custody) may substitute, but encryption is the standard defense. Without it, a lost flash drive becomes a regulatory incident and potential compromise of customer, employee, or operational data.
What evidence assessors expect
Assessors typically look for: screenshot, PDF, photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.