03.08.05 — (a) Protect and control system media that contain CUI during transport outside of controlled areas. (b) Maintain accountability of system media that contain CUI during transport outside of controlled areas. (c) Document activities associated with the transport of system media that contain CUI.

What this control requires

(a) Protect and control system media that contain CUI during transport outside of controlled areas. (b) Maintain accountability of system media that contain CUI during transport outside of controlled areas. (c) Document activities associated with the transport of system media that contain CUI.

Source: NIST SP 800-171 R3 §03.08.05 (official control text).

Why this matters

When system media containing CUI leaves secure facilities — whether USB drives shipped to partners, backup tapes sent to storage, or laptops traveling with employees — it becomes vulnerable to theft, loss, or tampering. This control ensures the organization maintains both physical protection (encryption, locked containers) and accountability (chain-of-custody records) throughout transport. Without these safeguards, a single lost package or stolen bag can expose sensitive government information to unauthorized parties, resulting in breach notifications, contract violations, and loss of trusted status with federal customers.

What evidence assessors expect

Assessors typically look for: PDF, CSV export, photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls