CMMC Practice Requirement:

Control access to media containing “Controlled Unclassified Information” (CUI) and maintain accountability for media during transport outside of controlled areas.

CMMC Requirement Explanation:

Safeguards to protect media during transport include locked containers, and encryption. For the actual transport, authorized transport and courier personnel may include individuals from outside your company (e.g.,U.S.PostalService or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking records of transport activities as the media moves through the transportation system.

Example CMMC Implementation:

If you are transporting digital storage devices (e.g., hard drives etc.) containing CUI outside of your facilities they need to be encrypted. If you are transporting paper work containing CUI outside of your facilities they should be in a locked container. Maintain accountability for CUI transported outside of your organization by documenting who is authorized to transport it. This can include company employees and postal services. If you need to ship CUI in the mail make sure that you receive a tracking number and specify the intended recipient.


- Scenario 1:

You have several hard drives containing CUI that you need to transport to your company's other facility. To ensure that the CUI on the drives is safe you encrypt the drives. You also document who will be carrying the drives and to which location.

- Scenario 2:

You have a folder containing papers with CUI. You need to take these to a government facility. To ensure that they do not get in the wrong hands you transport them in a locked brief case.

- Scenario 3:

You need to ship a hard drive containing CUI to your company's facility on the other side of the country. You encrypt the drive and securely package it. When you take it to the postal service you get a tracking number for the package.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance