CMMC Practice Requirement:

Implement cryptographic mechanisms to protect the confidentiality of “Controlled Unclassified Information” (CUI) stored on digital media during transport unless otherwise protected by alternative physical safeguards.

CMMC Requirement Explanation:

This requirement generally applies to portable storage devices such as USB thumb drives, CDs, DVDs, and external hard drives. Any digital media containing FCI or CUI that is transported outside of your facility must be encrypted or stored in a locked container.

Example CMMC Implementation:

Encrypt any digital media containing FCI or CUI that you intend to transport outside of your facilities. In general it is a good idea to encrypt all digital media when feasible.


- Scenario 1:

Your company wants to store its backups with a third party off-site. To protect the CUI on the backup drives it encrypts them. The third party is thus unable to access the CUI on the drives.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance