3.8.5 — Track Media in Transit

The One-Liner

A backup drive shipped without tracking is CUI floating in the postal system with zero accountability.

What It Says

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

What It Actually Means

When CUI media moves outside your controlled environment — shipped to a client, transported to a backup facility, hand-carried to another office — two things must be in place:

1. Access is controlled. Only authorized people handle the media during transport. It’s not left with a receptionist, dropped on a loading dock, or handed to a random courier. The sender, carrier, and recipient are all known and authorized.

2. Accountability is maintained. You know where the media is at every point in the transport chain. This means: tracked shipping (signature required), tamper-evident packaging, chain of custody documentation, and receipt confirmation. For hand-carried media: a custody form documenting who has it at every handoff.

The assessor will ask about your most recent media transport — whether it was a backup drive going off-site, a USB drive hand-carried to a client, or a laptop shipped to a remote employee. They’ll want to see the tracking and custody records.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is access to CUI media controlled during transport?	Only authorized personnel handle media; no uncontrolled handoffs
2	Is accountability maintained during transport?	Tracked shipping with signature; chain of custody form; receipt confirmation documented

---

What to Have Ready on Assessment Day

Documents they’ll review: Media protection policy; transport procedures; chain of custody forms; shipping records with tracking numbers; receipt confirmations; system security plan

People they’ll talk to: Personnel who transport CUI media; information security personnel; recipients of transported media

Live demos they’ll ask for: “Show me a chain of custody form from a recent transport.” “Show me the tracking confirmation and receipt for the last shipment.” “Walk me through your procedure for shipping CUI media.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “When was the last time CUI media was transported outside your facility?”
• “Show me the chain of custody form.”
• “How do you ship CUI media — which carrier, what packaging?”
• “How do you confirm the recipient received it?”
• “Is the media encrypted before transport (see 3.8.6)?”
• “What happens if a shipment goes missing?”

Real-World Example

A defense contractor ships encrypted backup drives to a secure off-site storage facility monthly. The procedure: the IT Security Lead encrypts the drive (BitLocker To Go, FIPS mode), places it in tamper-evident packaging with a chain of custody form inside, ships via FedEx Priority with signature required, and emails the tracking number to the receiving facility manager. The receiving facility manager signs the custody form and returns a scanned copy. The IT Security Lead files the tracking confirmation + signed custody form together. If the package doesn’t arrive within 48 hours, the incident response process is activated. The assessor reviews: the transport procedure document, a recent custody form with signatures from both parties, the FedEx tracking confirmation, and the tamper-evident packaging supply in the server room.

---

Where Companies Trip Up

No tracking. CUI media shipped via regular mail without tracking or signature requirement. Always use tracked shipping with signature required for CUI media.

No receipt confirmation. Media shipped but the sender never confirms it arrived. Always get a signed receipt or delivery confirmation.

Uncontrolled handoffs. Media passed informally between colleagues without documentation. Every time CUI media changes hands, document it — even for hand-carried transfers.

No tamper evidence. Media shipped in a regular envelope or box. Use tamper-evident packaging so the recipient can verify it wasn’t opened in transit.

No incident procedure. Media goes missing and nobody knows what to do. Define what happens when a CUI media shipment is lost — it’s a potential CUI incident.

---

How to Talk About This

To a CEO or Board

CUI media in transit is tracked end-to-end with chain of custody documentation, tamper-evident packaging, tracked shipping, and confirmed receipt. If a shipment goes missing, our incident response procedure activates immediately.

To an Engineering Team

Transport procedure: encrypt (3.8.6) → tamper-evident packaging → custody form → tracked shipping (FedEx/UPS, signature required) → recipient signs custody form → confirmation filed. Hand-carry: custody form at every handoff. Missing shipment: activate IR process. Records retained with media inventory.

---

Connected Requirements

Requirement	Why it matters here
3.8.6 — Encrypt Media in Transit	Media should be encrypted before transport — in addition to physical controls
3.8.1 — Lock Up CUI	Secure storage at origin and destination
3.8.4 — Mark Your CUI	Markings help identify CUI media during transport
3.6.1 — Have a Plan	Missing CUI media triggers incident response

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: MP.L2-3.8.5 | SPRS Weight: 1 point | POA&M Eligible: Yes