3.8.6 — Encrypt Media in Transit

The One-Liner

An unencrypted drive lost in shipping is a reportable CUI incident. An encrypted one is lost hardware.

What It Says

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

What It Actually Means

Before any digital CUI media leaves your controlled environment, encrypt it using FIPS 140-2 (or 140-3) validated cryptography. This is the complement to 3.8.5 (tracking) — encryption protects confidentiality even if physical controls fail.

Encryption options:

• USB drives: BitLocker To Go with FIPS mode enabled. Hardware-encrypted USB drives (FIPS 140-2 certified) are even better.
• External hard drives: BitLocker or VeraCrypt (FIPS mode).
• Backup tapes: Encryption enabled in the backup software (most enterprise backup tools support AES-256 with FIPS mode).
• Laptops being shipped: Full disk encryption via BitLocker with FIPS mode — which should already be enabled under 3.13.11.

The alternative: If encryption isn’t feasible for a specific media type, you can use “alternative physical safeguards” — but the bar is high: locked courier case, armed courier, hand-carry with chain of custody, or physically controlled transport where the media is never out of an authorized person’s possession. Encryption is almost always simpler than arranging physical alternatives.

FIPS validation matters. Standard BitLocker without FIPS mode is technically non-compliant. Enable the “System cryptography: Use FIPS compliant algorithms” Group Policy setting or configure it via Intune.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is CUI on digital media encrypted during transport, or protected by alternative physical safeguards?	Encryption configuration shown (FIPS mode enabled); or documented alternative physical safeguards with justification

---

What to Have Ready on Assessment Day

Documents they’ll review: Media protection policy; encryption procedures for portable media; FIPS mode configuration evidence; system security plan; transport records showing encryption was applied

People they’ll talk to: Personnel who transport CUI media; information security personnel; system administrators who configure encryption

Live demos they’ll ask for: “Show me a USB drive being encrypted with BitLocker To Go.” “Show me the FIPS mode setting.” “Is every drive encrypted before it leaves the building? How do you verify?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “How do you encrypt CUI media before transport? Show me the tool and configuration.”
• “Is the encryption FIPS 140-2 validated? Show me the FIPS mode setting.”
• “Show me a USB drive that’s been encrypted for transport.”
• “Do you ever transport CUI media without encryption? If so, what physical safeguards do you use?”
• “How do you verify encryption is applied before media leaves the building?”
• “What about backup tapes — are they encrypted?”

Real-World Example

A defense contractor’s policy requires encryption on all CUI media before transport — no exceptions. USB drives are encrypted with BitLocker To Go (FIPS mode enabled via Intune policy). The two approved CUI USB drives are hardware-encrypted (FIPS 140-2 Level 3 certified). Backup drives going off-site are encrypted via the Veeam backup encryption feature (AES-256, FIPS mode). Before any media leaves the building, the IT Security Lead verifies encryption status — for USB drives, by confirming BitLocker status; for backup drives, by checking the encryption flag in the Veeam console. The verification is logged on the chain of custody form alongside the transport details. The assessor checks: the Intune policy showing FIPS mode enabled for BitLocker, the hardware-encrypted USB drive’s FIPS certification, and the Veeam encryption configuration.

---

Where Companies Trip Up

Unencrypted media shipped. Backup drives or USB drives shipped without encryption because “we’re in a hurry.” The few minutes to encrypt are worth it — an unencrypted lost drive is a reportable CUI incident.

Encryption not FIPS-validated. BitLocker is enabled but FIPS mode isn’t turned on. Or a non-FIPS tool like standard VeraCrypt (without FIPS mode) is used. Enable FIPS compliance settings — it’s a Group Policy or Intune setting.

No verification before transport. The policy says “encrypt before shipping” but nobody verifies. The IT Security Lead should confirm encryption status before media leaves the building, documented on the custody form.

Alternative safeguards not documented. In rare cases where encryption isn’t feasible, the alternative physical safeguards need to be documented and justified — not just “we hand-carried it.” Describe the specific physical controls used and why encryption wasn’t possible.

---

How to Talk About This

To a CEO or Board

All digital CUI media is encrypted with FIPS-validated cryptography before leaving our facility. A lost drive in transit is a hardware loss, not a data breach. Encryption is verified before every transport.

To an Engineering Team

BitLocker To Go with FIPS mode for USB (Intune policy). Hardware-encrypted USB drives preferred (FIPS 140-2 Level 3). Backup encryption via Veeam AES-256 FIPS mode. FIPS Group Policy setting enabled. Encryption verified by IT Security Lead before transport, noted on custody form. No exceptions without documented alternative physical safeguards.

---

Connected Requirements

Requirement	Why it matters here
3.8.5 — Track Media in Transit	Physical tracking complements encryption during transport
3.13.11 — Encrypt CUI at Rest	Encryption-at-rest principles applied to portable media
3.13.8 — Encrypt in Transit	Encryption-in-transit for network communications; this is the physical media equivalent

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: MP.L2-3.8.6 | SPRS Weight: 1 point | POA&M Eligible: Yes