Mapped to NIST 800-171 Requirement: 3.8.5
CMMC Assessment Objective: MP.L2-3.8.5[a]
What This Control Means
CUI must remain protected at all times—including when it’s in transit. This includes:
• Physical transport of media (USB drives, laptops, paper records)
• Digital transmission (email, file transfer, cloud sync)
• Temporary or off-network movement (e.g., remote work environments)
You must identify the methods and technologies used to keep CUI secure during these scenarios.
Why It Matters
Data in transit is vulnerable to:
• Interception (e.g., man-in-the-middle attacks)
• Loss or theft of devices during transport
• Accidental disclosure (e.g., email sent to the wrong recipient)
• Mishandling by unauthorized personnel
Failing to protect CUI during transport puts sensitive data—and compliance—at risk.
How to Implement It
1. Define Physical Transport Controls
• Use locked containers or tamper-evident bags
• Require check-in/out procedures for removable media
• Use authorized couriers only
• Prohibit personal transport of CUI unless pre-approved
2. Define Digital Transport Controls
• Require encryption for all CUI in transit (TLS, VPN, encrypted email)
• Use secure file-sharing platforms (e.g., OneDrive with sensitivity labels, SFTP)
• Prohibit sending CUI over unsecured channels (e.g., standard email, public drives)
3. Document Methods in Policy
• Media Protection Policy
• Acceptable Use Policy
• Remote Work or Telecommuting Guidelines
4. Educate Users
• Train staff on secure data transfer procedures
• Include examples of approved vs. prohibited transport methods
Evidence the Assessor Will Look For
• Policies describing how CUI is protected in transit
• Encryption standards for digital transfers
• Procedures for physical transport of CUI media
• Checklists or logs for transported media
• Training records addressing data in transit
Common Gaps
• No controls defined for transporting CUI
• Staff email sensitive documents without encryption
• Portable drives are transported without tracking or protection
• VPN or file transfer policies are not enforced or documented
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Defining and enforcing approved methods for CUI transport
• Integrating encryption requirements for both physical and digital media
• Providing secure document transfer platforms within the enclave
• Logging CUI file movements and access by location and device
• Helping document transport policies aligned with CMMC and NIST guidance
With Cuick Trac, your CUI stays protected—whether it’s in the office, in the cloud, or in a courier’s hands.
Final CTA
CUI on the move is CUI at risk—until you define how to protect it.
Schedule a Cuick Trac demo to build and enforce your secure CUI transport process.