NIST SP 800-171
Control 3.8.5
Control Access to CUI Media and Maintain Accountability
CMMC-RP Certified Team
24+ Years Experience
CMMC-AB RPO #1449
Official Requirement
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
What This Means in Plain English
When CUI media is being transported (physically or via courier), you must track it and maintain a chain of custody. You need to know who has the media at all times during transport.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Chain of custody forms for all CUI media transported outside controlled areas
- Encrypted media required for all CUI transport (FIPS 140-2 validated encryption)
- Tamper-evident packaging for physical CUI media shipments
- Registered courier services required for external CUI media transport
- ComplianceArmor tracking media transport events with sender, receiver, and chain of custody records
Assessment Guidance
Assessors will review media transport procedures, check chain of custody records, verify that transported media is encrypted, and confirm that tamper-evident packaging and secure courier services are used.
Common Implementation Gaps
- No chain of custody for transported media
- Unencrypted media sent via regular mail
- No tamper-evident packaging for sensitive shipments
- No tracking of media in transit
- CUI media carried in personal vehicles without controls
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | MP-5 |
| HIPAA | 164.310(d)(1) - Device and Media Controls |
| PCI DSS | Req 9.6 - Control physical distribution of media |
Need Help Implementing 3.8.5?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment Calculate your SPRS score