3.8.6—Media Protection - Derived
Derived Requirement
Control Description
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Discussion
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives). See [NIST CRYPTO]. [SP 800-111] provides guidance on storage encryption technologies for end user devices.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern controlling media during transport?
- What procedures ensure secure media transport internally and externally?
- Who approves media transport outside controlled areas?
- What courier or delivery services are approved for CUI media?
- What governance ensures media security during transport?
Technical Implementation:
- What encryption protects media during transport?
- How do you implement tamper-evident packaging for media?
- What tracking systems monitor media in transit?
- How do you secure media transport vehicles or containers?
- What controls verify media arrives intact and secure?
Evidence & Documentation:
- Can you provide media transport procedures and approvals?
- What chain of custody records track media during transport?
- Can you demonstrate encryption and packaging for transported media?
- What shipping logs and receipts verify secure media delivery?
- What audit evidence proves secure media transport practices?