MP.L2-3.8.5

MP.L2-3.8.5: Media Accountability

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

Media accountability is about one thing: knowing where your CUI is at all times, especially when it’s being moved. A laptop travels from the office to a field site. A backup drive is shipped to a client. A hard drive moves from one server to another. You need to know who had it, when they had it, and that no one accessed it without authorization.

MP.L2-3.8.5 At a Glance

  • Document all transfers of media containing CUI
  • Require signed hand-off between sender and receiver
  • Encrypt or seal media for transport
  • Use tracked shipping for media sent outside the organization
  • Maintain a transfer log or chain of custody
  • Verify receipt and integrity upon arrival

What the assessor is actually evaluating

The assessor is looking for a clear chain of custody. If a backup drive is sent from your office to a data center, you need a record showing: who transferred it, when, how it was protected, who received it, and when they received it. The receiving party should confirm nothing was damaged or accessed during transport.

This is less about paranoia and more about liability. If a hard drive goes missing during transport, you need documentation showing you did everything reasonable to protect it. You encrypted it, you shipped it overnight with tracking, you got a signature on delivery. If someone opens it during transport, it’s encrypted so they see nothing. If it arrives and is damaged, you have evidence the sender took reasonable care.

For internal transport (laptop moving between offices), you need less ceremony but still a record. The employee takes the laptop from one location to another. Ideally they complete a check-out form saying "I'm taking laptop XYZ from office A to office B on this date." When they arrive, they confirm it is still locked and secure and the record is closed out. Simple. Media accountability connects to MP.L2-3.8.1 (overall media protection), MP.L2-3.8.6 (cryptographic protection of CUI on digital media during transport unless alternative physical safeguards are used), and PE.L2-3.10.6 (alternate work sites).

For external transport (sending media to a vendor or customer), you formalize it. You use a shipping carrier with tracking. You encrypt the media. You require signature on delivery. You get a receipt. If the media is sensitive enough to be CUI, it deserves this protection.

What a realistic SSP definition looks like

Example SSP Language

"Organization maintains accountability for media containing CUI during transport and transfer through documented procedures.

Internal Transport: When media is transferred between locations within the organization, the transferring party completes a Hand-Off Form documenting the media identifier (laptop serial number, drive serial number), the reason for transfer, the source location, the destination location, and the date and time. The receiving party signs the form confirming receipt and that the media is intact and secure. The form is maintained in the inventory log for the media.

External Transport: Media shipped outside the organization (to vendors, customers, or remote offices) must be encrypted. Shipment is made through a tracked carrier (FedEx, UPS, DHL) with signature required on delivery. A packing log documents what is being shipped, the encryption method, and the expected delivery date. The receiver provides a delivery confirmation email or document including the date and time of receipt. Any damage or security concerns are reported to IT immediately.

Media In Transit: During transport, media is never left unattended. If an employee is traveling with a laptop, it remains in their physical possession or is secured out of sight in a locked vehicle. Media shipped overnight is packed in a sealed, protective shipping container. Hand-carried media is encrypted, and the decryption key or passphrase never travels in the same package as the media.

Loss Procedures: If media is lost in transit, the incident is reported to management and the CISO within 24 hours. If the media was encrypted and the key was not shipped with it, data exposure is unlikely. If the media was not encrypted, a security incident is declared and potentially impacted parties are notified."

How to present your evidence

Evidence Checklist for MP.L2-3.8.5

  • Hand-Off Form: Template used for internal media transfers
  • Transfer Log: Historical record of media transfers with dates and signatures
  • Shipping Receipts: Tracking numbers and delivery confirmations for external shipments
  • Chain of Custody Documentation: For highly sensitive media, a formal log showing every handoff
  • Encryption Evidence: Documentation showing media was encrypted before external transport
  • Transport Procedures: Written policy specifying how media is protected during movement
  • Incident Reports: Any lost or mishandled media and how it was resolved
  • Receipt Confirmations: Email or signed delivery confirmations from receiving parties

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

What You'll Hear in the Assessment Room

Assessor: "Tell me about a time you transferred media containing CUI. How did you track it?"

What works: "Last month we sent a backup drive to our data center. We encrypted it, shipped it overnight with tracking, and got a signature on delivery. Here's the receipt." [Pull up shipping documentation]

Assessor: "An employee needs to take a laptop to a client site for three days. What's your procedure?"

What works: "They fill out a transfer form documenting the laptop serial number, the location, and the duration. The drive is already encrypted so it's protected if lost. When they return, they check the form back in with IT. Here's the form." [Pull up template]

Assessor: "Has media ever been lost in transit?"

What works: "Yes, once. A courier lost a package. However, the external drive was encrypted, so even if someone opened it, the data was unreadable without the key. We have an incident report documenting this." [Pull up incident documentation]

Assessor: "How do you verify media arrives intact?"

What works: "Shipments require signature. The receiver inspects the packaging and confirms nothing was damaged. They email back confirmation. We keep all confirmations on file." [Pull up sample confirmation emails]

Assessor: "What if someone wants to take media off-site without using your process?"

What works: "They cannot. Our policy requires documented transfer before media leaves the facility. This is in the employee handbook and is reinforced during onboarding." [Pull up policy]

Common failures

Why Companies Fail MP.L2-3.8.5

  • No documentation of transfers. A drive is shipped to a vendor with no shipping receipt, no packing list, and no confirmation of receipt.
  • Media is transported unencrypted. A laptop goes to a field office in a backpack with no encryption. If the backpack is lost, CUI is exposed.
  • No hand-off procedures. An employee checks out a media device but there's no form, no confirmation, no record. If it's lost, the company doesn't even realize it's gone immediately.
  • Receiving parties don't confirm. Media is shipped but no one documents that it arrived safely or who took possession of it.
  • "We use cloud so we don't move media." Missing the point that laptops, phones, and other devices containing CUI are moved between locations daily.
  • Lost media is not reported. A media device disappears and no one tells the CISO or management. No incident investigation occurs.

How to Pass MP.L2-3.8.5

  • Create a simple hand-off form. Name of media, serial number, source, destination, date, signature of sender and receiver. That's it.
  • Use shipping carriers for anything leaving the facility. UPS, FedEx, DHL. Get tracking and signature. Cost is small compared to liability.
  • Encrypt everything that moves. Laptop, external drive, USB stick. If it's lost during transport, encryption makes it useless to whoever finds it, as long as the key or passphrase does not travel with the media.
  • Keep a log. Maintain a running record of who took what media where and when. Spot audits can confirm compliance.
  • Confirm receipt. When media arrives externally, get written confirmation from the receiving party. "Arrived 3/28 at 2pm, no damage observed. -John"
  • Report incidents. If media is ever lost or mishandled, report it and document how it was resolved.
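The hand-off form, transfer log, and receipt confirmation above can be kept as one tamper-evident record rather than loose paper. The following is an added example, not code from the page or from any tool it mentions: each transfer entry carries the SHA-256 of the encrypted image as it left the sender, and every entry includes the hash of the previous entry, so an after-the-fact edit to any record breaks the chain. The field names, the hypothetical media and location identifiers, and the sample image bytes are all this example's own constructions.

```python
"""Tamper-evident chain-of-custody log for CUI media transfers.

Added example, not the page's own procedure. Assumptions: media is identified
by an inventory serial number; ``content_hash`` is the SHA-256 of the encrypted
volume image computed by the sender before hand-off and recomputed by the
receiver on arrival; the newest record hash (``head``) is sent to the receiver
out of band (e.g. in the receipt email) so the last entry cannot be rewritten.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Optional

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Transfer:
    """One hand-off of one piece of media (field names are this example's own)."""
    media_id: str      # inventory serial number of the drive or laptop
    sender: str
    receiver: str
    source: str
    destination: str
    timestamp: str     # ISO-8601 UTC, recorded by the sender at hand-off
    encrypted: bool    # sender attests the media was encrypted before leaving
    content_hash: str  # SHA-256 of the encrypted image taken before hand-off
    prev_hash: str     # record_hash() of the previous entry, GENESIS for the first

    def record_hash(self) -> str:
        # Canonical JSON (sorted keys) so the hash does not depend on field order.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLog:
    def __init__(self) -> None:
        self.records: list[Transfer] = []

    def head(self) -> str:
        """Hash of the newest record; store it out of band with the receipt."""
        return self.records[-1].record_hash() if self.records else GENESIS

    def append(self, **fields) -> Transfer:
        rec = Transfer(prev_hash=self.head(), **fields)
        self.records.append(rec)
        return rec

    def verify_chain(self, expected_head: Optional[str] = None) -> bool:
        """True if every record links to its predecessor and, when an
        out-of-band head is supplied, the newest record matches it."""
        prev = GENESIS
        for rec in self.records:
            if rec.prev_hash != prev:
                return False
            prev = rec.record_hash()
        return expected_head is None or prev == expected_head

    def current_holder(self, media_id: str) -> Optional[str]:
        """Who signed for the media most recently (None if never logged)."""
        for rec in reversed(self.records):
            if rec.media_id == media_id:
                return rec.receiver
        return None

    def verify_receipt(self, media_id: str, received_image: bytes) -> bool:
        """Receiver re-hashes what arrived and compares with the sender's hash."""
        for rec in reversed(self.records):
            if rec.media_id == media_id:
                return sha256_hex(received_image) == rec.content_hash
        return False


# Constructed sample data: a sealed backup drive going from HQ to a data center
# via a courier. The bytes stand in for the encrypted volume image.
SAMPLE_IMAGE = b"encrypted-volume-image" + b"\x17" * 1024


def build_sample_log() -> CustodyLog:
    log = CustodyLog()
    digest = sha256_hex(SAMPLE_IMAGE)  # sender computes this before hand-off
    log.append(media_id="EXT-DRIVE-00417", sender="alice", receiver="courier",
               source="HQ / IT cage", destination="DC-East dock",
               timestamp="2025-03-28T13:05:00Z", encrypted=True,
               content_hash=digest)
    log.append(media_id="EXT-DRIVE-00417", sender="courier", receiver="john",
               source="DC-East dock", destination="DC-East rack 12",
               timestamp="2025-03-29T14:00:00Z", encrypted=True,
               content_hash=digest)
    return log


def tampered_copy(log: CustodyLog, index: int, **changes) -> CustodyLog:
    """Copy of the log with one record edited after the fact, without the
    chain being recomputed. This is exactly what verify_chain() must expose."""
    bad = CustodyLog()
    bad.records = list(log.records)
    bad.records[index] = replace(bad.records[index], **changes)
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify_chain(), "holder:", log.current_holder("EXT-DRIVE-00417"))
    print("receipt ok:", log.verify_receipt("EXT-DRIVE-00417", SAMPLE_IMAGE))
    print("edited record 0 detected:", not tampered_copy(log, 0, receiver="mallory").verify_chain())
```

Two design points worth noting. Editing any record but the newest is caught by the chain alone; editing the newest one is only caught when the receiver compares against the head hash that was sent separately, which is why the receipt confirmation should quote it. And the receiver's hash check is over the encrypted image, so it proves the media arrived intact and unaltered without anyone in the shipping path needing the key.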

If you use an MSP/MSSP

Media Accountability with Managed Service Providers

If your MSP transports media (backups to cloud, data center transfers), require documented procedures. Your service agreement should specify: how media is transported, encryption during transit, chain of custody documentation, and incident reporting. Request monthly reports of all media transfers. For sensitive operations, request tracking numbers and delivery confirmations. You are ultimately responsible for knowing where your CUI is at all times, so verify your MSP has procedures in place and executes them. Do not assume they handle this automatically.


Disclaimer: This guide is for educational purposes. CMMC Level 2 assessments are conducted by Authorized C3PAO partners. Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.