3.8.6 — Encrypt CUI on media in transit | NIST 800-171 Control

CUI on digital media that travels must be encrypted (unless physically safeguarded).

What it actually means

Implement cryptographic mechanisms to protect CUI on digital media during transport, unless an alternative physical safeguard protects it. In practice: encrypt the USB drive, disk, or backup that's leaving a controlled area. Pair with FIPS-validated cryptography (3.13.11).

Pass or fail — an assessor needs a "yes" to each

Is CUI on transported digital media encrypted (or protected by an alternative physical safeguard)?

What to have ready

Configuration showing encryption on removable media / backups
Policy requiring encryption for media in transit

Where teams trip up

Unencrypted USB drives or backup disks shipped offsite
Relying on a 'we trust the courier' assumption

See where this control puts your score

Run all 110 requirements free in about 10 minutes.

Calculate your SPRS score →

Connected requirements

3.13.16 — Encrypting CUI at rest 3.13.11 — FIPS-validated cryptography 3.8.5 — Controlling media in transit

← Back to the Control Library