CMMC Practice MP.L2-3.8.6 – Portable Storage Encryption: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Links to Publicly Available Resources
Discussion [NIST SP 800-171 R2]
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives).
NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
CUI can be stored and transported on a variety of portable media, which increases the chance that the CUI can be lost. When identifying the paths CUI flows through your company, identify devices to include in this practice.
To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect the data. Even if the media are lost, proper encryption renders the data inaccessible. When encryption is not an option, apply alternative physical safeguards during transport.
This practice, MP.L2-3.8.6, provides additional protections to those provided by MP.L2-3.8.5. This practice is intended to protect against situations where control of media access fails, such as through the loss of the media.