MP.L2-3.8.6: Portable Storage Encryption for CUI Protection
CMMC Level 2 control MP.L2-3.8.6 requires encryption of Controlled Unclassified Information (CUI) when stored on portable devices during transport. Without strong encryption mechanisms, your organization risks data breaches during transit. GRCWatch helps you document and maintain this critical media protection control across your supply chain.
What this means
This control mandates that any portable storage devices (USB drives, external hard drives, laptops, mobile devices) containing CUI must be encrypted using approved cryptographic standards. The encryption protects data confidentiality if devices are lost, stolen, or intercepted during transport. Your organization can satisfy this requirement through encryption technology unless you implement alternative physical safeguards such as secure couriers or controlled transportation environments.
How to comply
- 1.Identify all portable storage devices used within your organization that may contain CUI
- 2.Select NIST-approved encryption algorithms (AES-256 or equivalent) for data at rest on portable media
- 3.Implement full-disk or volume-level encryption on all laptops, tablets, and removable storage devices
- 4.Enforce encryption through Mobile Device Management (MDM) or Endpoint Detection and Response (EDR) tools
- 5.Document which devices are encrypted and maintain encryption keys with secure key management practices
- 6.Train employees on the requirement to transport only encrypted devices containing CUI
- 7.Establish a baseline inventory of portable storage and conduct periodic audits to verify encryption compliance
- 8.Create a policy prohibiting unencrypted CUI on portable devices during transport
Evidence auditors look for
- Full-disk encryption settings enabled on all laptops (e.g., BitLocker, FileVault, LUKS)
- USB device encryption status reports from MDM solution
- Encryption policy documentation showing approved algorithms and standards
- Device inventory spreadsheet with encryption status column marked as compliant
- Screenshots of encrypted volume confirmation from file explorer or system settings
- Key management procedures documenting secure storage and recovery processes
- Audit logs showing encryption enforcement on all portable devices from past 12 months
- Security awareness training records confirming employee education on portable storage requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates portable device encryption monitoring by integrating with your MDM platform to track encryption status in real-time, generate compliance reports, and alert you immediately when devices fall out of compliance.
See how GRCWatch handles this control automatically
Start free trial