Portable Storage Encryption
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
What an assessor scores, the objectives
MP.L2-3.8.6 is met only when its 1 objective, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a. the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For MP.L2-3.8.6, an assessor uses these:
- Examine: System media protection policy; procedures addressing media transport; system design documentation; system security plan; system configuration settings and associated documentation; system media transport records; system audit logs and records; other relevant documents or records
- Interview: Personnel with system media transport responsibilities; personnel with information security responsibilities
- Test: Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas
What it means, in context
This requirement applies to portable storage devices (e.g., USB memory sticks, digital video disks, compact disks, external or removable hard disk drives). NIST SP 800-111 provides guidance on storage encryption technologies for end user devices.
CUI can be stored and transported on a variety of portable media, which increases the chance that the CUI can be lost. When identifying the paths CUI flows through your company, identify devices to include in this requirement. To mitigate the risk of losing or exposing CUI, implement an encryption scheme to protect the data. Even if the media are lost, proper encryption renders the data inaccessible. When encryption is not an option, apply alternative physical safeguards during transport.
Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11.
This requirement, MP.L2-3.8.6, provides additional protections to those provided by MP.L2-3.8.5. This requirement is intended to protect against situations where control of media access fails, such as through the loss of the media.
Example
You manage the backups for file servers in your datacenter. You know that in addition to the company’s sensitive information, CUI is stored on the file servers. As part of a broader plan to protect data, you send the backup tapes off site to a vendor. You are aware that your backup software provides the option to encrypt data onto tape. You develop a plan to test and enable backup encryption for the data sent off site. This encryption provides additional protections for the data on the backup tapes during transport and offsite storage [a].
Potential Assessment Considerations
- Are all CUI data on media encrypted or physically protected prior to transport outside of controlled areas [a]?
- Are cryptographic mechanisms used to protect digital media during transport outside of controlled areas [a]?
- Do cryptographic mechanisms comply with FIPS 140-2 [a]?
What passing evidence looks like
Encryption on CUI media in transport: encrypted USB drives or encrypted archives for anything carried or shipped, with the mechanism named.
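One way to capture this evidence on a Windows workstation where BitLocker To Go is the mechanism, as an added example that is not part of the original page or of any vendor tooling. The output file name and the `EncryptedForTransport` column are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: record the BitLocker state of each removable volume as
# transport evidence. Only volumes Windows reports as DriveType 'Removable'
# are covered; external hard disks often enumerate as 'Fixed' and need a
# separate check. EncryptionMethod names the cipher only; it does not show
# whether the module meets SC.L2-3.13.11.

$outFile = '.\removable-media-encryption.csv'   # hypothetical evidence file name

$removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

$report = @(foreach ($vol in $removable) {
    $mount = "$($vol.DriveLetter):"
    $row = [ordered]@{
        CollectedUtc          = (Get-Date).ToUniversalTime().ToString('s')
        Computer              = $env:COMPUTERNAME
        MountPoint            = $mount
        Label                 = $vol.FileSystemLabel
        VolumeStatus          = 'Unknown'
        ProtectionStatus      = 'Unknown'
        LockStatus            = 'Unknown'
        EncryptionMethod      = 'Unknown'
        EncryptedForTransport = $false            # hypothetical summary column
        Note                  = ''
    }
    try {
        $blv = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop
        $row.VolumeStatus     = [string]$blv.VolumeStatus
        $row.ProtectionStatus = [string]$blv.ProtectionStatus
        $row.LockStatus       = [string]$blv.LockStatus
        $row.EncryptionMethod = [string]$blv.EncryptionMethod
        if ($blv.LockStatus -eq 'Locked') {
            # A locked volume is under BitLocker, but its details cannot be read until it is unlocked.
            $row.Note = 'Locked: unlock the drive and re-run to record method and status'
        } else {
            $row.EncryptedForTransport = ($blv.VolumeStatus -eq 'FullyEncrypted' -and
                                          $blv.ProtectionStatus -eq 'On')
        }
    } catch {
        $row.Note = "BitLocker query failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
})

if ($report.Count -eq 0) { Write-Warning 'No removable volumes found.'; return }
$report | Export-Csv -Path $outFile -NoTypeInformation
# Show anything that is not yet fit to leave a controlled area.
$report | Where-Object { -not $_.EncryptedForTransport } |
    Format-Table MountPoint, Label, VolumeStatus, ProtectionStatus, Note
```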
Common ways contractors fail MP.L2-3.8.6
- Pair with 3.8.5: if media never leaves, inherit that answer. If it does, hardware encrypted drives (or BitLocker To Go) are the practical mechanism.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove MP.L2-3.8.6, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MP.L2-3.8.6 questions, answered
How many points is CMMC requirement MP.L2-3.8.6 worth?
MP.L2-3.8.6 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can MP.L2-3.8.6 be placed on a POA&M?
Yes. A gap on MP.L2-3.8.6 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does MP.L2-3.8.6 belong to?
MP.L2-3.8.6 is in the Media Protection (MP) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.8.6