Controlled areas are areas or spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting systems and information. Controls to maintain accountability for media during transport include locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. 

Priority: High  

Category: Asset Management 

Services Associated with AWS:   


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation of role-based security training being performed 

Possible Technology Considerations : 


What needs to be answered :  

Do only approved individuals have access to media from CUI systems? Is accountability for system media maintained during transport outside controlled areas? Are all CUI data on media encrypted or physically locked prior to transport outside of the company’s secure locations? 

  • Control and Accountability of Media during Transport
    Description: This check ensures that organizations have controls in place to control access to media containing Controlled Unclassified Information (CUI) and maintain accountability for the media during transport outside of controlled areas. Controlled areas are designated spaces or areas with physical or procedural controls to protect systems and information. The controls for media transport include using locked containers and cryptographic mechanisms for confidentiality and integrity protection. Authorized transport personnel, including external individuals, should be designated for transporting the media, and explicit records of transport activities should be maintained to track the movement of the media and prevent loss, destruction, or tampering.

More Details:   

CUI is not stored on removable media.