Executive Summary
A persistent misconception in the Defense Industrial Base (DIB) is that printed CUI may never leave a controlled facility. That is not what CMMC Level 2 requires. Neither CMMC nor its underlying standard, NIST SP 800-171 Rev. 2, prohibits CUI from leaving a controlled facility. The compliance objective is the continued protection of CUI during transport, use, and storage — not the geographic confinement of CUI. An organization can hold CMMC Level 2 certification and lawfully transport printed CUI outside its controlled facility, provided documented, audit-defensible procedures are implemented, trained, and evidenced.
For executives, the issue is not academic. Mishandled CUI is a direct threat to contract eligibility, financial exposure, and legal liability. Under the DFARS and the CMMC final rule (32 CFR Part 170, effective December 16, 2024; the DFARS acquisition rule, 48 CFR, effective in 2025), the ability to win and keep DoD work depends on a defensible CUI program. A false or inaccurate compliance attestation can trigger False Claims Act exposure for the company and its officers. This article verifies the underlying compliance position, maps an audit-defensible hardcopy CUI process to the specific control objectives across every major framework your organization operates under, and frames the decision leadership actually needs to make: keep governing paper manually, or move CUI to secure electronic access.
Why This Matters to Leadership
Compliance is the through-line for revenue. Assessors and prime contractors do not evaluate vague “good security.” They evaluate whether the organization has documented, repeatable, evidenced controls. A weak hardcopy CUI process produces assessment findings, POA&M items, and — at Level 2 — can block certification and therefore contract award.
The liability is personal and financial. CMMC requires a senior official affirmation of compliance. Inaccurate affirmations have driven multimillion-dollar False Claims Act settlements in the DIB. A lost or unmarked CUI document is not just an IT issue; it is a reportable incident with contractual, financial, and reputational consequences that reach the C-suite and the board.
Paper is the control you cannot see. Every other control plane — identity, endpoint, network — generates telemetry. Hardcopy does not. The single most effective executive decision is to minimize the population of CUI that exists on paper and govern the remainder with a documented, trained, evidenced procedure.
The Compliance Question: Can Printed CUI Leave a Controlled Facility?
Verified answer: yes — with proper safeguards. CMMC Level 2 is built on the 110 requirements of NIST SP 800-171 Rev. 2, and two requirements directly contemplate CUI existing and moving outside the controlled facility:
MP.L2-3.8.5 requires controlling access to media containing CUI and maintaining accountability for media during transport outside of controlled areas. The control presumes CUI media — including paper — will be transported outside controlled areas and prescribes how to do it safely.
PE.L2-3.10.6 requires organizations to enforce safeguarding measures for CUI at alternate work sites — explicitly acknowledging CUI is handled at residences, client sites, and government facilities.
This is reinforced by the DoD CUI Program (32 CFR Part 2002 and DoDI 5200.48), which permits the transport and transmission of CUI when proper marking, handling, and safeguarding controls are applied. Verification result: the position that printed CUI may leave a controlled facility under proper procedures is accurate and well-founded. The remainder of this article defines the procedures that make the practice defensible.
The Audit-Defensible Procedure for Printed CUI Offsite
A written procedure must describe how the organization manages printed CUI outside the controlled facility; every authorized handler must be trained on it (AT.L2-3.2.1, AT.L2-3.2.2); and it should be documented in the System Security Plan (CA.L2-3.12.4). Each component below states the practice, the executive rationale, and the precise control objectives it satisfies.
1. Authorized Possession Only
Practice: Only personnel explicitly authorized — by role and need-to-know — may possess hardcopy CUI. Maintain an access authorization list as evidence. Executive rationale: limits the population who can create liability, and gives the assessor a single artifact to test.
Compliance alignment: CMMC 2.0 MP.L2-3.8.2, PE.L2-3.10.1; NIST SP 800-171 §3.8.2, §3.10.1; NIST SP 800-53 Rev. 5 MP-2, PE-2, PE-3; ISO/IEC 27001:2022 A.5.15, A.5.18; DoDI 5200.48 (lawful access to CUI).
2. Direct Control While In Use
Practice: Documents remain under the authorized individual’s direct control while in use and are never left unattended in mixed-access or public areas (clear-desk discipline). Executive rationale: the most common loss event is an unattended document in a shared space — cheap to prevent, expensive to report.
Compliance alignment: CMMC 2.0 MP.L2-3.8.1, PE.L2-3.10.6; NIST SP 800-171 §3.8.1, §3.10.6; NIST SP 800-53 Rev. 5 MP-4, PE-17; ISO/IEC 27001:2022 A.7.7 (clear desk), A.7.9 (assets off-premises).
3. Secure Transport
Practice: Transport in an opaque, sealed, or lockable container kept in the individual’s direct possession — never checked baggage or an unattended vehicle. Executive rationale: this is the core transport-protection objective an assessor will probe first for any offsite CUI claim.
Compliance alignment: CMMC 2.0 MP.L2-3.8.5; NIST SP 800-171 §3.8.5; NIST SP 800-53 Rev. 5 MP-5 (media transport); ISO/IEC 27001:2022 A.7.10 (storage media), A.5.14 (information transfer); DoDI 5200.48 (CUI transport).
4. Secure Storage When Not in Use
Practice: Store in a locked container, locked office, or other approved secure location when not in use. Executive rationale: demonstrable secure storage is the difference between a near-miss and a reportable spillage.
Compliance alignment: CMMC 2.0 MP.L2-3.8.1, PE.L2-3.10.1; NIST SP 800-171 §3.8.1, §3.10.1; NIST SP 800-53 Rev. 5 MP-4, PE-3; ISO/IEC 27001:2022 A.7.10; FTC Safeguards Rule 16 CFR 314.4(c)(1) and PCI DSS v4.0 Req. 9.4 (parallel handling for protected paper records).
5. Controlled Copying, Marking, and Destruction
Practice: Create copies only for a documented business need; every copy must carry the same CUI markings as the original and be protected and destroyed to the same standard — cross-cut shredding (or an NSA/CSS-listed high-security shredder for the most sensitive material) consistent with NIST SP 800-88. Executive rationale: uncontrolled copies multiply exposure invisibly; marking and destruction are two of the most frequently failed assessment objectives.
Compliance alignment: CMMC 2.0 MP.L2-3.8.3 (destruction), MP.L2-3.8.4 (marking), MP.L2-3.8.1 (protection); NIST SP 800-171 §3.8.3, §3.8.4; NIST SP 800-53 Rev. 5 MP-3 (marking), MP-6 (sanitization); NIST SP 800-88 Rev. 1; 32 CFR Part 2002 / DoDI 5200.48 (CUI marking); ISO/IEC 27001:2022 A.5.13 (labelling), A.7.14 (secure disposal); FTC Safeguards 16 CFR 314.4(c)(6) and PCI DSS v4.0 Req. 9.4.6 (secure disposal of paper records).
6. Prevent Unauthorized Review, Copying, or Photography
Practice: Unauthorized persons — including household members, visitors, and shoulder-surfers at alternate sites — may not review, copy, photograph, or retain CUI. Executive rationale: alternate-work-site exposure is now a standing condition, not an exception, and must be addressed explicitly.
Compliance alignment: CMMC 2.0 MP.L2-3.8.2, PE.L2-3.10.1, PE.L2-3.10.6; NIST SP 800-171 §3.8.2, §3.10.1, §3.10.6; NIST SP 800-53 Rev. 5 PE-3, PE-17, MP-2; ISO/IEC 27001:2022 A.7.7, A.7.9.
7. End-of-Day Return or Secure Storage
Practice: Return documents to the controlled facility or secure them in approved storage at the end of each workday. Executive rationale: bounded custody windows shrink the timeframe in which loss can occur and simplify accountability.
Compliance alignment: CMMC 2.0 PE.L2-3.10.6, MP.L2-3.8.1; NIST SP 800-171 §3.10.6, §3.8.1; NIST SP 800-53 Rev. 5 PE-17, MP-4; ISO/IEC 27001:2022 A.7.9, A.7.10.
8. Accountability Record for Transported CUI
Practice: Maintain a check-out/check-in record for hardcopy CUI taken offsite — identifying the document, the responsible individual, date out, destination, and date returned or destroyed — and apply it to all transport events, not only extended-duration retention. Executive rationale: this is the accountability heart of MP.L2-3.8.5 and the single artifact most likely to be requested in assessment.
Compliance alignment: CMMC 2.0 MP.L2-3.8.5; NIST SP 800-171 §3.8.5; NIST SP 800-53 Rev. 5 MP-5 (transport accountability), AU-2; ISO/IEC 27001:2022 A.5.14, A.7.10; PCI DSS v4.0 Req. 9.4.1–9.4.3 (media inventory and transport logs, parallel).
9. Immediate Reporting of Loss or Compromise
Practice: Report lost, stolen, or compromised documents immediately through the incident response process; a lost hardcopy CUI document is a reportable CUI incident (spillage), and reporting obligations may flow to the prime and the Government per contract. Executive rationale: timely, documented reporting is both a control objective and a legal risk-mitigator; failure to report compounds liability.
Compliance alignment: CMMC 2.0 IR.L2-3.6.1, IR.L2-3.6.2; NIST SP 800-171 §3.6.1, §3.6.2; NIST SP 800-53 Rev. 5 IR-4, IR-6; DFARS 252.204-7012 (72-hour cyber-incident reporting; contractual terms govern physical CUI loss); ISO/IEC 27001:2022 A.5.24–A.5.26; FTC Safeguards 16 CFR 314.4(h) and PCI DSS v4.0 Req. 12.10 (incident response, parallel).
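As an added example (not part of the article), a small Python check over a constructed check-out/check-in record of the kind item 8 describes: it reports entries missing a required field and documents still out past the end-of-day rule in item 7. The CSV column names, the ISO review date and the one-day rule are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample record (not real documents or people). Columns follow the
# fields listed in item 8; date_in/disposition stay blank while a document is out.
SAMPLE_LOG = """\
doc_id,holder,date_out,destination,date_in,disposition
CUI-2024-0117,A. Rivera,2024-05-06,Client site (Dayton),2024-05-06,returned
CUI-2024-0118,A. Rivera,2024-05-06,Client site (Dayton),,
CUI-2024-0119,B. Chen,2024-05-02,,2024-05-03,destroyed
CUI-2024-0120,B. Chen,2024-05-07,Residence,2024-05-07,returned
CUI-2024-0121,,2024-05-07,Program review (Huntsville),,
"""

REQUIRED_AT_CHECKOUT = ("doc_id", "holder", "date_out", "destination")
VALID_DISPOSITIONS = {"returned", "destroyed"}


@dataclass(frozen=True)
class Finding:
    doc_id: str
    issue: str


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _blank(value):
    return not (value or "").strip()


def check_custody_log(text, review_date_iso):
    """Return Findings for incomplete entries and open custody windows.

    review_date_iso: ISO date on which the log is reviewed. An entry with no
    date_in is still out; if its date_out is before the review date it has
    missed the end-of-day return/secure-storage rule (item 7). Assumed rule.
    """
    review_date = date.fromisoformat(review_date_iso)
    findings = []
    for row in _rows(text):
        doc = row.get("doc_id") or "<missing id>"
        for field in REQUIRED_AT_CHECKOUT:
            if _blank(row.get(field)):
                findings.append(Finding(doc, f"missing {field}"))
        if not _blank(row.get("date_in")):
            # Closed entry: it must record how custody ended.
            if (row.get("disposition") or "").strip().lower() not in VALID_DISPOSITIONS:
                findings.append(Finding(doc, "closed without valid disposition"))
            continue
        try:
            out = date.fromisoformat(row.get("date_out") or "")
        except ValueError:
            findings.append(Finding(doc, "unparseable date_out"))
            continue
        days_open = (review_date - out).days
        if days_open > 0:
            findings.append(Finding(doc, f"open custody for {days_open} day(s) past date_out"))
    return findings


def open_documents(text):
    """Doc IDs with no return or destruction recorded (still outside the facility)."""
    return [r["doc_id"] for r in _rows(text) if _blank(r.get("date_in"))]


if __name__ == "__main__":
    for f in check_custody_log(SAMPLE_LOG, "2024-05-08"):
        print(f"{f.doc_id}: {f.issue}")
    print("still out:", open_documents(SAMPLE_LOG))
```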
Cross-Framework Compliance Matrix
The matrix below shows how each safeguard area for printed CUI satisfies control objectives across the frameworks Northern Data Solutions customers most commonly operate under. The overlap is the point: one well-run hardcopy CUI procedure produces evidence for many frameworks at once.
| Safeguard Area | CMMC 2.0 / NIST 800-171 | NIST 800-53 Rev. 5 | DoD CUI Program | ISO 27001:2022 | FTC Safeguards / PCI DSS v4.0 |
|---|---|---|---|---|---|
| Authorized access / possession | MP.L2-3.8.2; PE.L2-3.10.1 | MP-2; PE-2; PE-3 | DoDI 5200.48 lawful access | A.5.15, A.5.18 | 314.4(c)(1) / Req. 7, 9.4 |
| Storage & in-use control | MP.L2-3.8.1; PE.L2-3.10.6 | MP-4; PE-17 | Safeguarding standards | A.7.7, A.7.9, A.7.10 | 314.4(c)(1) / Req. 9.4.1 |
| Transport & accountability | MP.L2-3.8.5 | MP-5; AU-2 | CUI transport rules | A.5.14, A.7.10 | — / Req. 9.4.1–9.4.3 |
| Marking | MP.L2-3.8.4 | MP-3 | 32 CFR 2002 marking | A.5.13 | — / Req. 9.4.1 |
| Destruction | MP.L2-3.8.3 | MP-6 (800-88) | CUI destruction standards | A.7.14 | 314.4(c)(6) / Req. 9.4.6 |
| Alternate work site | PE.L2-3.10.6 | PE-17 | Safeguarding at alt. sites | A.7.9 | 314.4(c) / Req. 9 |
| Incident reporting | IR.L2-3.6.1/3.6.2 | IR-4; IR-6 | CUI spillage reporting | A.5.24–A.5.26 | 314.4(h) / Req. 12.10 |
| Training & awareness | AT.L2-3.2.1/3.2.2 | AT-2; AT-3 | CUI training mandate | A.6.3 | 314.4(e) / Req. 12.6 |
Two Frequently Overlooked Safeguards
Many hardcopy CUI procedures cover transport and storage well but omit two controls assessors routinely check — and both are easy executive wins:
CUI Marking (MP.L2-3.8.4). Every printed CUI document and every copy must carry the CUI banner marking, portion markings where applicable, and dissemination/distribution controls per 32 CFR Part 2002 and DoDI 5200.48. Unmarked hardcopy CUI is a common, avoidable finding. Build marking verification into the print and copy workflow.
Destruction Standard (MP.L2-3.8.3). Make “destroy in the same manner as the original” concrete: cross-cut shred (or an NSA/CSS-listed high-security shredder for the most sensitive material), consistent with NIST SP 800-88 for non-digital media. Document the method and retain destruction logs.
Example of an Official CUI Marking
Every printed CUI document and copy must be marked per the ISOO CUI Marking Handbook and DoDI 5200.48. A properly marked page has four elements: a banner marking at the top of every page, optional portion markings on each paragraph, a designation indicator block (lower-left) identifying who controlled the CUI and how to reach them, and the same banner repeated at the bottom of every page. The example below shows a CUI Specified document.
CUI//SP-CTI//FED ONLY
MEMORANDUM FOR RECORD
SUBJECT: Component Interface Specification
(CUI) This paragraph contains controlled technical information describing the component interface and is marked as controlled.
(U) This paragraph contains general, non-controlled information and is marked as uncontrolled.
(CUI) This paragraph again contains controlled technical information requiring protection.
Controlled by: Northern Data Solutions, PMO
Controlled by: Engineering Division
CUI Category: CTI (Controlled Technical Information)
Limited Dissemination Control: FED ONLY
POC: J. Smith, (555) 555-0123
CUI//SP-CTI//FED ONLY
Figure 1. Annotated CUI Specified marking. CUI Basic uses a simple “CUI” banner; CUI Specified adds category and dissemination controls (e.g., CUI//SP-CTI//FED ONLY).
The four marking components:
| # | Component | Description |
|---|---|---|
| 1 | Banner marking (top & bottom) | Centered on every page. Format: CUI//Category//Limited Dissemination Control. “SP-” denotes CUI Specified (here, CTI). The banner reflects the most restrictive marking required by any portion in the document. |
| 2 | Portion markings | Optional unless the designating agency requires them: (CUI) for controlled portions, (U) for uncontrolled. |
| 3 | Designation indicator | Lower-left block naming the controlling office, CUI category, limited dissemination control, and point of contact. |
| 4 | Bottom banner | Identical to the top banner; appears on every page. |
CUI Basic vs. CUI Specified: CUI Basic is marked simply as “CUI.” CUI Specified adds the category and dissemination controls shown above. Always verify category and dissemination markings against your contract and the DoD CUI Registry.
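As an added example (not from the article or the ISOO handbook), a Python check that applies the four marking components above to a page's text before it is printed or copied: banner form CUI//Category//LDC, matching top and bottom banners, portion markings consistent with the banner, and a designation indicator block that agrees with a Specified banner. The banner grammar, the indicator labels and the failing sample page are assumptions built from Figure 1.

```python
import re

# Banner grammar assumed from the example above: CUI, optional //categories
# ('/'-separated, SP- prefix means Specified), optional //LDC.
BANNER_RE = re.compile(r"^CUI(?://(?P<cats>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?(?://(?P<ldc>[A-Z ,-]+))?$")
PORTION_RE = re.compile(r"^\((CUI|U)\)\s")

# The article's Figure 1 page, reused as the passing input.
GOOD_PAGE = """\
CUI//SP-CTI//FED ONLY
MEMORANDUM FOR RECORD
SUBJECT: Component Interface Specification
(CUI) This paragraph contains controlled technical information describing the component interface and is marked as controlled.
(U) This paragraph contains general, non-controlled information and is marked as uncontrolled.
(CUI) This paragraph again contains controlled technical information requiring protection.
Controlled by: Northern Data Solutions, PMO
Controlled by: Engineering Division
CUI Category: CTI (Controlled Technical Information)
Limited Dissemination Control: FED ONLY
POC: J. Smith, (555) 555-0123
CUI//SP-CTI//FED ONLY
"""

# Constructed failing copy: footer banner cropped, only (U) portions,
# mistyped category, no LDC line in the indicator block.
BAD_PAGE = """\
CUI//SP-CTI//FED ONLY
(U) This paragraph contains general, non-controlled information.
Controlled by: Northern Data Solutions, PMO
CUI Category: CTL
POC: J. Smith, (555) 555-0123
Page 2 of 2
"""

def parse_banner(line):
    """Return {'specified', 'categories', 'ldc'} for a banner line, else None."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    cats = m.group("cats").split("/") if m.group("cats") else []
    return {"specified": any(c.startswith("SP-") for c in cats),
            "categories": [c[3:] if c.startswith("SP-") else c for c in cats],
            "ldc": m.group("ldc")}

def _field(lines, label):
    """Value of the first indicator line starting with label, else None."""
    for ln in lines:
        if ln.startswith(label):
            return ln[len(label):].strip()
    return None

def check_marking(page_text):
    """Return finding strings; an empty list means the page passes."""
    lines = [ln.strip() for ln in page_text.splitlines() if ln.strip()]
    if not lines:
        return ["empty page"]
    findings = []
    top, bottom = parse_banner(lines[0]), parse_banner(lines[-1])
    for name, banner in (("top", top), ("bottom", bottom)):
        if banner is None:
            findings.append(f"{name} banner missing or malformed")
    if top and bottom and lines[0] != lines[-1]:
        findings.append("top and bottom banners differ")
    # Banner reflects the most restrictive portion: marked portions with no (CUI) mean a CUI banner overstates the page.
    portions = [m.group(1) for m in map(PORTION_RE.match, lines[1:-1]) if m]
    if portions and "CUI" not in portions:
        findings.append("no portion is marked (CUI): banner should not be CUI")
    if top:
        if top["specified"]:
            cat = _field(lines, "CUI Category:")
            if cat is None or cat.split()[0] not in top["categories"]:
                findings.append(f"indicator category {cat!r} does not match banner {top['categories']}")
            ldc = _field(lines, "Limited Dissemination Control:")
            if top["ldc"] and ldc != top["ldc"]:
                findings.append(f"indicator LDC {ldc!r} does not match banner LDC {top['ldc']!r}")
        for label in ("Controlled by:", "POC:"):
            if _field(lines, label) is None:
                findings.append(f"designation indicator lacks {label!r}")
    return findings
```

Running `check_marking` on each page before it goes to the printer or copier gives the marking verification step a concrete pass/fail artifact.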
CUI Training Requirements
Everyone who handles CUI must receive CUI-specific, role-based training (AT.L2-3.2.1, AT.L2-3.2.2; DoD CUI Program 32 CFR Part 2002 / DoDI 5200.48). A standard security awareness platform — including the Proactive Advanced Security - Cybersecurity Awareness Training platform — does not include a CUI course. The authoritative DoD CUI course, however, is published by the U.S. Government and is free: assign it to every CUI handler, add a short internal module on the procedure above, and retain the completion certificates as evidence.
For the complete program — required topics, no-cost course links (CDSE, DCSA, and NARA), role-based responsibilities for Owners, CEOs, CFOs, CIOs, and Managers, and how to make the program audit-defensible — see the dedicated guide: Controlled Unclassified Information (CUI) Training: An Executive & Manager Guide.
Recommended Improvement: Migrate Toward Secure Electronic Access
For highly sensitive material — critical infrastructure drawings, detailed DoD facility plans, technical weapon-system information, or sensitive network diagrams — leadership should move away from hardcopy entirely and access CUI from a secure, managed device. Electronic access provides safeguards paper structurally cannot, and it converts manual accountability into automated, assessor-ready evidence:
Screen lock and session control — AC.L2-3.1.10 (session lock with pattern-hiding display).
Device control and access enforcement with adaptive MFA and least privilege — AC.L2-3.1.18 (control connection of mobile devices).
Encryption at rest — AC.L2-3.1.19 (encrypt CUI on mobile devices), SC.L2-3.13.16 (protect CUI at rest), SC.L2-3.13.11 (FIPS-validated cryptography).
Automated logging and accountability — AU.L2-3.3.1 and AU.L2-3.3.2 deliver a complete, exportable record of who accessed what and when — evidence a paper log cannot match.
This is the executive ROI case: lower liability, lower audit-preparation cost, and a smaller physical risk surface, delivered as a predictable subscription through Cyberwatch Advanced.
Hardened Electronic Device (Tablet): A Proof-of-Concept to Replace Printed CUI
The most tangible way to retire printed CUI is to give the people who carry it a hardened electronic device — typically a managed, encrypted tablet — from which they access CUI instead of printing it. Unlike paper, a hardened tablet is access-controlled, encrypted, logged, and remotely recoverable. It is the natural endpoint for a field engineer, an executive traveling to a program review, or staff working from an alternate site who previously relied on a folder of documents.
What a Hardened Tablet Provides
A properly configured tablet enforces, in software, the protections that paper depends on people to remember:
FIPS-validated encryption at rest so a lost device does not become a spillage — AC.L2-3.1.19, SC.L2-3.13.16, SC.L2-3.13.11.
Managed enrollment and device trust (MDM/UEM) controlling which devices may connect — AC.L2-3.1.18.
Adaptive, phishing-resistant MFA and least-privilege conditional access — IA.L2-3.5.3, AC.L2-3.1.1, AC.L2-3.1.5.
Automatic screen lock with a pattern-hiding display and session termination — AC.L2-3.1.10, AC.L2-3.1.11.
Containerized access with no local persistence (view CUI without downloading it) and copy/screenshot/peripheral restrictions — AC.L2-3.1.3, AC.L2-3.1.21.
Remote lock and wipe if the device is lost or stolen — turning a potential incident into a non-event.
Encrypted, monitored remote access — AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.14.
Complete audit logging of who accessed what and when — AU.L2-3.3.1, AU.L2-3.3.2 — the automated accountability a paper check-out log cannot match (MP.L2-3.8.5).
A privacy screen filter to defeat shoulder-surfing at alternate work sites — reinforcing PE.L2-3.10.6.
Recommended Proof-of-Concept (POC) Trial
Rather than commit to an enterprise rollout up front, leadership should authorize a focused, time-boxed Proof-of-Concept that proves a hardened tablet can replace printed CUI for a real use case before scaling. A practical POC runs as follows:
Define a narrow pilot. Select one representative use case and a small group of users (for example, two to five field engineers or program staff who currently carry printed CUI offsite).
Set success criteria and evidence. Decide what “success” means up front — e.g., the user completes their work with zero printed CUI, every access is logged, screen lock and encryption are enforced, and no spillage occurs — and identify the evidence to capture (access logs, configuration reports, user attestations).
Provision the POC device with the full IAM control set. Through Cyberwatch Advanced, enroll the tablet in MDM, enable FIPS-validated encryption, adaptive MFA, least-privilege conditional access, automatic screen lock, remote wipe, containerized access, and logging.
Run the trial (typically 30–60 days). Pilot users access CUI electronically instead of on paper, supported by a short role-based briefing on the new workflow.
Measure and review. Compare results against the success criteria, gather user feedback, and assemble the evidence package as if for an assessor.
Make a go/no-go decision and roadmap. If the POC succeeds, plan the scoped production rollout; if not, capture the gaps and iterate.
Important: POC Hardening Is Not the Final Scoped Hardening
One point must be clear to leadership before the POC begins. The POC tablet will carry the full set of Identity and Access Management controls — adaptive MFA, least privilege, Zero Trust access, device trust, encryption, and logging — and that is enough to prove the concept and demonstrate the user experience and accountability benefits. It is not, however, the final scoped hardened build required for CMMC certification. Final hardening can only be completed after the CMMC assessment scope and CUI boundary are formally defined. The production configuration will additionally require items such as a complete configuration baseline (e.g., DISA STIG / CIS Benchmark application), confirmation of FIPS-validated cryptographic modules in the assessed configuration, OS and application allow-listing, enclave/boundary placement, and full documentation in the System Security Plan.
In short: the POC proves the concept and the IAM controls today; the production device is hardened to the defined scope and boundary next. Northern Data Solutions’ Cyberwatch risk identification and vCSO offering define that scope and boundary, Cyberwatch Advanced delivers and manages the device controls, and Compliance-as-a-Service documents the hardened baseline as assessor-ready evidence.
How These Controls Work Together
Authorized access + accountability ensure that only the right people hold CUI and that every movement is recorded — the administrative backbone of the Media Protection family.
Marking + destruction close the lifecycle: CUI is identifiable while it exists and unrecoverable when retired, satisfying the objectives most often failed in assessment.
Transport + alternate-site safeguards + incident reporting govern CUI precisely where it is most exposed — in motion and offsite — and ensure a fast, documented response if something goes wrong.
Electronic access operationalizes all of the above automatically. When CUI is governed through Cyberwatch Advanced, each control generates the artifacts your assessors require: access certifications, conditional-access policies, encryption inventories, audit logs, training attestations, and destruction records.
Why Cyberwatch Advanced
Cyberwatch Advanced is Northern Data Solutions’ flagship managed cybersecurity subscription, purpose-built to turn fragile, paper-based information handling into auditor-ready, electronically governed control of Controlled Unclassified Information (CUI). Printed CUI carried outside a controlled facility is one of the highest-liability, lowest-visibility risks an executive owns: there is no log, no screen lock, no remote wipe, and no automated accountability — only a person, a folder, and trust. Cyberwatch Advanced replaces that trust with evidence.
For leadership, Cyberwatch Advanced delivers:
Secure electronic access to CUI that can replace hardcopy entirely — Identity and Access Management with adaptive MFA, Principle of Least Privilege, and Zero Trust Architecture, so sensitive material is accessed from a managed device with screen lock, encryption, and full audit logging rather than printed and carried.
Continuous accountability and evidence — every access to CUI generates an exportable record mapped to CMMC 2.0 / NIST SP 800-171 Rev. 2, satisfying the very objectives (MP.L2-3.8.5 accountability, AU.L2-3.3.1/3.3.2 logging) that a paper check-out log struggles to prove.
Workforce awareness and attestation tracking — a security awareness training platform that records training completion and attestation. The Proactive Advanced Security - Cybersecurity Awareness Training platform does not include a CUI-specific course; CUI role-based training is delivered through no-cost U.S. Government courses (see CUI Training Requirements above), and Cyberwatch Advanced together with Compliance-as-a-Service tracks assignment, completion, and certificates as evidence for AT.L2-3.2.1/3.2.2.
Attack surface visibility, password management and rotation, and least-privilege enforcement across the identities and systems that touch CUI.
Combined with Cyberwatch (third-party penetration testing, validation, and vulnerability identification), our Compliance-as-a-Service platform (which documents your CUI handling procedure in the System Security Plan, tracks POA&M items, and assembles assessor-ready evidence), and our vCSO executive offering (governance, board reporting, and assessor liaison), Cyberwatch Advanced makes CUI protection a predictable line item rather than an audit fire drill.
The bottom line: you can remain compliant while printed CUI leaves your facility — but the defensible, lower-cost, lower-liability path is to govern that CUI electronically. Talk to your account team to schedule a Cyberwatch Advanced readiness review.
Key Takeaways
The premise is correct. CMMC Level 2 does not prohibit printed CUI from leaving a controlled facility; it requires the CUI to remain protected, accountable, and evidenced.
The risk is an executive risk. Hardcopy CUI handling affects contract eligibility, False Claims Act exposure, and board-level reputational risk — not just IT operations.
Two gaps are common and avoidable. Add CUI marking verification and a concrete destruction standard to your procedure now.
Compliance is a by-product of operating these controls. One well-run hardcopy CUI procedure produces evidence across CMMC, NIST 800-53, ISO 27001, the DoD CUI Program, and (for parallel paper-records obligations) FTC Safeguards and PCI DSS.
The defensible end-state is electronic. Minimize paper and govern the remainder through Cyberwatch Advanced for automated accountability and lower total cost — proven first through a hardened-tablet Proof-of-Concept.
Next Steps
Document and train. Formalize the procedure above, reference it in your SSP, and train every authorized CUI handler with documented attestation.
Close the marking and destruction gaps immediately — the lowest-cost, highest-visibility assessment wins.
Engage a Cyberwatch Risk Identification assessment to baseline how CUI (hardcopy and digital) flows through your environment and where exposure concentrates.
Run a hardened-tablet Proof-of-Concept for a representative offsite use case, then adopt secure electronic access through Cyberwatch Advanced for your most sensitive CUI, with Compliance-as-a-Service maintaining the evidence and vCSO providing executive governance.
Contact Northern Data Solutions to schedule a CMMC Level 2 readiness consultation and an executive review of your CUI handling procedures.