Requirement text: MP.3.122: Mark media with necessary CUI markings and distribution limitations.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
The term security marking refers to the application or use of human-readable security
attributes. System media includes digital and non-digital media. Marking of system media
reflects applicable federal laws, Executive Orders, directives, policies, and regulations.
CMMC CLARIFICATION
All media (e.g., USB drives, CDs, DVDs, diskettes, hard drives, and paper) must be properly
marked to alert individuals to the presence of Controlled Unclassified Information (CUI)
stored on the media. Since the media itself may be small and provide limited space to mark
it you should at a minimum mark it as “Controlled” or CUI” and the designating agency. If
the media is hard to mark alternate methods may be approved to indicate the presence of
CUI. For example, a company may place a CUI banner on the desktop background image or
monitor attached to the system. They could also require the user to accept a banner message
stating CUI may be present on the system.
Example
You were recently contacted by the project manager for a new Department of Defense
program at your company. The project manager said she wanted the CUI with the program
properly protected. After speaking with her, most of the protections will be provided as part
of the organization’s cybersecurity capabilities infrastructure. She also mentions that the
project team will use several USB drives to share certain data sets. You tell her that the USB
drives the organization provides have encryption built into the device. You explain while
this protects the confidentiality of the data the team must ensure the USB drives are
externally marked to indicate the presence of CUI. The project manager thanks you for the
reminder and has her team label the outside of each USB drive with an appropriate CUI label.
References
• NIST SP 800-171 Rev 1 3.8.4
• NIST CSF v1.1 PR.PT-2
• CERT RMM v1.2 MON:SG2.SP4
• NIST SP 800-53 Rev 4 MP-3