CMMC Practice Number: MP.L2-3.8.4
CMMC Level: 2
CMMC Domain: Media Protection (MP)
Practice Summary:
Mark media with necessary CUI markings and distribution limitations.
CMMC Practice Implementation
Assessment Objectives
Determine if:
[a] media containing CUI is marked with applicable CUI markings; and
[b] media containing CUI is marked with distribution limitations.
Practice Clarification (DOD, CMU)
All media, hardcopy and digital, must be properly marked to alert individuals to the presence of CUI stored on the media [a]. The National Archives and Records Administration (NARA) has published guidelines for labeling media of different sizes.
MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it desirable to include ownership information on the device label as well.
Example
You were recently contacted by the project team for a new DoD program. The team said they wanted the CUI in use for the program to be properly protected. When speaking with them, you realize that most of the protections will be provided as part of existing enterprise cybersecurity capabilities. They also mentioned that the project team will use several USB drives to share specific data. You explain that the team must ensure the USB drives are externally marked to indicate the presence of CUI [a]. The project team labels the outside of each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the labels indicate that distribution is limited to those employees supporting the DoD program [b].
Potential Assessment Considerations
- Are all media containing CUI identified [a,b]?
Where To Look
- System media protection policy;
- procedures addressing media marking;
- physical and environmental protection policy and procedures;
- system security plan;
- list of system media marking security attributes;
- designated controlled areas;
- other relevant documents or records.
Who To Talk To
- Personnel with system media protection and marking responsibilities;
- personnel with information security responsibilities.
Perform Test On
- Organizational processes for marking information media;
- mechanisms supporting or implementing media marking.
Additional Information
The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes regarding internal data structures within information systems. Security marking is generally not required for media containing information determined by companies to be in the public domain or to be publicly releasable. However, some companies may require markings for public information indicating that the information is publicly releasable.
This security requirement is meant to be applied by using physical controls to access physical media, but other mechanisms for logical access are acceptable. It applies to information system media, which includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. It does not include cell or smartphones.
The requirements of the DFARS clause only apply to covered defense information, i.e., information provided or developed by the contractor for DOD which is Controlled Technical Information or other information requiring protection by law, regulation, or government-wide policy. It does not apply to information provided by or developed for non-DOD organizations. Guidance on marking media, along with other materials, should be addressed separately in the contract and is derived from DOD Manual 5200.01, Volume 4, “DOD Information Security Program: Controlled Unclassified Information (CUI).”
CMMC Practice Background and References (DOD, CMU)
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations.
CMMC References:
- NIST SP 800-171 Rev 1 3.8.4
- NIST CSF v1.1 PR.PT-2
- CERT RMM v1.2 MON:SG2.SP4
- NIST SP 800-53 Rev 4 MP-3