03.08.04: Media Marking

Control Familly: Media Protection

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • N/A

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.08.04

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • MP-03

Mark system media that contain CUI to indicate distribution limitations, handling caveats, and applicable CUI markings.

Discussion:

System media include digital and non-digital media. Marking refers to the use or application of human-readable security attributes. Labeling refers to the use of security attributes for internal system data structures. Digital media include diskettes, magnetic tapes, external or removable solid state or magnetic drives, flash drives, compact discs, and digital versatile discs. Non-digital media include paper and microfilm. CUI is defined by NARA along with marking, safeguarding, and dissemination requirements for such information.

Assessment Methods and Objectives

Examine [SELECT FROM: physical protection policy and procedures; media protection policy and procedures; procedures for media marking; list of system media marking security attributes; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with system media protection and marking responsibilities; personnel with information security responsibilities]

Test [SELECT FROM: processes for marking information media; mechanisms for supporting or implementing media marking]

NIST SP 800-171A r3 Determining Statements Determine if:

A.03.08.04[01]: system media that contain CUI are marked to indicate distribution limitations.

A.03.08.04[02]: system media that contain CUI are marked to indicate handling caveats.

A.03.08.04[03]: system media that contain CUI are marked to indicate applicable CUI markings.