NIST 800-171 • LEVEL 2 • MEDIA PROTECTION
3.8.4 — Media Marking
System media include digital and non-digital media. Marking refers to the use or application of human-readable security attributes. Labeling refers to the use of security attributes for internal system data structures. Digital media include diskettes, magnetic tapes, external or removable solid state or magnetic drives, flash drives, compact discs, and digital versatile discs. Non-digital media include paper and microfilm. CUI is defined by NARA along with marking, safeguarding, and dissemination requirements for such information.
Assessment Objectives
- system media that contain CUI are marked to indicate distribution limitations.
- system media that contain CUI are marked to indicate handling caveats.
- system media that contain CUI are marked to indicate applicable CUI markings.
Practitioner Notes
CUI media needs to be clearly marked so anyone handling it knows what they are dealing with. This applies to both digital media (labels on USB drives, backup tapes) and non-digital media (cover sheets, headers and footers on printed documents).
Example 1: Apply physical labels to all removable media containing CUI. Use pre-printed labels or a label maker to print "CUI" along with the CUI category and any dissemination markings (e.g., "CUI//SP-CTI" for Controlled Technical Information). Stick the label directly on the USB drive, tape cartridge, or external drive.
Example 2: For printed CUI documents, include CUI markings in the header and footer of every page using your document template. In Microsoft Word, go to Insert > Header & Footer and add "CUI" or the appropriate category marking. You can also create a company Word template (.dotx) with CUI markings pre-configured so employees do not forget.
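To confirm that a template or finished document actually carries the markings described in Example 2, the following added example (not part of the original page) inspects the header and footer parts of a .docx file. The function names, the simplified banner pattern, and the rule that every header and footer part must be marked are assumptions of this sketch, and the sample document is constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Simplified banner check (assumption): bare "CUI" or "CUI//<category>",
# e.g. "CUI//SP-CTI". It does not validate categories against the CUI Registry.
BANNER = re.compile(r"\bCUI(?://[A-Z0-9-]+(?:/[A-Z0-9-]+)*)?(?![A-Za-z])")
PART = re.compile(r"word/(header|footer)\d*\.xml$")

def part_text(xml_bytes):
    """Join every <w:t> run; Word may split one banner across several runs."""
    root = ET.fromstring(xml_bytes)
    return "".join(t.text or "" for t in root.iter(W_NS + "t"))

def audit_docx(docx):
    """Return {'header': bool, 'footer': bool, 'unmarked': [part names]}.

    A side passes only if at least one part of that kind exists and every
    such part carries a banner (first-page and even-page variants included).
    """
    found = {"header": [], "footer": []}
    with zipfile.ZipFile(docx) as zf:
        for name in zf.namelist():
            m = PART.match(name)
            if m:
                marked = bool(BANNER.search(part_text(zf.read(name))))
                found[m.group(1)].append((name, marked))
    unmarked = [n for parts in found.values() for n, ok in parts if not ok]
    return {
        "header": bool(found["header"]) and all(ok for _, ok in found["header"]),
        "footer": bool(found["footer"]) and all(ok for _, ok in found["footer"]),
        "unmarked": sorted(unmarked),
    }

def make_sample(header_runs, footer_runs):
    """Constructed minimal package holding only header/footer parts."""
    def part(tag, runs):
        body = "".join(f"<w:r><w:t>{r}</w:t></w:r>" for r in runs)
        ns = W_NS.strip("{}")
        return f'<w:{tag} xmlns:w="{ns}"><w:p>{body}</w:p></w:{tag}>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/header1.xml", part("hdr", header_runs))
        zf.writestr("word/footer1.xml", part("ftr", footer_runs))
    buf.seek(0)
    return buf
```

audit_docx accepts a file path as well as a file object, so it can be run over a shared folder of templates; any part listed under "unmarked" is a header or footer variant that would print without a banner.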