NIST 800-53 REV 5 • MEDIA PROTECTION
MP-3 — Media Marking
Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}.
Supplemental Guidance
Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Practitioner Notes
Media containing organizational data needs to be clearly marked with distribution limitations and handling instructions. If someone picks up a drive or document, they should immediately know how sensitive it is and how to handle it.
Example 1: Create a media labeling standard: apply CUI marking labels to USB drives, backup tapes, and external hard drives that contain controlled information. Use pre-printed labels or a label maker with your organization's CUI banner marking (e.g., 'CUI//SP-CTI').
Example 2: For printed documents, configure your printers to automatically add header and footer banners showing the sensitivity level. In Microsoft 365, use sensitivity labels in Microsoft Purview to automatically apply headers, footers, and watermarks to documents based on their classification.