NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-22 — Component Marking
Mark [Assignment: organization-defined system hardware components] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.
Supplemental Guidance
Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in [AC-3](#ac-3) or [AC-4](#ac-4). Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.
Practitioner Notes
Hardware components should be visually marked to indicate the sensitivity level of information they are authorized to process. Visible markings help prevent mistakes such as accidentally connecting a classified drive to an unclassified system.
Example 1: Apply color-coded labels to all hardware: green stickers for unclassified systems, yellow for CUI, red for classified. Apply labels to monitors, keyboards, system units, cables, and peripherals. Make the markings large enough to be easily visible from a normal working distance.
Example 2: Use engraved asset tags or tamper-evident labels that include the system name, classification level, and asset number. For cables, use color-coded cable ties or labels at both ends. Include marking requirements in your configuration management procedures so new equipment is marked before deployment.