Reference: CMMC v2.13
Family: MP
Level Introduced: 2
Title: Media Markings
Practice:
Mark media with necessary CUI markings and distribution limitations.
Further Discussion:
All media, hardcopy and digital, must be properly marked to alert individuals to the presence of CUI stored on the media. The National Archives and Records Administration (NARA) has published guidelines for labeling media of different sizes.
MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it desirable to include ownership information on the device label as well.
Example
You were recently contacted by the project team for a new DoD program. The team said they wanted the CUI in use for the program to be properly protected. When speaking with them, you realize that most of the protections will be provided as part of existing enterprise cybersecurity capabilities. They also mentioned that the project team will use several USB drives to share specific data. You explain that the team must ensure the USB drives are externally marked to indicate the presence of CUI [a]. The project team labels the outside of each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the labels indicate that distribution is limited to those employees supporting the DoD program [a].
Potential Assessment Considerations
• Are all media containing CUI identified [a,b]?
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
800-171 Requirements v2 (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.