MP.3.122

Control Acronym

MP

Family

Media Protection

CMMC Level

3

800-171 Control #

3.8.4

CMMC Description

Mark media with necessary CUI markings and distribution limitations.

CMMC Clarification

All media (e.g., USB drives, CDs, DVDs, diskettes, hard drives, and paper) must be properly marked to alert individuals to the presence of Controlled Unclassified Information (CUI) stored on the media. Since the media itself may be small and provide limited space to mark it you should at a minimum mark it as “Controlled” or CUI” and the designating agency. If the media is hard to mark alternate methods may be approved to indicate the presence of CUI. For example, a company may place a CUI banner on the desktop background image or monitor attached to the system. They could also require the user to accept a banner message stating CUI may be present on the system. Example You were recently contacted by the project manager for a new Department of Defense program at your company. The project manager said she wanted the CUI with the program properly protected. After speaking with her, most of the protections will be provided as part of the organization’s cybersecurity capabilities infrastructure. She also mentions that the project team will use several USB drives to share certain data sets. You tell her that the USB drives the organization provides have encryption built into the device. You explain while this protects the confidentiality of the data the team must ensure the USB drives are externally marked to indicate the presence of CUI. The project manager thanks you for the reminder and has her team label the outside of each USB drive with an appropriate CUI label.

800-171 Description

Mark media with necessary CUI markings and distribution limitations.

800-171 Discussion

The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations. See [NARA MARK].

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MP-3

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.8.4

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.PT-2

CERT RMM Reference

CERT RMM v1.2 MON:SG2.SP4

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

MP.3.122.[a] media containing CUI is marked with applicable CUI markings; and

Assessment Sub-Criteria 2

MP.3.122.[b] media containing CUI is marked with distribution limitations.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15