Overview:
Mark media with necessary CUI markings and distribution limitations.
Action Items:
3.8.4[a]
Determine if: media containing CUI is marked with applicable CUI markings.
3.8.4[b]
Determine if: media containing CUI is marked with distribution limitations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: System media protection policy; procedures addressing media marking; physical and environmental protection policy and procedures; system security plan; list of system media marking security attributes; designated controlled areas; other relevant documents or records].
2
Interview: Personnel with system media protection and marking responsibilities; personnel with information security responsibilities].
3
Test: Organizational processes for marking information media; mechanisms supporting or implementing media marking].
Related Documents (document name and content will vary by organization):
1) System media protection policy
2) procedures addressing media marking
3) physical and environmental protection policy and procedures
4) system security plan
5) list of system media marking security attributes
6) designated controlled areas
7) other relevant documents or records
Additional Guidance:
The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external or removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations. See NARA Marking Handbook.
Article ID: 172
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-media-marking-3-8-4-172.html