>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

PE-22Component Marking

IL5
IL6

>Control Description

Mark organization-defined system hardware components indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices.

Permissions controlling output to the output devices are addressed in AC-3 or AC-4. Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes.

Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable.

Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.

>Related Controls

AC-3
AC-4
AC-16
MP-3

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern the implementation of component marking for the organization's facilities?
  • Who is responsible for overseeing and maintaining component marking controls?
  • How frequently are component marking controls reviewed and updated?
  • What process exists for granting exceptions to component marking requirements?
  • How does the organization ensure accountability for component marking across all facility locations?

Technical Implementation:

  • What technologies or systems technically implement component marking?
  • How are these systems configured to meet the control requirements?
  • What monitoring or alerting capabilities exist for component marking?
  • How do component marking systems integrate with other physical security infrastructure?
  • What redundancy or backup mechanisms support component marking?

Evidence & Documentation:

  • Provide documented policies and procedures for component marking.
  • Provide evidence of component marking implementation and configuration.
  • Provide logs, records, or reports demonstrating component marking activities over the past 90 days.
  • Provide testing, maintenance, or inspection records for component marking from the past year.
  • Provide evidence of component marking reviews, audits, or assessments.

Ask AI

Configure your API key to use AI features.