3.8.4—Media Protection - Derived
Derived Requirement
Control Description
Mark media with necessary CUI markings and distribution limitations.[27]
Discussion
The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations.
See [NARA MARK].
[27] The implementation of this requirement is per marking guidance in [32 CFR 2002] and [NARA CUI]. Standard Form (SF) 902 (approximate size 2.125" x 1.25") and SF 903 (approximate size 2.125" x .625") can be used on media that contains CUI, such as hard drives or USB devices. Both forms are available from https://www.gsaadvantage.gov.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern marking media with CUI markings?
- What procedures ensure proper marking of CUI media?
- Who is responsible for applying CUI markings to media?
- How do you handle media with mixed sensitivity levels?
- What governance ensures media markings are accurate?
Technical Implementation:
- How do you technically enforce media marking requirements?
- What tools or labels are used to mark physical media?
- How do you mark digital media or files with CUI indicators?
- What automated systems apply CUI markings?
- How do you verify media markings are present and correct?
Evidence & Documentation:
- Can you show examples of properly marked CUI media?
- What procedures document media marking requirements?
- Can you demonstrate digital and physical marking methods?
- What audit results verify media marking compliance?
- What evidence shows all CUI media is appropriately marked?