CMMC Practice MP.L2-3.8.4

Mark media with necessary CUI markings and distribution limitations.

Bold Coast Security Guidance

Labeling is second nature to larger organizations, but a new and occasionally challenging task for smaller organizations to stay on top of. To make it easiest for users, adopt as few labels as possible reflecting the data in your environment. At a minimum, system media containing CUI must be labeled as such. The labeling should include distribution limitations, following the guidance from NARA (National Archives and Records Administration). Note that there are exception for small devices, such as removable media devices, which must still be marked, but cannot accommodate a complete marking. Remember to Include labeling requirements in your security training and on any data handling posters or signs you create.

Discussion From Source

DRAFT NIST SP 800-171 R2 The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations.