CMMC practice MP.L2-3.8.4, derived from NIST SP 800-171 Rev 2 security requirement 3.8.4, requires organizations to mark system media containing CUI with applicable CUI markings and distribution limitations before the media leaves organizational control or is transferred between individuals. This includes both digital media (USB drives, optical discs, portable hard drives, backup tapes) and physical/non-digital media (printed documents, microfiche, film) that contain CUI. Markings must comply with the CUI Registry maintained by the National Archives and Records Administration (NARA) and any applicable agency or contract-specific instructions. The marking must indicate both the CUI category or subcategory and any handling caveats or distribution limitations that restrict who may access the information. This practice is a foundational control ensuring that the sensitivity of information on removable or transportable media is immediately visible and unambiguous to all handlers.
Where it stops · what it isn't
- This practice does not govern the sanitization, destruction, or disposal of media; those are covered by MP.L2-3.8.3 and MP.L2-3.8.7.
- This practice does not address access controls restricting who can read or write to media; those are covered by MP.L2-3.8.1.
- This practice does not cover encryption of data in transit or at rest on media; that is addressed by SC.L2-3.13.8 and SC.L2-3.13.16.
- This practice does not apply to media that has been fully sanitized and contains no residual CUI, as there is no longer a requirement to maintain CUI markings on such media.
- This practice does not define the specific CUI categories or subcategories themselves; those are defined by the CUI Registry and applicable government contracts or program guidance.