NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors subject to DFARS 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, rather than the version of NIST SP 800-171 in effect at the time the solicitation is issued or as otherwise authorized by the contracting officer.

Control Family: Media Protection

Control Type: Derived

SPRS Value: 1

SPRS Supplemental Guidance:

N/A

CMMC Level(s): MP.L2-3.8.4

Top Ten Failed Requirement:

No

3.8.4: Mark media with necessary CUI markings and distribution limitations.

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

  • MP-3

NIST Supplemental Guidance:

[NARA MARK]

Discussion:

The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations. See [NARA MARK].

Upon assessment, assessors must determine if:

3.8.4[a] media containing CUI is marked with applicable CUI markings.
3.8.4[b] media containing CUI is marked with distribution limitations.

Assessors are instructed to:

Examine: [SELECT FROM: System media protection policy; procedures addressing media marking; physical and environmental protection policy and procedures; system security plan; list of system media marking security attributes; designated controlled areas; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system media protection and marking responsibilities; personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for marking information media; mechanisms supporting or implementing media marking].

FURTHER DISCUSSION

All media, hardcopy and digital, must be properly marked to alert individuals to the presence of CUI stored on the media. The National Archives and Records Administration (NARA) has published guidelines for labeling media of different sizes. MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it desirable to include ownership information on the device label as well.

Example

You were recently contacted by the project team for a new DoD program. The team said they wanted the CUI in use for the program to be properly protected. When speaking with them, you realize that most of the protections will be provided as part of existing enterprise cybersecurity capabilities. They also mentioned that the project team will use several USB drives to share specific data. You explain that the team must ensure the USB drives are externally marked to indicate the presence of CUI [a]. The project team labels the outside of each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the labels indicate that distribution is limited to those employees supporting the DoD program [b].

Potential Assessment Considerations

  • Are all media containing CUI identified [a,b]?