Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.4 – Mark media with necessary “Controlled Unclassified Information” (CUI) markings and distribution limitations.
Understanding the Requirement
This control requires that any physical or digital media that contains Controlled Unclassified Information be clearly labeled so handlers know it requires special protection and any limits on who may receive it. Under NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 the goal is to make CUI visible through consistent markings and distribution notes so personnel follow the correct handling, storage, and distribution procedures.
Technical Implementation
- Create and adopt a labeling standard: Define a short, consistent set of labels (for example, "Controlled" for general CUI and a companion line for distribution limits, e.g., "Distribution: Internal Only"). Put the standard in your information protection policy and produce printable label templates for small media, containers, and documents.
- Mark physical media and containers durably: Use adhesive, weather-resistant labels or engraved asset tags for thumb drives, external hard drives, CDs, and storage containers. For file cabinets, boxes, and envelopes, place a visible printed marking such as "Contains Controlled Unclassified Information" on the exterior and include a brief distribution restriction (e.g., "Do not release to external parties without authorization").
- Mark digital media and documents: Apply a "Controlled" banner or header/footer to documents and add metadata tags to electronic files. For removable media, set the volume label or place a README file named "CUI_CONTROLLED" at the root that states handling and distribution rules. Ensure automated backup and archival tools preserve these markings and metadata.
- Recordkeeping and inventory: Maintain an asset inventory that lists every CUI-bearing medium with its marking, owner, and distribution restrictions. Track handoffs with simple transfer logs (digital or paper) that note who received the media, date/time, and purpose. Use the inventory to support periodic audits and to find media quickly for sanitization or return.
- Operational controls and sanitization: Include handling and distribution rules in standard operating procedures: who may receive CUI, required approvals, and methods for sanitizing or destroying media. Specify approved tools and steps for wiping drives (e.g., processes that follow NIST SP 800-88 guidance) and record destruction actions in the inventory.
- Training and enforcement: Train staff on what CUI markings mean and how to act on distribution limits. Make marking rules part of onboarding and periodic refresher training, and give system/network administrators and security delegates authority to refuse or quarantine improperly marked media.
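The marking and inventory items above can be cross-checked automatically during an audit. The following is an added example, not part of the original guidance: it compares each inventory row with the "CUI_CONTROLLED" marker file at the media root and reports unmarked, missing, or mismatched media. The inventory column names, the "Key: value" layout of the marker file, and the sample assets are assumptions constructed for illustration.

```python
import csv
import io
import tempfile
from pathlib import Path

MARKER = "CUI_CONTROLLED"  # marker file name taken from the page

def read_marker(root: Path) -> dict:
    """Parse 'Key: value' lines from the marker file at a media root."""
    lines = (root / MARKER).read_text(encoding="utf-8").splitlines()
    pairs = (line.partition(":") for line in lines if ":" in line)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def audit(inventory_csv: str, base: Path) -> dict:
    """Return {asset_id: finding} for every row of the inventory."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        root = base / row["mount"]
        if not root.is_dir():
            status = "media not present"
        elif not (root / MARKER).is_file():
            status = "unmarked"
        else:
            marked = read_marker(root).get("distribution", "")
            same = marked.casefold() == row["distribution"].casefold()
            status = "ok" if same else f"distribution mismatch: {marked!r}"
        findings[row["asset_id"]] = status
    return findings

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """asset_id,owner,mount,distribution
USB-001,j.doe,usb1,Internal Only
USB-002,a.lee,usb2,DoD Recipients Only
USB-003,a.lee,usb3,Internal Only
USB-004,j.doe,usb4,Internal Only
"""

def demo() -> dict:
    """Audit constructed media roots: usb3 is unmarked, usb4 is absent."""
    text = "Marking: Controlled\nDistribution: Internal Only\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("usb1", "usb2", "usb3"):
            (Path(tmp) / name).mkdir()
        (Path(tmp) / "usb1" / MARKER).write_text(text, encoding="utf-8")
        (Path(tmp) / "usb2" / MARKER).write_text(text, encoding="utf-8")
        return audit(SAMPLE_INVENTORY, Path(tmp))

if __name__ == "__main__":
    print(demo())
```

In real use, `base` would be the directory where removable media are mounted and the inventory would be exported from the asset spreadsheet; any finding other than "ok" is a candidate for quarantine under the enforcement item above.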
Example in a Small or Medium Business
Acme Engineering, a 45-person firm, designates a security coordinator to implement CUI marking. They adopt a labeling template that reads "Controlled — Contains CUI" with a second line for distribution such as "Internal Only" or "DoD Recipients Only" when applicable. All USB drives and loaner laptops are issued with small engraved asset tags and entered into an inventory spreadsheet that records owner, issue date, and permitted recipients. Paper drawings that contain CUI are printed with "Controlled" at the top and bottom of each page and the file cabinet doors are marked "Contains Controlled Unclassified Information — Authorized Personnel Only." When an engineer needs to ship a report externally, they follow a request-and-approval workflow that checks the distribution limitation and documents authorization in the transfer log before packaging. Drives slated for disposal are sanitized using an approved wiping tool and then physically destroyed; the action is logged against the asset record. The security coordinator runs quarterly spot checks to ensure all stored media remain marked and that inventory records match physical items.
Summary
Consistent labeling, inventory controls, and simple operational procedures let SMBs meet MP.L2-3.8.4: clearly mark all media and note any distribution limits, record and track media handoffs, and enforce sanitization and disposal rules. Coupling durable physical labels with digital metadata, staff training, and routine audits ensures personnel recognize CUI, follow distribution restrictions, and reduce the risk of accidental exposure.