3.8.4 has a weight of -1 points
(Media Protection Family) 4/9
Mark media with necessary CUI markings and distribution limitations.[27]
Example of System Security Plan (SSP):
Control 3.8.4: Marking Media Containing CUI
Objective: Our primary aim is to ensure all media containing CUI are properly marked, handled, and controlled to prevent unauthorized access, distribution, or compromise.
Scope: This policy applies to all employees, contractors, and third parties who may come into contact with or handle media containing CUI within the organization.
Definition of System Media: System media encompasses both digital and non-digital platforms used for the storage, processing, or transmission of CUI. This includes digital files, paper documents, microfilm, and any other medium where CUI might be found.
Implemented Measures and CUI Marking Guidance:
- We strictly follow the government-provided CUI marking guidelines.
- Portable storage media containing CUI are identified with a “CUI Notice” sticker.
- Filing cabinets housing CUI are marked “Contains CUI” using designated stickers.
- Systems housing CUI exhibit interactive logon messages at login, informing users of the CUI’s security and privacy norms.
- We’ve activated specialized email filters that pinpoint, notify, and label emails potentially containing CUI within our secure system.
Security Marking Requirements: Security marking means applying human-readable security attributes to system media that signal the sensitivity and handling requirements of the information. Correctly marked system media let personnel recognize the degree of protection the CUI on them requires.
CUI Markings and Distribution Limitations: Media containing CUI carry the appropriate CUI labels and distribution restrictions according to the guidance in [32 CFR 2002] and [NARA CUI]. These markings categorize the information by sensitivity and make any access and distribution limitations clear.
Compliance with Federal Guidelines: Our marking practice follows the guidance stipulated in [NARA MARK], ensuring conformity with federal rules and regulations on CUI management. Adherence to these guidelines is essential to a standardized and effective approach to protecting CUI.
Training and Awareness: Personnel who handle system media receive rigorous training on correctly applying CUI markings and distribution limitations. The training emphasizes that following the marking guidelines is what keeps sensitive data protected.
Incident Reporting and Response: Should any incident involving improperly marked or improperly distributed CUI arise, we follow a proactive incident reporting and resolution procedure. Prompt reporting and correction of such incidents limit the resulting risk and ensure corrective measures are put in place.
Continuous Improvement: We periodically reassess and improve our marking procedures to keep pace with updates to federal guidelines and industry best practices, so that our approach to marking system media remains current and effective in securing CUI.
Policy Statement: Our organization is committed to the appropriate handling and safeguarding of Controlled Unclassified Information (CUI). We have implemented a thorough policy for marking system media that houses CUI with the requisite security attributes and distribution constraints. This policy is consistent with pertinent federal laws, Executive Orders, policies, directives, and regulations, preserving the confidentiality and integrity of CUI.
Example of Plan of Action and Milestones (POA&M):
Plan of Action & Milestones (POA&M) for Control 3.8.4: Marking Media Containing CUI
1. Objective: Ensure all media containing CUI are properly marked, handled, and controlled.
Milestones:
1.1 Conduct an initial assessment to identify all current media (digital and non-digital) containing CUI.
1.2 Determine gaps in current marking processes against the government-provided CUI marking guidelines.
1.3 Finalize and implement an updated marking guideline that aligns with federal standards.
2. Scope: Cover all employees, contractors, and third parties handling CUI within the organization.
Milestones:
2.1 Develop a scope document detailing the roles, responsibilities, and processes for marking CUI.
2.2 Communicate scope and responsibilities to all relevant parties.
3. System Media Definition and Inventory: Catalog both digital and non-digital platforms used for CUI storage, processing, or transmission.
Milestones:
3.1 Create a comprehensive inventory list of all system media.
3.2 Periodically review and update the inventory for accuracy.
4. Marking Guidelines Implementation:
Milestones:
4.1 Procure “CUI Notice” stickers and designated “Contains CUI” stickers.
4.2 Implement interactive logon messages for systems containing CUI.
4.3 Activate and test specialized email filters for CUI detection.
5. Security Marking Requirements:
Milestones:
5.1 Develop a standard operating procedure (SOP) for security marking.
5.2 Train personnel in the SOP.
5.3 Regularly review and update the SOP to ensure it meets current guidelines.
6. Compliance with Federal Guidelines:
Milestones:
6.1 Review current processes against [NARA MARK] guidance.
6.2 Implement required changes to achieve full compliance.
6.3 Establish a periodic review mechanism to ensure ongoing compliance.
7. Training and Awareness:
Milestones:
7.1 Develop a CUI marking training program.
7.2 Schedule and conduct initial training sessions.
7.3 Implement periodic refresher courses and update training materials as required.
8. Incident Reporting and Response:
Milestones:
8.1 Establish a CUI incident reporting system.
8.2 Train personnel on incident reporting procedures.
8.3 Conduct periodic drills to test the system’s effectiveness.
9. Continuous Improvement:
Milestones:
9.1 Set up a task force to regularly review marking procedures.
9.2 Identify areas of improvement based on reviews and feedback.
9.3 Implement changes and updates as identified.
10. Policy Statement Update:
Milestones:
10.1 Review the current policy statement for relevance and accuracy.
10.2 Make required changes or updates to the policy.
10.3 Communicate updated policy to all relevant personnel.
Target Completion Date: [Specific Date]
Responsible Party: [Designated Department/Individual]
Resources Allocated: [Specify budget, personnel, and other resources]
Review Date: [Specify periodic review dates for POA&M]
This POA&M provides a structured approach to ensuring that the organization’s media containing CUI is properly marked and handled in compliance with federal guidelines. It is essential that each milestone is tracked and updated regularly to ensure timely completion and ongoing compliance.
NARA (National Archives and Records Administration) Standards:
NARA provides detailed guidance on marking CUI, which is laid out in 32 CFR Part 2002. Below is a summarized version of some of the key marking elements:
- CUI Banner Marking: At the top of the document, you should have a banner marking. The simplest form is “CONTROLLED” or “CUI”, but it can be more specific based on the category or sub-category of the CUI.
- Specified CUI Categories: If the CUI falls under a “specified” category (meaning it has additional laws, regulations, or government-wide policies that dictate its handling), then the CUI marking should also include the category, e.g., “CUI//Category Name”.
- Portion Marking: Individual paragraphs or sections can be marked to indicate which specific parts of the document contain CUI. For example, a paragraph can start with “(CUI)” to indicate that it contains controlled unclassified information.
- Decontrolling and Expiry: If there is a date or event when the information can be decontrolled, that should be marked as well.
- Handling and Dissemination Controls: Any additional handling or dissemination instructions should be clearly marked. For instance, if the CUI should not be shared with foreign nationals, it might be marked “NOFORN” (No Foreign Nationals).
- Legacy Markings: Documents marked under the previous system before CUI was standardized might still be in circulation. Those handling such documents should be trained to understand and respect those markings and, when feasible, re-mark documents to the new standard.
- Transmittal Document Markings: When sending CUI in a package or envelope, the transmittal document should be clearly marked that it contains CUI, but the exterior of the package should not give any indication of the presence of CUI, to prevent undue attention.
RELEVANT INFORMATION:
The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations. See [NARA MARK].[27] The implementation of this requirement is per marking guidance in [32 CFR 2002] and [NARA CUI]. Standard Form (SF) 902 (approximate size 2.125” x 1.25”) and SF 903 (approximate size 2.125” x .625”) can be used on media that contains CUI such as hard drives, or USB devices. Both forms are available from https://www.gsaadvantage.gov.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.