Media Markings
Mark media with necessary CUI markings and distribution limitations.
What an assessor scores, the objectives
MP.L2-3.8.4 is met only when every one of these 2 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a. media containing CUI is marked with applicable CUI markings
- b. media containing CUI is marked with distribution limitations
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For MP.L2-3.8.4, an assessor uses these:
- Examine: System media protection policy; procedures addressing media marking; physical and environmental protection policy and procedures; system security plan; list of system media marking security attributes; designated controlled areas; other relevant documents or records
- Interview: Personnel with system media protection and marking responsibilities; personnel with information security responsibilities
- Test: Organizational processes for marking information media; mechanisms supporting or implementing media marking
What it means, in context
The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations.
All media, hardcopy and digital, must be properly marked to alert individuals to the presence of CUI stored on the media. The National Archives and Records Administration (NARA) has published guidelines for labeling media of different sizes [146]. MP.L2-3.8.8 requires that media have an identifiable owner, so organizations may find it desirable to include ownership information on the device label as well.
[146] NARA, CUI Notice 2019-01: Controlled Unclassified Information (CUI) Coversheets and Labels
Example
You were recently contacted by the project team for a new DoD program. The team said they wanted the CUI in use for the program to be properly protected. When speaking with them, you realize that most of the protections will be provided as part of existing enterprise cybersecurity capabilities. They also mentioned that the project team will use several USB drives to share specific data. You explain that the team must ensure the USB drives are externally marked to indicate the presence of CUI [a]. The project team labels the outside of each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the labels indicate that distribution is limited to those employees supporting the DoD program [a].
Potential Assessment Considerations
- Are all media containing CUI identified [a,b]?
What passing evidence looks like
CUI media marked: labels on drives, folders, and printouts carrying the CUI marking and distribution limits, shown with a photo.
Common ways contractors fail MP.L2-3.8.4
- This is about YOUR media containing CUI: mark the backup drive and the printed binder. A label maker and ten minutes closes it; capture the photo.
The step-by-step walkthrough for Microsoft 365 GCC High, Google Workspace, and on-premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MP.L2-3.8.4 questions, answered
How many points is CMMC requirement MP.L2-3.8.4 worth?
MP.L2-3.8.4 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.
Can MP.L2-3.8.4 be placed on a POA&M?
Yes. A gap on MP.L2-3.8.4 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.
What family does MP.L2-3.8.4 belong to?
MP.L2-3.8.4 is in the Media Protection (MP) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.8.4