Organizational Control: Media Marking

Control ID: MP-3 Media Marking	Family: Media Protection	Source: NIST 800-53r4
Control: The organization: Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
Supplemental Guidance: The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable state and federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related Controls: PL-2, RA-3, AC-16
Control Enhancements: N/A
References: FIPS Publication 199.
Mechanisms:
Protocol Implementation Conformance Statements: N/A