CMMC Practice Requirement:

Mark media with necessary “Controlled Unclassified Information” (CUI) markings and distribution limitations.

CMMC Requirement Explanation:

The term marking refers to applying notices to digital and non-digital media indicating that they contain controlled information. Marking media makes employees aware of the security processes and policies associated with handling the data.

Example CMMC Implementation:

Mark any digital media containing CUI with a label reading "controlled". This includes thumb drives, CDs, and hard drives. Mention CUI in your system usage notifications (see practice AC.2.005). Mark non-digital media, such as papers, containing CUI. Post a notice outside of rooms where CUI is stored. Mark containers that hold CUI. Use the "Marking Controlled Unclassified Information" guide released by the National Archives as a reference when marking and labeling CUI.


- Scenario 1:


You have several hard drives and thumb drives containing CUI. To indicate that they require additional care when handled, you print out a marking reading "controlled" and tape it to the drives.

- Scenario 2:


You have several file cabinets that you want to use to store paperwork containing CUI. To indicate that they contain CUI, you mark them with a printout reading "Contains Controlled Unclassified Information".

- Scenario 3:


You are creating a document that will contain CUI. To indicate that it contains CUI, you type "Controlled" at the top and bottom of the document.
