CMMC Level 2 Practice 3.8.4: Mark media with necessary CUI markings and distribution limitations

To meet CMMC Level 2 Practice 3.8.4, you must ensure all media containing CUI is clearly marked with required CUI markings and distribution limitations, and that staff consistently apply those markings across physical and digital media. Operationalize it by standardizing your marking scheme, embedding it into workflows and tools, and retaining evidence that marking happens before distribution.

Key takeaways:

  • Marking must follow a defined, repeatable standard for media that contains CUI, not just documents.
  • “Distribution limitations” must be explicit so recipients understand handling and sharing constraints.
  • Assessors will look for both procedures and proof of execution (samples, screenshots, records).

CMMC Level 2 aligns to NIST SP 800-171 Rev. 2, and Practice 3.8.4 targets a common failure mode: teams protect CUI in systems but lose control at the “edge,” where CUI gets copied to removable drives, exported to PDFs, burned to backups, printed, or shipped. This requirement is straightforward, but it breaks down in operations because “media” is broad and because organizations often treat marking as a discretionary admin task rather than a controlled step in content and asset handling.

Your goal is to make CUI markings and distribution limitations predictable and hard to bypass. That means you define what “necessary CUI markings” look like for your environment (labels, headers/footers, file name conventions, external labels, metadata), specify where each must appear (on-device, on-container, on-file), and train users to apply them consistently before sharing or moving CUI.

This page gives requirement-level implementation guidance you can execute quickly: applicability, step-by-step actions, evidence to retain, audit questions, and the pitfalls that cause findings during a CMMC Level 2 assessment. Primary references include the CMMC Program rule and guidance and the mapped NIST practice text. 1

Regulatory text

Requirement (mapped): “CMMC Level 2 practice mapped to NIST SP 800-171 Rev. 2 requirement 3.8.4 (Mark media with necessary CUI markings and distribution limitations).” 2

Operator meaning: If CUI is stored on or transported by media, you must mark that media (or its container, and often the content itself) so that anyone handling it can immediately recognize:

  1. it contains CUI, and
  2. what limits apply to sharing/distribution (for example, the category markings your program uses in the CUI Registry format, such as “CUI//SP-” followed by the category abbreviation for Specified CUI, plus any dissemination controls you adopt from contract or customer direction).

Your assessor will expect a defined marking approach and evidence that it is applied in daily work, not a one-time policy statement. 3

Plain-English interpretation of the requirement

You must label CUI-bearing media so CUI is recognizable and sharing boundaries are clear. “Media” includes removable storage (USB drives), external HDD/SSD, optical media, tapes, printed output, and other storage/transfer artifacts. In many environments it also includes digital “media-like” exports such as ISO images, encrypted containers, and backup sets.

“Necessary CUI markings” means: your marking scheme must be sufficient for a handler to identify CUI quickly without guessing. The marking format itself is not something you invent; for DoD CUI it is prescribed by 32 CFR Part 2002 and the CUI Registry, and this practice requires that media in your environment carry those markings consistently. “Distribution limitations” means: your markings must communicate any constraints on release or dissemination that apply to that CUI in your context (contractual/customer-driven). 4

Who it applies to

Applies to:

  • Defense contractors and subcontractors pursuing CMMC Level 2 who store, process, or transmit CUI. 5
  • Federal contractors handling CUI in a covered information system boundary where CMMC Level 2 is required by contract or program requirements. 6

Operational contexts where this practice matters most:

  • Engineering/manufacturing files moved via removable drives for machine tools or test equipment.
  • Program management exports (PDFs, slide decks) shared with third parties.
  • Data transfers to third parties (testing labs, contract manufacturers, consultants).
  • Backups and disaster recovery media.
  • Print-and-scan workflows where CUI becomes paper. 4

What you actually need to do (step-by-step)

1) Define what counts as “media” in your environment

Create a scoped list your teams can understand and follow. Include:

  • Removable storage (USB, SD cards)
  • Portable storage (external HDD/SSD)
  • Backup media (tapes, offline drives)
  • Printed materials and physical binders
  • Shipping containers for media (if used)
  • Encrypted containers (where your workflow creates them)

Deliverable: Media classification and marking standard (one pager plus appendix). 4

2) Define your CUI marking schema and “distribution limitations”

Document:

  • The standard text/label you apply (for example, “CUI” plus any required program/category indicators your contracts require).
  • Where markings must appear:
    • On physical media (label on drive)
    • On media container (envelope/case)
    • On printed pages (header/footer)
    • In file properties or a standardized first page for PDFs
  • What “distribution limitation” language you require (your organization should standardize the phrasing it will use, based on contract direction and internal rules).

Deliverable: CUI Marking & Dissemination Rules section in your CUI handling policy or SOP. 3

3) Embed marking into operational workflows (don’t rely on memory)

Pick at least three workflow control points:

  • Creation/export: templates for Office/PDF that auto-apply CUI headers/footers and distribution language.
  • Storage/transfer: require labeling before a removable device can be checked out or before data is copied to it.
  • Print: printers or print release procedures that prompt the user to confirm CUI marking expectations.

Practical patterns that work:

  • Standard folder structures and naming conventions that include CUI markers for exported deliverables.
  • A ticket/checklist requirement before media leaves a controlled area or is shipped.
  • A controlled media “checkout log” requiring confirmation that the label is applied. 4

4) Train and test the people who actually touch media

Focus training on:

  • Which media types require markings.
  • What labels look like and where to place them.
  • What to do if a label cannot be applied directly (use a container label and documented exception handling).

Then test with spot checks: ask users to show you how they would label a USB drive used to transfer a CUI file and how they would mark the exported PDF. Capture evidence. 4

5) Implement exception handling for edge cases

Define what happens when:

  • Media is too small to label (micro SD): label the container plus inventory tracking.
  • Automated processes generate media (backups): label the backup set/container and ensure the catalog indicates CUI.
  • Legacy media exists unmarked: remediate via a marking sweep and disposition plan.

Deliverable: Exception procedure and remediation log. 4
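As an added illustration (this is not code from the page or from any CMMC or NIST source), the following Python script models the pre-transfer control point described in steps 3 through 5: files about to be copied to media are checked for the marking text in header, footer, and file properties, and a media checkout record is rejected unless the label (or, for media too small to label directly, a container label) has been confirmed. The marking strings, the record fields, the set of “small media” types, and the sample inputs are all constructed assumptions; substitute your own program’s schema and checkout fields.

```python
"""Pre-transfer spot check for CUI marking (added example, not from the page).

Two control points from the procedure above are modelled:
  1. exported files must carry the marking text in header, footer and
     file properties before they are copied to media;
  2. a checkout record must confirm the physical label was applied, or,
     for media too small to label, that the container was labelled.
Marking text, field names and sample data are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical marking schema. The wording is an assumption; use the text
# your CUI handling SOP and contract direction actually require.
BANNER = "CUI"
DISTRIBUTION = "Distribution limited to authorized program personnel"

# Media types accepted with a container label instead of a direct label
# (the step 5 exception). Which types qualify is a local policy decision.
SMALL_MEDIA = {"microsd"}


@dataclass
class ExportedFile:
    name: str
    header: str
    footer: str
    properties: dict = field(default_factory=dict)


@dataclass
class CheckoutRecord:
    media_id: str
    media_type: str          # e.g. "usb", "microsd", "tape"
    label_confirmed: bool    # label applied directly to the media
    container_labeled: bool  # label applied to envelope/case instead
    destination: str


def check_file(f: ExportedFile) -> list[str]:
    """Return findings for one file; an empty list means it is fully marked."""
    findings: list[str] = []
    for where, text in (("header", f.header), ("footer", f.footer)):
        if BANNER not in text:
            findings.append(f"{f.name}: '{BANNER}' banner missing from {where}")
        if DISTRIBUTION not in text:
            findings.append(f"{f.name}: distribution limitation missing from {where}")
    if f.properties.get("classification") != BANNER:
        findings.append(f"{f.name}: file property 'classification' is not '{BANNER}'")
    return findings


def check_checkout(rec: CheckoutRecord) -> list[str]:
    """Return findings for a checkout record; empty list means transfer may proceed."""
    if rec.label_confirmed:
        return []
    if rec.media_type in SMALL_MEDIA and rec.container_labeled:
        return []  # documented exception path: container label accepted
    return [f"{rec.media_id}: no label confirmation before transfer to {rec.destination}"]


def pre_transfer_check(rec: CheckoutRecord, files: list[ExportedFile]) -> tuple[bool, list[str]]:
    """Combine both checks; the transfer is blocked if any finding exists."""
    findings = check_checkout(rec)
    for f in files:
        findings.extend(check_file(f))
    return (not findings, findings)


# Constructed sample inputs (no real CUI; illustrative only).
SAMPLE_FILES = [
    ExportedFile("drawing-rev3.pdf",
                 header=f"{BANNER} // {DISTRIBUTION}",
                 footer=f"{BANNER} // {DISTRIBUTION}",
                 properties={"classification": BANNER}),
    ExportedFile("test-plan.pdf",
                 header=BANNER,      # banner present, distribution text missing
                 footer="Page 1",    # no marking at all
                 properties={}),     # property never set by the export template
]
SAMPLE_USB = CheckoutRecord("USB-0042", "usb", label_confirmed=True,
                            container_labeled=False, destination="Test lab")
SAMPLE_MICROSD = CheckoutRecord("SD-0007", "microsd", label_confirmed=False,
                                container_labeled=True, destination="Machine shop")

if __name__ == "__main__":
    ok, findings = pre_transfer_check(SAMPLE_USB, SAMPLE_FILES)
    print("PASS" if ok else "BLOCK")
    for line in findings:
        print(" -", line)
```

Run as a checkout-desk or pre-copy gate, the script blocks the transfer for test-plan.pdf (banner and distribution text absent from the footer, distribution text absent from the header, property unset) while passing the fully marked drawing; the same findings list is the spot-check record you retain as evidence.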

6) Create recurring evidence capture for assessment readiness

Do not wait for the assessment. Set a cadence where you collect:

  • Photos of labeled physical media
  • Redacted screenshots of file markings (headers/footers) and properties
  • Completed checkout logs
  • Samples of marked printed material
  • Training completion records and spot-check results

Daydream note (practical): Many teams lose time by scrambling for “random samples” right before assessment. Daydream can serve as the system of record to map Practice 3.8.4 to your procedure, assign control owners, and store recurring evidence so you are not reconstructing history during an assessment. 7

Required evidence and artifacts to retain

Keep evidence that proves both design (your rules) and operation (your rules are followed).

Core artifacts

  • CUI Handling Policy or SOP with a dedicated media marking section 4
  • Media marking standard (label examples, placement rules, distribution limitation language) 4
  • Media inventory and/or checkout procedure (if you allow removable media) 4
  • Training materials and completion records for roles that handle CUI on media 4

Operational proof (assessment-friendly)

  • Photos of labeled removable media and containers (redact serials if needed, but keep traceability internally)
  • Examples of marked files (PDF exports, drawings, spreadsheets) showing CUI markings and distribution language
  • Print samples or scanned copies showing page markings
  • Spot-check/audit logs documenting periodic verification and outcomes

Common exam/audit questions and hangups

Assessors commonly probe:

  • “Show me a USB drive that is approved for CUI transfer and how it is labeled.”
  • “Show me three examples of CUI files exported to PDF and the markings applied.”
  • “How do you ensure distribution limitations are applied consistently?”
  • “What happens when someone needs to share CUI with a third party? Where is the limitation indicated?”
  • “How do you handle backup media that contains CUI?”

Hangups that trigger findings:

  • Policy exists, but no consistent physical labeling in the workspace.
  • Markings exist on documents, but not on the media/container used for transport.
  • Staff can’t explain what distribution limitation language means in practice.
  • No evidence trail; you can describe the process but can’t show samples. 3

Frequent implementation mistakes and how to avoid them

  • Mistake: Treating marking as “document-only”
    Why it fails: 3.8.4 is explicitly about media
    Fix: Expand scope to removable, backup, printed media, and containers 4
  • Mistake: Inconsistent label text
    Why it fails: Recipients can’t interpret limits; teams improvise
    Fix: Publish a single marking schema with examples; remove ambiguity 4
  • Mistake: No workflow control point
    Why it fails: People forget under time pressure
    Fix: Add a required step in checkout, shipping, or print release, or in export templates 4
  • Mistake: Evidence collected only at audit time
    Why it fails: You can’t prove ongoing operation
    Fix: Store recurring samples and logs throughout the year 6
  • Mistake: Distribution limitations unclear
    Why it fails: Marking exists but doesn’t constrain sharing
    Fix: Standardize dissemination language tied to your CUI handling rules 4

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this specific practice, so you should treat enforcement risk here as assessment and contractual risk rather than case-law-driven precedent. 5

Operational risk is concrete:

  • Unmarked media increases the chance of mishandling (misdelivery, improper sharing, accidental commingling with non-CUI).
  • If a spill occurs, lack of markings complicates incident scoping because you cannot quickly identify what was CUI and what limitations applied.
  • During a CMMC Level 2 assessment, weak evidence for 3.8.4 can create a control gap that blocks certification readiness, depending on how broadly the weakness appears across workflows. 7

A practical 30/60/90-day execution plan

First 30 days (stand up the standard)

  • Identify all media types and workflows where CUI touches media.
  • Publish the marking schema (text, placement, examples) and distribution limitation language.
  • Update your CUI handling SOP to require marking before distribution and transfer. 4

Days 31 to 60 (embed into operations)

  • Roll out templates for common exports (Office/PDF) that include CUI and distribution markings.
  • Implement media checkout/shipping steps that require confirmation of labeling.
  • Train the roles that handle CUI on media; run live spot-checks and document results. 4

Days 61 to 90 (prove repeatability)

  • Conduct a targeted internal review: sample removable media, backup media, and printed outputs for correct marking.
  • Fix exceptions and document remediation (legacy media sweep, container labeling rules).
  • Centralize evidence (procedures, samples, logs) so it is ready for assessors; Daydream can help keep the mapping, ownership, and recurring evidence organized. 7

Frequently Asked Questions

Does 3.8.4 apply if we never allow USB drives?

Yes, if you have any other media pathways (printed output, backup media, portable drives, shipped media). If you truly have no media use cases, document that constraint and show how you enforce it. 4

Do we need to mark both the file and the physical device?

Many programs do both because files get separated from devices and devices get reused. The requirement is about marking media, but strong implementation marks the content and the container where feasible. 4

What are “distribution limitations” in practice?

They are the handling and sharing constraints you must communicate to recipients (internal or third party) when CUI is on media. Standardize the language you will apply based on contract/customer direction and your CUI rules. 4

How do we handle backup tapes or offline backups that contain CUI?

Label the backup media and/or its container and ensure the inventory or catalog indicates it contains CUI and the applicable limitation language. Keep records that show the labeling process is performed consistently. 4

What evidence is most persuasive to assessors?

Real operational samples: photos of labeled media, screenshots of marked exports, checkout/shipping logs, and documented spot-checks. Pair that with a clear SOP that tells users exactly what to do. 7

We receive CUI already marked by the government. Do we still need our own markings?

You still need a process that ensures media in your environment remains properly marked when copied, exported, printed, or transferred. Receiving markings help, but they do not control what happens after you create new instances on your media. 4

Footnotes

  1. 32 CFR Part 170; DoD CMMC Program Guidance; NIST SP 800-171 Rev. 2

  2. NIST SP 800-171 Rev. 2; DoD CMMC Program Guidance; 32 CFR Part 170

  3. NIST SP 800-171 Rev. 2; DoD CMMC Program Guidance

  4. NIST SP 800-171 Rev. 2

  5. 32 CFR Part 170; DoD CMMC Program Guidance

  6. DoD CMMC Program Guidance

  7. DoD CMMC Program Guidance; NIST SP 800-171 Rev. 2
