03.08.04: Media Marking
NIST SP 800-171 Rev. 3 requirement 03.08.04 (Media Marking) requires you to mark system media that contains CUI so personnel can immediately recognize handling restrictions and apply the right protections throughout the media lifecycle. Operationalize it by defining what “media” includes in your environment, standardizing CUI markings, and enforcing marking at creation, export, and transfer points with audit-ready evidence. 1
Key takeaways:
- Define a media marking standard for CUI (labels, file headers/footers, metadata, and physical tags) and apply it consistently. 1
- Build marking into operations: procurement, imaging, file export, removable media issuance, print/mail, and disposal workflows. 1
- Keep proof: procedures, training, samples, inventories, and checks that show markings are present and enforced. 2
Media marking fails in predictable places: exports to USB, printed packets for a program meeting, engineering drawings placed on shared drives without banners, or disk images shipped to a third party for troubleshooting. Requirement 03.08.04 exists to prevent those “unmarked CUI” events by forcing clear identification of CUI on the media itself so people and processes apply the right controls end-to-end. 1
For a Compliance Officer, CCO, or GRC lead, the fastest path to compliance is to treat marking as a design requirement for how CUI moves, not a labeling afterthought. You need three things: (1) a clear definition of which media types you will mark (physical and digital), (2) a marking specification that is easy to follow and hard to misapply, and (3) operational checkpoints where the organization can’t “forget” to mark because the workflow requires it. 1
This page translates 03.08.04 into an implementable standard, assigns ownership, and lists the evidence assessors typically expect to see under NIST assessment practices. 2
Regulatory text
Requirement 03.08.04 (Media Marking), NIST SP 800-171 Rev. 3: “Mark system media that contains CUI to indicate distribution limitations, handling caveats, and applicable CUI markings.” 1
Operator interpretation (what you must do): You must ensure media that contains CUI is marked in a way that reliably communicates the presence of CUI and the associated handling requirements to anyone who might store, transport, share, print, or dispose of that media. The mark must be applied consistently across the media types you use to process, store, or transmit CUI, and it must be backed by documented procedures and operating evidence. 1
Assessment lens: Expect an assessor to validate both the definition of what you mark and the execution (samples and workflow proof), not only a policy statement. 2
Plain-English requirement (what “media marking” means in practice)
Media marking means you label CUI-bearing media so people can recognize it immediately and handle it correctly. “Media” includes common items such as laptops, removable drives, external disks, backup tapes, printed documents, and digital files that leave a controlled system boundary. The purpose is to reduce accidental mishandling by making CUI obvious at the point of use. 1
A workable mental model: if CUI can be carried, copied, exported, printed, mailed, or shipped, it needs a marking rule and a workflow checkpoint. 1
Who it applies to
Entities
- Federal contractors and subcontractors processing, storing, or transmitting CUI in nonfederal systems. 1
- Any nonfederal organization handling CUI under a program requirement that references NIST SP 800-171 Rev. 3. 1
Operational contexts where this shows up
- Engineering/manufacturing: drawings, specs, and test data moved between teams or suppliers.
- IT/operations: endpoint rebuilds, disk swaps, backups, forensics images.
- Program operations: printed briefing books, proposals, and customer deliverables.
- Third party interactions: shipping devices or media to a repair depot, MSP, eDiscovery provider, or lab. 1
What you actually need to do (step-by-step)
Step 1: Define “covered media” for your CUI environment
Create a list of media types that can contain CUI in your boundary. Keep it simple and explicit:
- Digital files: office docs, PDFs, CAD files, datasets, exports.
- Removable media: USB, external SSD/HDD, SD cards.
- End-user devices: laptops/desktops that store CUI locally.
- Hardcopy: printed documents, binders, labels.
- Backups/archives: tapes, offline drives, cloud backup exports.
- Images and logs: disk images, diagnostic bundles, packet captures when they include CUI. 1
Decision rule you can publish: “If it contains CUI or is derived from CUI, treat it as CUI media and mark it per the standard.” 1
Step 2: Create a marking standard your teams can follow without interpretation fights
Write one “Media Marking Standard” that answers these questions:
A. What marking text do we use?
Define exact wording. Many organizations align to a “CUI” banner plus any program-required dissemination controls, but the key is internal consistency and clarity. The marking formats themselves (the CUI banner, category markings, and limited dissemination control markings) come from the CUI program (32 CFR Part 2002 and the National Archives CUI Registry), not from SP 800-171, so reproduce the legends your contract invokes rather than inventing wording. If your customer mandates specific legends, incorporate them into your standard. 1
B. How do we mark each media type?
Use a table like this in your procedure:
| Media type | Required mark | Where it appears | Example artifact |
|---|---|---|---|
| Printed pages | CUI legend | Header/footer and cover page stamp | Scanned sample packet |
| PDF/Office files | CUI legend | First page + footer; file properties if supported | Screenshot of banner + metadata |
| Removable drives | Physical label | Drive body + issued sleeve/envelope | Photo of labeled drive |
| Laptops w/ CUI | Asset tag attribute | Asset record + device label if feasible | CMDB record screenshot |
| Backup media | Physical label + inventory attribute | Tape label + backup catalog | Inventory report |
Keep the standard “binary”: either marked correctly or not. That makes self-checks and audits easier. 2
C. What are the exceptions?
Document narrow exceptions and compensating controls, for example:
- Media too small to label: require labeled container plus inventory linkage.
- Operational safety constraints: mark packaging and tracking record.
- System-generated files: enforce marking via templates, DLP labeling, or approved export tools. 1
Step 3: Insert marking checkpoints into workflows (where marking actually fails)
Add explicit marking steps to the procedures people already use:
- File creation and templates
  - Standard templates for proposals, reports, and engineering documents with default CUI headers/footers.
  - Approved repositories enforce classification/label selection at upload or export. 1
- Removable media issuance
  - Only issue organization-provided encrypted media, and keep the encryption requirement aligned with your media storage and transport controls.
  - Label at issuance, and record custodian, purpose, and return/destruction date in an inventory log. 1
- Printing and mailing/shipping
  - The print workflow includes a cover sheet and the required legend.
  - Mailing/shipping includes a labeled envelope/package and a shipping log entry tied to recipient authorization. 1
- Device RMA/repair and third party support
  - Before shipping a device or drive, confirm the marking on the device/media and label the shipping container.
  - Document the third party's handling expectations in the engagement terms and in your internal work order. 1
Step 4: Assign owners and make it enforceable
Media marking breaks when “everyone” owns it. Set clear accountability:
- Control owner: Information Security or GRC owns the marking standard and periodic checks. 2
- Process owners: IT Asset Management (device/removable media), Records/Program Ops (hardcopy), Backup/Infra (backup media), Engineering/PMO (deliverables). 1
Define measurable implementation criteria you can test:
- Samples of each media type show required markings.
- Issuance and inventory records match physical labels.
- Training includes marking rules and exceptions.
- Periodic reviews document findings and remediation actions. 2
Step 5: Validate with recurring checks and close gaps through POA&M
Build a simple operating rhythm:
- Spot-check labeled media in storage areas and program spaces.
- Sample digital files in repositories for correct banners/legends.
- Sample shipped items (from shipping logs) for packaging/labels.
Track failures as findings with owners and target dates, and validate closure before marking items “done” in your compliance tracking. 2
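One way to run the digital-file sample above, as an added example that is not code from this page or from NIST: a stdlib-only Python script that opens exported Word (.docx) files, checks the header/footer parts for the legend and the core-properties “category” field for a CUI value, and returns a per-file finding list you can drop into the evidence folder. The legend regex, the choice of the category property, the folder layout, and the three sample files it builds are assumptions made here; real .docx files carry more parts than the minimal fixtures the script constructs.

```python
"""Added example: sample exported .docx files for CUI markings (stdlib only).

Assumptions (not from the page): the Media Marking Standard requires the
legend "CUI" in a header or footer part and the core property
<cp:category> set to "CUI". Paths, file names and fixtures are constructed.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from xml.etree import ElementTree as ET

LEGEND = re.compile(r"\bCUI\b")  # assumed legend; extend for program-specific banners
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
HF_PART = re.compile(r"word/(header|footer)\d*\.xml")


def _text_of(xml_bytes: bytes) -> str:
    """Concatenate all <w:t> text runs of a WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    return "".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


def check_docx(path: Path) -> dict:
    """Return one finding record: legend in any header/footer, category property, errors."""
    rec = {"file": str(path), "header_footer_legend": False,
           "metadata_category": False, "errors": []}
    try:
        with zipfile.ZipFile(path) as z:
            names = z.namelist()
            parts = [n for n in names if HF_PART.fullmatch(n)]
            if not parts:
                rec["errors"].append("no header/footer parts")
            rec["header_footer_legend"] = any(
                LEGEND.search(_text_of(z.read(n))) for n in parts)
            if "docProps/core.xml" in names:
                core = ET.fromstring(z.read("docProps/core.xml"))
                category = (core.findtext(f"{{{CP_NS}}}category") or "").strip()
                rec["metadata_category"] = category.upper() == "CUI"
            else:
                rec["errors"].append("no core properties part")
    except zipfile.BadZipFile:
        rec["errors"].append("not a .docx (zip) container")
    rec["compliant"] = (rec["header_footer_legend"]
                        and rec["metadata_category"] and not rec["errors"])
    return rec


def scan_exports(directory) -> dict:
    """Sample every .docx under an export/shared folder; findings are the non-compliant files."""
    results = [check_docx(p) for p in sorted(Path(directory).rglob("*.docx"))]
    return {"sampled": len(results),
            "findings": [r for r in results if not r["compliant"]],
            "results": results}


def _para(text: str) -> str:
    return f'<w:p xmlns:w="{W_NS}"><w:r><w:t>{text}</w:t></w:r></w:p>'


def build_sample_docx(path: Path, footer_text, category: str) -> None:
    """Write a minimal .docx-shaped zip (constructed fixture; real files carry more parts)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body>{_para("Test report body")}</w:body></w:document>')
        if footer_text is not None:
            z.writestr("word/footer1.xml", f'<w:ftr xmlns:w="{W_NS}">{_para(footer_text)}</w:ftr>')
        z.writestr("docProps/core.xml",
                   f'<cp:coreProperties xmlns:cp="{CP_NS}"><cp:category>{category}</cp:category></cp:coreProperties>')


def demo() -> dict:
    """Build three constructed samples in a temp folder and scan them."""
    d = Path(tempfile.mkdtemp())
    build_sample_docx(d / "marked.docx", "CUI", "CUI")            # compliant
    build_sample_docx(d / "metadata_only.docx", "Page 1", "CUI")  # property set, no legend
    build_sample_docx(d / "unmarked.docx", None, "")              # neither
    return scan_exports(d)


if __name__ == "__main__":
    report = demo()
    print(f"sampled={report['sampled']} findings={len(report['findings'])}")
    for f in report["findings"]:
        print(" ", Path(f["file"]).name, f["errors"] or ["legend missing"])
```

Point `scan_exports()` at a real export share or shared-drive folder to produce the sample; `demo()` only exercises the constructed fixtures. The check proves the mark is present, not that it is the right legend for the program's dissemination controls, so extend `LEGEND` (and add a PDF or CAD checker) to match whatever your marking matrix actually mandates.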
If you manage controls in Daydream, this maps cleanly to: documented control statements in the SSP, defined evidence cadences, and POA&M items with closure validation tied to artifacts. 1
Required evidence and artifacts to retain
Aim for evidence that proves both design and operation:
Policy and standards
- Media Marking Standard (versioned, approved).
- CUI handling procedure sections that reference marking rules. 1
Operational records
- Removable media inventory log (issuance, custodian, purpose, status).
- Asset inventory attributes showing which endpoints are approved to store CUI and how they are identified.
- Shipping/mail logs for CUI packages (where applicable). 1
Proof of implementation
- Photos of labeled removable media and labeled storage containers.
- Scanned examples of marked hardcopy packets.
- Screenshots of marked digital documents (headers/footers, cover pages, metadata fields where used).
- Evidence of workflow checkpoints: ticket templates, work instructions, checklists. 2
Training and verification
- Training content covering marking rules + attendance/completion records.
- Periodic review results, sampling approach, findings, and remediation evidence. 2
Common assessment questions and hang-ups
Assessors and auditors tend to press on:
- Scope clarity: “What media types do you consider in scope, and why?” 2
- Consistency: “Show me ten examples across teams. Do they look the same?” 2
- Exceptions: “Where can marking fail due to constraints, and what compensating controls exist?” 1
- Removable media governance: “How do you control issuance, labeling, and return/destruction?” 2
- Third party movement: “When media leaves your facility, how do you ensure it is marked and tracked?” 1
Frequent implementation mistakes (and how to avoid them)
Mistake 1: Treating “media marking” as “document marking only”
Fix: include endpoints, removable drives, backups, and shipping containers in your marking table and procedures. If it can carry CUI, it needs a marking rule. 1
Mistake 2: A policy that says “mark CUI,” with no examples and no enforcement points
Fix: publish exact legends, show examples, and add checkpoints in tickets and workflows (issuance, print, export, ship). 2
Mistake 3: Relying on individuals to remember
Fix: standard templates, pre-labeled media stocked by IT, and required fields in work orders reduce memory-based compliance. 1
Mistake 4: No evidence cadence
Fix: schedule recurring samples and store artifacts in an assessor-ready folder structure mapped to the SSP control statement. 2
Risk implications (why auditors care)
Unmarked media is a failure amplifier. It increases the chance that CUI gets stored in the wrong place, shared to unauthorized recipients, or disposed of without required protections. In assessments, weak marking usually correlates with weak control over removable media and weak boundary discipline. Treat marking as an upstream control that supports handling, transport, sanitization, and incident response. 1
Practical 30/60/90-day execution plan
First 30 days (stabilize and define)
- Define in-scope media types and owners; document in your SSP control statement mapping. 1
- Draft and approve a Media Marking Standard with a marking matrix and exception handling. 1
- Inventory current labeling supplies, templates, and tool support; open POA&M items for gaps. 2
Days 31–60 (implement in workflows)
- Roll out templates for common CUI documents and deliverables; publish quick-reference examples. 1
- Stand up removable media issuance workflow with labeling + inventory logging; train IT service desk and program admins. 2
- Update print/mail/ship procedures to require marked covers and labeled containers, with log retention. 1
Days 61–90 (prove operation and harden)
- Run sampling checks across departments for each media type; document results and remediation. 2
- Tune exception process: approval authority, documentation requirements, and compensating controls. 1
- Centralize evidence: store versioned standards, samples, inventories, and review records in your compliance system (Daydream or equivalent) tied to the SSP and POA&M. 2
Frequently Asked Questions
Does 03.08.04 require labeling every file inside a system that already enforces access control?
You still need a marking approach that works for how your teams actually handle CUI, especially when files are exported, shared, or printed. Many teams focus marking on files and outputs that can move outside controlled repositories, but define that boundary explicitly and enforce it. 1
What counts as “media” for media marking?
Treat “media” as any physical or digital container that can store CUI: documents, removable drives, endpoints with local storage, and backup media. Write your covered-media list and use it consistently in procedures and evidence. 1
How do we handle media too small to label (e.g., tiny USB devices or adapters)?
Use a labeled container (bag, sleeve, case) plus an inventory record that uniquely ties the device to the label. Document this as an approved exception in the marking standard so it is defensible in assessment. 1
Do we need a removable media inventory to satisfy media marking?
Media marking and removable media control reinforce each other; assessors commonly expect governance for issuance and custody where removable media is allowed. If you permit removable media for CUI, keep an inventory log that shows labeling and custody. 2
How should we treat laptops that may contain CUI?
Ensure the device’s asset record indicates it is approved for CUI and identify it as such for handling (for example, device labeling and CMDB attributes). Pair this with operational procedures for repair/shipping so devices do not leave custody without appropriate identification and tracking. 1
What evidence is most persuasive to an assessor for 03.08.04?
A versioned marking standard plus real samples: photos of labeled media, scans of marked hardcopy, screenshots of marked digital files, and logs showing issuance/shipping. Add periodic sampling results and remediation records to prove the control operates over time. 2
Footnotes
1. NIST SP 800-171 Rev. 3
2. NIST SP 800-171A