This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [FedRAMP Assignment: (M)(H) no removable media types] from marking as long as the media remain within [FedRAMP Assignment: (M)(H) organization-defined security safeguards not applicable].
NIST 800-53 (r4) Supplemental Guidance:
The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3.
References: FIPS Publication 199.
NIST 800-53 (r5) Discussion:
Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002. Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
38North Guidance:
Meets Minimum Requirement:
Define the company's information classification scheme (e.g., Public, Confidential, Secret) based on the sensitivity of the information
Ensure that all digital and non-digital media are marked, in a human-readable manner, with the classification of the most sensitive information stored on that media. For example, if the media contains both Public and Confidential data, it must be marked Confidential
Include other relevant information on the marking, such as distribution limitations and handling instructions
For low systems, the organization maintains a list of removable media types that are exempt from marking requirements (Note: the FedRAMP Moderate and High assignments permit no exempt media types, so exemption lists are not allowed for Moderate or High systems)
For low systems, removable media that are exempt from marking are always kept within a specific controlled area
For low systems, procedures are in place to ensure that unmarked removable media are not removed from the controlled area without first being marked
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
The company's media classification policy
A list of various data classification levels used throughout the company
Evidence of media marked in accordance with the company policy and data classifications, for both digital and non-digital media
For low systems, the list of removable media types that are exempt from marking
For low systems, the procedures that ensure unmarked removable media are not removed from the controlled area without first being marked
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited. Note that AWS does not place media labels directly on server hard drives or on the memory cards of Top-of-Rack (ToR) switches in its environment
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited
In each case, inheritance covers media held in the CSP's data centers; media the customer handles itself (e.g., printed output or removable drives in its own facilities) remain subject to the marking requirements above