The term security marking refers to the application or use of human-readable security attributes. System media includes digital and non-digital media. Marking of system media reflects applicable federal laws, Executive Orders, directives, policies, and regulations. See [NARA MARK].

[27] The implementation of this requirement is per marking guidance in [32 CFR 2002] and [NARA CUI]. Standard Form (SF) 902 (approximate size 2.25” x .25”) and SF 90(approximate size 2.25” x .625”) can be used on media that contains CUI such as hard drives, or USB devices. Both forms are available from

Priority: Medium

Category: Asset Management 

Services Associated with AWS:   


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: documented data classification scheme
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation to demonstrate how Data Loss Prevention (DLP) is implemented, if applicable
  • Technical: screenshot of DLP technology, if applicable 

Possible Technology Considerations : 

  • Data Classification Solution 

What needs to be answered :  

Are all CUI systems identified with an asset control identifier, for example, does each company laptop have an asset id tag with a unique number? Are removable system media and system output marked? 

  • Marking of System Media with CUI
    Description: This check ensures that system media containing Controlled Unclassified Information (CUI) is appropriately marked with necessary CUI markings and distribution limitations. The marking of system media aligns with applicable federal laws, Executive Orders, directives, policies, and regulations. The purpose of marking is to provide clear identification of the security attributes associated with the media and to communicate any restrictions on its distribution.

More Details:   

CUI is not stored on removable media.