Do laptops need to be physically marked/labeled if they process CUI?

Usual disclaimers, this article and the opinions within are my own and not those of any of my employers. I also will not be attempting to sell you anything. Article is meant to open dialogue and nothing in here is legal advice. Hope you enjoy and find a benefit from the article.

CMMC Practice MP.3.122: Mark media with necessary CUI markings and distribution limitations.

Let's start with the obvious, yes, technically embedded hard drives on a laptop or a PC tower are a form of media from a semantics perspective. Does that mean MP.3.122 applies to laptops and PC towers and they require stickers?

Let's dig deeper and look at the assessment objectives for help.

"Determine if:

[a] media containing CUI is marked with applicable CUI markings; and

[b] media containing CUI is marked with distribution limitations.

All media, hardcopy and digital, must be properly marked to alert individuals to the presence of CUI stored on the media [a]. The National Archives and Records Administration (NARA) has published guidelines for labeling media of different sizes."

Ok, so the further discussion in the AG brings us to https://www.archives.gov/files/cui/documents/20190222-cui-notice-2019-01-coversheet-label.pdf

This looks like it covers coversheets and stickers, and for our discussion, "c. usage of the SF 902 standard size affix able identification and protection media label" would be most applicable.

Let's look at another resource from NARA: https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf

Page 23: Marking Electronic Media Storing or Processing CUI

"Media such as USB sticks, hard drives, and CD ROMs must be marked to alert holders to the presence of CUI stored on the device." 100% agree and notice the use of the word "must".

Further down the page, "Equipment can be marked or labeled to indicate that CUI is stored on the device." Notice the use of the word "can". Of course it can, the question here is must we mark laptops and PC towers with fixed hard drives?

Page 27: Alternate Marking Methods

"Agency heads may authorize the use of alternate marking methods on IT systems, websites, browsers, or databases through agency CUI policy."

This is an interesting page because gives direction to agencies that using a logon warning banner like what is addressed in AC.2.005 can be sufficient in lieu of marking. Let's revisit this later.

Coming back around, let's go back to the AG and look at the example it gives:

"You were recently contacted by the project team for a new DoD program. The team said they wanted the CUI in use for the program to be properly protected. When speaking with them, you realize that most of the protections will be provided as part of existing enterprise cybersecurity capabilities. They also mentioned that the project team will use several USB drives to share specific data. You explain that the team must ensure the USB drives are externally marked to indicate the presence of CUI [a]. The project team labels the outside of each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the labels indicate that distribution is limited to those employees supporting the DoD program [a]."

Yep, no question there, USB drives are removable media and should be marked but does not help us with the question of fixed drives.

Let's take a look at the CMMC Appendices for help. https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf

CMMC CLARIFICATION (Ref CMMC – Appendix B.11.3)

"All media (e.g., USB drives, CDs, DVDs, diskettes, hard drives, and paper) must be properly marked to alert individuals to the presence of Controlled Unclassified Information (CUI) stored on the media. Since the media itself may be small and provide limited space to mark it you should at a minimum mark it as “Controlled” or CUI” and the designating agency. If the media is hard to mark alternate methods may be approved to indicate the presence of CUI. For example, a company may place a CUI banner on the desktop background image or monitor attached to the system. They could also require the user to accept a banner message stating CUI may be present on the system."

Somewhat helpful but the use of e.g. means just examples and not all inclusive, so fixed drives in laptops and PC towers could still be included. The discussion of alternate methods may be approved to indicate the presence of CUI is interesting though, and that is in line with the NARA handbook on page 27.

How about the CMMC Glossary? https://www.acq.osd.mil/cmmc/docs/CMMC_Glossary_20201208_editable.pdf

"Media

Physical devices or writing surfaces including but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. Source: FIPS 200."

Magnetic disks, hey those are fixed drives in my laptop or PC tower - but what if I use SSD instead? lol, can tell the age of FIPS 200 from the definition from here, so we have to go by intent.

Analysis

Is MP.3.122 missing the word "removable"?

Should it really state "Mark (paper and removable digital) media with necessary CUI markings and distribution limitations"?

All of the examples, while careful to say "includes but not limited to" only refer to examples of removable and physical media.

Why are we discussing this? Purchasing labels and ensuring they are affixed to either laptop or PC tower cases, or opening up the cases and affixing stickers to the fixed drive has an associated cost. So, it is natural for any company to ask is this something they "must" do, or something they "can" do, using the words in the NARA handbook. Can implies it is optional.

Couple of anticipated arguments for or against for consideration.

The bad - this is bad OPSEC and screams to people, hey steal me.

The good - this would be a good practice to do anyway if you have multiple classes of assets, some CUI approved and others not, in the same physical area to prevent user confusion for proper handling.

The good - if you are disposing of any devices, the sticker would remind them how to properly dispose of CUI equipment.

My current opinion on the topic with the information available today is the intent behind MP.3.122 deals with removable and paper media, so laptops and fixed drives would not be included from an intent perspective. All examples given in multiple documents only list out examples of removable and paper media. This is further supported by the word choices of "must" vs "can" when describing removable media and fixed media in the NARA CUI marking handbook, where you "must" label removable media and you "can" label fixed media. Multiple documents also describe alternate marking, for example requiring the user to accept a banner message stating CUI may be present on the system, which is basically the requirement from AC.2.005. So, my reading on this topic is that removable media must be marked per MP.3.122 and fixed media can be marked as well or using alternate marking such as including an electronic banner and logon warning message to sufficiently meet the requirement for MP.3.122.

The primary intent of MP.3.122 is to provide a notice to users that the media possesses CUI so that they are aware of how to handle it. How I would assess this control is by reading the organization's MP policy and procedures to verify that they have defined how they will be marking media whether with stickers, electronic means, or both, then examine the media onsite to verify it is marked IAW their policy, and then last validate that their interpretation and implementation meets the primary intent of the practice and that users are informed about where CUI exists in the environment.

This is another topic where formal dictation has to come from the DoD, or else we all will have different interpretations.

Now let the comments begin, congratulations to you if you read this far before commenting based on the headline :)