Do laptops need to be physically marked/labeled if they process CUI?
Usual disclaimers: this article and the opinions in it are my own and not those of any of my employers, and I am not trying to sell you anything. The article is meant to open a dialogue, and nothing in it is legal advice. I hope you enjoy it and find it useful.
CMMC Practice MP.3.122: Mark media with necessary CUI markings and distribution limitations.
Let's start with the obvious: yes, technically the embedded hard drives in a laptop or a PC tower are a form of media, from a semantics perspective. Does that mean MP.3.122 applies to laptops and PC towers and that they require stickers?
Let's dig deeper and look at the assessment objectives for help.
"Determine if:
[a] media containing CUI is marked with applicable CUI markings; and
[b] media containing CUI is marked with distribution limitations.
All media, hardcopy and digital, must be properly marked to alert individuals to the presence of CUI stored on the media [a]. The National Archives and Records Administration (NARA) has published guidelines for labeling media of different sizes."
OK, so the further discussion in the AG (the CMMC Assessment Guide) points us to https://www.archives.gov/files/cui/documents/20190222-cui-notice-2019-01-coversheet-label.pdf
This notice covers coversheets and labels, and for our discussion "c. usage of the SF 902 standard size affixable identification and protection media label" is the most applicable item.
Let's look at another resource from NARA: https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf
Page 23: Marking Electronic Media Storing or Processing CUI
"Media such as USB sticks, hard drives, and CD ROMs must be marked to alert holders to the presence of CUI stored on the device." I agree 100%, and notice the use of the word "must".
Further down the page: "Equipment can be marked or labeled to indicate that CUI is stored on the device." Notice the use of the word "can". Of course it can; the question here is whether we must mark laptops and PC towers with fixed hard drives.
Page 27: Alternate Marking Methods
"Agency heads may authorize the use of alternate marking methods on IT systems, websites, browsers, or databases through agency CUI policy."
This is an interesting page because it gives agencies direction that using a logon warning banner, like the one addressed in AC.2.005, can be sufficient in lieu of marking. Let's revisit this later.
Coming back around, let's go back to the AG and look at the example it gives:
"You were recently contacted by the project team for a new DoD program. The team said they wanted the CUI in use for the program to be properly protected. When speaking with them, you realize that most of the protections will be provided as part of existing enterprise cybersecurity capabilities. They also mentioned that the project team will use several USB drives to share specific data. You explain that the team must ensure the USB drives are externally marked to indicate the presence of CUI [a]. The project team labels the outside of each USB drive with an appropriate CUI label following NARA guidance [a]. Further, the labels indicate that distribution is limited to those employees supporting the DoD program [a]."
Yep, no question there: USB drives are removable media and should be marked, but that does not help us with the question of fixed drives.
Let's take a look at the CMMC Appendices for help. https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf
CMMC CLARIFICATION (Ref CMMC – Appendix B.11.3)
"All media (e.g., USB drives, CDs, DVDs, diskettes, hard drives, and paper) must be properly marked to alert individuals to the presence of Controlled Unclassified Information (CUI) stored on the media. Since the media itself may be small and provide limited space to mark it you should at a minimum mark it as “Controlled” or CUI” and the designating agency. If the media is hard to mark alternate methods may be approved to indicate the presence of CUI. For example, a company may place a CUI banner on the desktop background image or monitor attached to the system. They could also require the user to accept a banner message stating CUI may be present on the system."
Somewhat helpful, but "e.g." means these are just examples and not an all-inclusive list, so fixed drives in laptops and PC towers could still be included. The statement that alternate methods may be approved to indicate the presence of CUI is interesting, though, and it is in line with the NARA handbook on page 27.
How about the CMMC Glossary? https://www.acq.osd.mil/cmmc/docs/CMMC_Glossary_20201208_editable.pdf
"Media
Physical devices or writing surfaces including but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. Source: FIPS 200."
Magnetic disks, hey, those are the fixed drives in my laptop or PC tower. But what if I use an SSD instead? You can tell the age of FIPS 200 from that definition, so we have to go by intent.
Analysis
Is MP.3.122 missing the word "removable"?
Should it really state "Mark (paper and removable digital) media with necessary CUI markings and distribution limitations"?
All of the examples, while careful to say "including but not limited to", only refer to removable and paper (hardcopy) media.
Why are we discussing this? Purchasing labels and ensuring they are affixed to laptop or PC tower cases, or opening the cases and affixing stickers to the fixed drives, has an associated cost. So it is natural for any company to ask whether this is something they "must" do or something they "can" do, using the words from the NARA handbook. "Can" implies it is optional.
A couple of anticipated arguments for and against, for consideration:
The bad - this is bad OPSEC; a label on the case screams "hey, steal me" to anyone who sees the device.
The good - this would be a good practice anyway if you have multiple classes of assets, some CUI-approved and others not, in the same physical area, to prevent user confusion about proper handling.
The good - if you are disposing of any devices, the sticker would remind staff how to properly dispose of CUI equipment (sanitization before disposal).
My current opinion on the topic, with the information available today, is that the intent behind MP.3.122 is removable and paper media, so laptops and fixed drives would not be included from an intent perspective. All of the examples given across multiple documents list only removable and paper media. This is further supported by the word choice of "must" vs "can" in the NARA CUI marking handbook: you "must" label removable media and you "can" label equipment with fixed media. Multiple documents also describe alternate marking, for example requiring the user to accept a banner message stating that CUI may be present on the system, which is essentially the requirement from AC.2.005. So my reading is that removable media must be marked per MP.3.122, and fixed media can be marked as well, or marked by an alternate method such as an electronic banner and logon warning message, to sufficiently meet MP.3.122.
The primary intent of MP.3.122 is to notify users that the media holds CUI so that they know how to handle it. Here is how I would assess this practice: read the organization's MP policy and procedures to verify that they have defined how they will mark media, whether with stickers, electronic means, or both; then examine the media onsite to verify it is marked IAW (in accordance with) their policy; and last, validate that their interpretation and implementation meet the primary intent of the practice and that users are informed about where CUI exists in the environment.
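As an added illustration of the "electronic banner" alternate marking discussed above (example code written for this article, not part of the original post or any NARA/DoD guidance), the PowerShell below sets the Windows interactive-logon legal notice and then reads it back the way an assessor would. The registry path and the LegalNoticeCaption/LegalNoticeText value names are the standard Windows locations behind the "Interactive logon: Message title/text for users attempting to log on" policy; the banner wording itself is constructed for illustration and is not mandated text. It assumes an elevated session on a Windows host, and the notice takes effect at the next logon.

```powershell
# Added example: configure and verify a CUI logon banner as an electronic marking.
# Registry location and value names are the standard Windows policy values;
# the banner wording is constructed for this example. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-CuiLogonBanner {
    param(
        [Parameter(Mandatory)][string]$Caption,
        [Parameter(Mandatory)][string]$Text
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # LegalNoticeCaption = dialog title, LegalNoticeText = body shown before logon.
    Set-ItemProperty -Path $PolicyKey -Name 'LegalNoticeCaption' -Value $Caption -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'LegalNoticeText'    -Value $Text    -Type String
}

function Test-CuiLogonBanner {
    # Returns $true only if both values are present and the body actually names CUI.
    # This is the read-back an assessor would do when the organization's MP policy
    # declares the logon banner as its marking method for fixed media.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    $caption = $props.LegalNoticeCaption
    $text    = $props.LegalNoticeText
    return (-not [string]::IsNullOrWhiteSpace($caption)) -and
           (-not [string]::IsNullOrWhiteSpace($text)) -and
           ($text -match '\bCUI\b|Controlled Unclassified Information')
}

# Constructed banner wording (illustrative only).
$caption = 'CUI - Controlled Unclassified Information'
$text = @"
This system stores or processes Controlled Unclassified Information (CUI).
Handle, store, and transmit CUI only in accordance with company CUI policy.
Distribution is limited to personnel supporting the DoD program.
"@

Set-CuiLogonBanner -Caption $caption -Text $text
if (Test-CuiLogonBanner) {
    'CUI logon banner is configured.'
} else {
    'CUI logon banner is missing or does not mention CUI.'
}
```

On domain-joined machines, set the same two values through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Interactive logon: Message title/text for users attempting to log on") rather than writing the registry directly, so that a policy refresh does not overwrite the local change; Test-CuiLogonBanner still works as the verification step either way, because Group Policy writes the same registry values.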
This is another topic where formal dictation has to come from the DoD, or else we all will have different interpretations.
Now let the comments begin, congratulations to you if you read this far before commenting based on the headline :)
Senior Consultant at Deloitte
3 years ago: Great discussion with thoughtful comments! FWIW: we sat on the same side of the table as a large prime going through their DIBCAC last year, and DCMA did not ask that laptops be marked/labeled. In fact, it did not come up in discussion at all.
Dark by Design ZeroTrust Principal Executioner.
3 years ago: Encrypt disk and mark
Also food for thought, MP.3.122 exists in NIST SP 800-171 as control 3.8.4 verbatim. Think about how many DIBCAC assessments have occurred, and how many times the topic of stickers on laptops have been brought up by DIBCAC. Does CMMC fundamentally change 3.8.4, or does this stay the same?
There are great reasons to put stickers on laptops, especially if different classification levels are processed in the same environment, but an electronic banner is really more effective at alerting users of the system. Removable media is not capable of an electronic banner, so it is important that it is marked so users know on sight how to handle it. Anything not labeled in an environment should default to the highest level of information in that area until it is investigated. The context of the operating environment is important here: if all assets are CUI and that is the only type of information in the environment, then labeling becomes less critical for differentiating between asset types.
Great discussions so far. Something like this, which should be simple, isn't so simple or clear. I think this was a good thought exercise to test for flexibility vs rigidity in our thinking. We all have our own biases, and what we know and are comfortable with comes from past experience. A difficult part of an assessor's job is to balance that with ensuring the objective is sufficiently met. To that end, it is important to understand the intent and what risk a practice is trying to protect against. The practices are not prescriptive; they do not tell you exactly what to do. If they did, this would be a checklist assessment. Media has to be labeled to notify users that CUI is present so that they handle the media IAW policy for CUI. A label can be a sticker, but it does not have to be. It is one way to do it, not the only way.