Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

mp-3

media marking

assessment objective:

Determine if the organization:

mp-3(a)

marks information system media indicating the:

mp-3(a)[1]

distribution limitations of the information;

mp-3(a)[2]

handling caveats of the information;

mp-3(a)[3]

applicable security markings (if any) of the information;

mp-3(b)

mp-3(b)[1]

defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;

mp-3(b)[2]

defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and

mp-3(b)[3]

exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas.

potential assessment methods and objects:

Examine: [select from: Information system media protection policy; procedures addressing media marking; physical and environmental protection policy and procedures; security plan; list of information system media marking security attributes; designated controlled areas; other relevant documents or records].

Interview: [select from: Organizational personnel with information system media protection and marking responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for marking information media; automated mechanisms supporting and/or implementing media marking].