Marking is the simplest practice in Media Protection. You’re adding labels to paper and headers to documents. The purpose is obvious. Any employee who sees a marked document knows it’s sensitive and should not leave it on their desk or email it to a personal account.
MP.L2-3.8.4 At a Glance
- Use consistent CUI labels on all physical documents and folders
- Add headers and footers to digital documents (Word, PDF, spreadsheets)
- Include distribution limitations (Internal Use Only, Do Not Forward, etc.)
- Mark folder/drive names to indicate content sensitivity
- Train staff on marking standards
- Use templates to make marking automatic
What the assessor is actually evaluating
The assessor is checking two things. First, can they pick up a random document and immediately see it’s marked CUI? Second, is the marking consistent across your organization? One contract marked “CONFIDENTIAL” and another marked “CUI - INTERNAL USE ONLY” looks sloppy. Pick one standard and use it everywhere.
Physical marking is straightforward. Buy CUI labels. Put them on documents and folders. When a document gets printed, it should automatically include a header and footer from your template. When a folder is created on the shared drive, it should be named with a CUI prefix or indicator.
Digital marking has two parts. First, document metadata. If you create a contract in Word, your template should include a header and footer automatically. If you save a PDF, the filename should indicate content type (e.g., “2026-Customer_Contract_ACME_CUI.pdf” instead of “contract1.pdf”). Second, folder naming. Your shared drive should have clear structure: “CUI_Contracts”, “CUI_Financial”, “Internal_Use_Only”, etc.
The purpose is not to be an official classification system like the government uses. You’re just communicating to your employees: “This is sensitive. Handle it carefully.” An assessor accepts this. Media marking supports MP.L2-3.8.1 (overall media protection) and helps with PE.L2-3.10.5 (controlling output devices).
What a realistic SSP definition looks like
Example SSP Language
"Organization marks all media containing CUI to indicate sensitivity and distribution limitations.
Physical Media Marking: All printed documents containing CUI display a "CUI" label in the header and footer. File folders containing CUI documents are labeled with a red "CUI" sticker. Printed media is marked before distribution. Training includes proper handling of marked materials.
Digital Media Marking: All Word documents and spreadsheets containing CUI include a standard header and footer with "CONTROLLED UNCLASSIFIED INFORMATION" and date created. PDF documents include document properties (Title, Keywords, Subject) indicating CUI status. Shared drive folders are prefixed with "CUI_" or "_INTERNAL_" to indicate content type.
File Naming Convention: Documents containing CUI follow the naming pattern: [YEAR]_[TYPE]_[DESCRIPTION]_CUI.ext. Example: 2026_Contract_Acme_Corp_CUI.docx. This makes content sensitivity obvious in file listings.
Distribution Marking: Documents include a distribution line indicating intended recipients. Example: 'FOR INTERNAL USE ONLY. DO NOT FORWARD TO EXTERNAL RECIPIENTS.' This is visible in footers and document headers."
How to present your evidence
Evidence Checklist for MP.L2-3.8.4
- Sample Marked Documents: Examples of physical CUI documents with labels
- Digital Document Samples: PDFs and Word docs showing headers/footers
- Photo Evidence: Pictures of file cabinets with CUI labels, file folders marked
- Word Templates: Default document template showing standard header/footer
- File Naming Standards: Document showing how to name files (includes CUI indicator)
- Shared Drive Structure: Screenshot of folder names indicating CUI content
- Marking Policy: Written procedure for marking media at creation
- Training Records: Staff training on marking requirements
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
What You'll Hear in the Assessment Room
Assessor: "Show me how you mark media containing CUI."
What works: "All our documents include a CUI header and footer. Our printed materials have labels. Our folder names indicate content type. Here are examples." [Pull up Word template and show header/footer. Show photos of physical labels. Show shared drive structure]
Assessor: "I want to see your marking standards documented."
What works: "This is our Media Marking Procedure. It specifies what marking applies to what media type, and includes a template employees can use." [Pull up policy document]
Assessor: "Are your employees trained on this?"
What works: "Yes, everyone gets trained during onboarding. Here are our training records. This is the quick reference guide we put on every desk." [Pull up training list and desk reference card]
Assessor: "If I open a random document, will I know it contains CUI?"
What works: [Open a real document from your file share] "Yes. The header and footer are visible. The filename includes CUI. The folder it's stored in is marked CUI."
Assessor: "What about files that are created by third parties?"
What works: "If a vendor sends us a contract, we add our marking before storing it. Our template automatically adds the header and footer when we resave it." [Show example of vendor file marked after receipt]
Common failures
Why Companies Fail MP.L2-3.8.4
- No marking at all. A contract is created and sent without any indication it contains CUI. Assessor asks an employee what makes this document confidential and they point to nothing visible.
- Inconsistent marking. Some documents say "CONFIDENTIAL", others say "INTERNAL", others have no marking. Employees don't know what the difference is.
- Physical documents are not marked. Printed contracts, invoices, and reports have no labels. A visitor walking through the office cannot tell what's sensitive.
- Digital marking is missing from spreadsheets and presentations. Only Word documents are marked, but the Excel file with the same sensitive data has no header.
- Folder names don't indicate content. A shared drive has folders named "Project A", "Project B", "Stuff". Assessor asks which ones contain CUI and you can't tell from the names.
- No template. Each employee marks documents differently. Some remember to add headers, others don't. No standard exists.
How to Pass MP.L2-3.8.4
- Create one standard. Pick "CUI" or "CONFIDENTIAL - INTERNAL USE ONLY". Use it everywhere. Consistency matters more than the exact wording.
- Make templates automatic. Add headers and footers to your default Word template. Any document created from this template is automatically marked.
- Use file naming. All CUI documents include "_CUI" or similar in the filename. This makes sensitivity obvious in email and file lists.
- Label folders. Name your shared drive folders to indicate content. "CUI_Contracts" is clearer than "Sales".
- Buy labels. Get physical stickers for printed materials. They're cheap. Use them.
- Train once, document always. Show employees the standard once. Use reminders in policy documents. Include marking in your onboarding checklist.
If you use an MSP/MSSP
Media Marking with Managed Service Providers
If your MSP manages document templates or shared drive structure, ensure they implement your marking standards. Provide your MSP with a written marking standard and confirm they apply it to all templates they create or maintain. If they manage email systems, work with them to add automatic footers to outgoing email containing CUI. Request periodic audits showing that files in shared drives follow your naming convention. You own the marking standards, but the MSP executes them, so verify compliance quarterly.
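One way to run the periodic naming-convention audit yourself or hand it to an MSP, shown as an added example rather than anything from an official CMMC tool. It assumes the [YEAR]_[TYPE]_[DESCRIPTION]_CUI.ext pattern and the "CUI_" folder prefix from the example SSP language above, and assumes every file inside a "CUI_" folder is expected to carry that name; the sample tree and function names are constructed for illustration.

```python
import os
import re
import tempfile

# Assumed standard, taken from the example SSP language:
# [YEAR]_[TYPE]_[DESCRIPTION]_CUI.ext, stored under a folder prefixed "CUI_".
NAME_RE = re.compile(r"^\d{4}_[A-Za-z0-9]+_.+_CUI\.[A-Za-z0-9]+$")
CUI_FOLDER_PREFIX = "CUI_"

def audit_share(root):
    """Return sorted (relative_path, finding) tuples for marking gaps under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        # A file counts as "in a marked folder" if any ancestor has the prefix.
        in_marked = any(p.startswith(CUI_FOLDER_PREFIX) for p in parts)
        for name in files:
            rel = "/".join(parts + [name])
            conforms = bool(NAME_RE.match(name))
            if in_marked and not conforms:
                findings.append((rel, "file in marked folder lacks standard CUI name"))
            elif conforms and not in_marked:
                findings.append((rel, "CUI-named file stored outside a marked folder"))
    return sorted(findings)

def build_sample_share(root):
    """Create a small constructed folder tree (empty files) to audit."""
    sample = [
        "CUI_Contracts/2026_Contract_Acme_Corp_CUI.docx",  # conforms
        "CUI_Contracts/contract1.pdf",                     # no marking in name
        "CUI_Financial/2026_Invoice_Acme_Q1_cui.xlsx",     # inconsistent case
        "Project A/2026_Report_Test_Results_CUI.pdf",      # marked file, unmarked folder
        "Project A/lunch_menu.txt",                        # not CUI, ignored
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

def run_demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return audit_share(root)

if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{finding}: {rel}")
```

The check is name-based only: it cannot tell whether an unmarked file in an unmarked folder actually contains CUI, so it supplements the marking policy and training rather than replacing them.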
Disclaimer: This guide is for educational purposes. CMMC Level 2 assessments are conducted by Authorized C3PAO partners. Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.