
Step-by-Step Checklist for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 - Control MP.L2-3.8.4: Labeling Physical and Electronic Media with CUI

Practical, step-by-step guidance for small businesses to implement MP.L2-3.8.4: properly labeling physical and electronic media containing Controlled Unclassified Information (CUI) to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.

April 22, 2026
4 min read


Labeling physical and electronic media that contain Controlled Unclassified Information (CUI) is a deceptively simple control with outsized impact. Implemented correctly, it reduces accidental disclosure, simplifies handling and disposal, and gives an assessor concrete evidence of adherence to NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2. This checklist gives small businesses a concrete, step-by-step approach to meeting MP.L2-3.8.4.

What MP.L2-3.8.4 requires (practical interpretation)

The underlying NIST SP 800-171 Rev.2 requirement (3.8.4) reads: mark media with necessary CUI markings and distribution limitations. In plain terms, organizations must mark and label media, both physical (USB drives, optical discs, printed documents) and electronic (files, containers, cloud objects), so that personnel can readily identify material containing CUI and apply the correct handling and distribution restrictions. For small businesses this means defining consistent label formats that follow the CUI marking conventions (banner, category, any limited dissemination control), embedding labels in file metadata where possible, and ensuring physical labels are durable and linked to your asset inventory and sanitization workflows.

Step-by-step implementation checklist

1) Build or update your labeling policy and procedures

Create a written policy that defines what constitutes CUI in your environment, who may mark and unmark media, the approved label formats, and the steps for onward transfer, storage, and destruction. Include examples and a decision tree, e.g., "If the data is controlled technical information received or generated under a DFARS 252.204-7012 contract, mark it as CUI; if it is public-facing, no label." Capture this in your System Security Plan (SSP) and add a POA&M entry for any gap you cannot close immediately.

2) Define standard label contents and templates

Standardize the visual and machine-readable components of labels. A human-readable label for physical media should carry the CUI banner with its category marking (e.g., "CUI//SP-CTI" for Controlled Technical Information), any limited dissemination control (e.g., "NOFORN", no foreign dissemination), the owner/point-of-contact, the date created, and a media ID or barcode. Example: "CUI//SP-CTI//NOFORN // Owner: ACME Eng // Media ID: USB-2026-001 // Handling: Do not remove from secured facility." For electronic labels, define the equivalent metadata fields: classification (the same banner string used on physical labels, so one canonical value can be matched by scanners and DLP rules), owner, creation date, expiration, and handling instructions.

3) Implement electronic labeling techniques (technical details)

Use available technical controls to embed the classification: apply Microsoft Purview sensitivity labels or SharePoint/OneDrive metadata columns for Office documents; for PDFs use XMP metadata plus a visible header/footer stamp, since metadata alone is invisible to a reader. For files on Linux, use extended attributes (xattr) such as user.cui_classification="CUI//SP-CTI"; note that user xattrs survive only on filesystems that support them (ext4, XFS, tmpfs, not FAT/exFAT and not every SMB or NFS share) and only when copied with tools that preserve them (cp --preserve=xattr, rsync -X), and that anyone with write access to the file can change them, so they are a marking, not an access control. For S3 objects, add user metadata (x-amz-meta-classification="CUI//SP-CTI"); S3 object metadata is fixed at upload, so relabeling an existing object means copying it over itself with the new metadata. Where possible, integrate labeling with DLP and CASB so automated classification applies labels based on content scans or data patterns (e.g., keywords, regular expressions matching contract numbers or SSNs).

4) Label physical media and link to inventory

Purchase durable, tamper-evident labels (polyester or laminated) and create a media inventory/CMDB record for each item. Apply unique IDs (human-readable plus barcode/QR) to every USB drive, external drive, CD/DVD, and printed binder. The inventory record should include media ID, contents description, owner, location, date last scanned, encryption status, and disposition date. Example: a small engineering shop assigns a serial ID to each USB drive and logs check-in and check-out with timestamps whenever a contractor borrows one.

5) Integrate labeling into handling, encryption and disposal workflows

Labels must not be the only control. Ensure all labeled media containing CUI are encrypted and covered by access controls. NIST SP 800-171 3.13.11 requires FIPS-validated cryptography when encryption is used to protect the confidentiality of CUI, so use FIPS 140-2/140-3 validated modules; platform tools such as BitLocker or macOS FileVault are acceptable for whole-disk encryption only in a configuration whose cryptographic module appears on the CMVP validated list. Define and document chain of custody for transfers, require authorization before labeled media leaves a facility, and apply NIST SP 800-88 sanitization procedures before reuse or disposal. Record every sanitization and removal event against the media ID in your inventory.

6) Train users and automate where possible

Provide role-based training that shows examples of correct and incorrect labeling, how to add metadata, how to scan barcodes into the inventory system, and what to do when CUI is found unlabeled. To reduce human error, automate labeling with DLP policies, document templates that insert headers and footers (prefer templates and platform sensitivity labels over Office macros, which many hardened environments block), and scripts that set extended attributes at file creation or during a periodic scan of shared storage. Conduct tabletop exercises simulating lost media to validate the process end to end.
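The following script, an added example that is not code from the original article, ties steps 3 and 6 together: it classifies file content with regular expressions, stamps the result into the user.cui_classification extended attribute described above, and runs the kind of label-versus-content audit a quarterly sampling would perform. The detection rules, label names, label precedence, and sample files are all constructed for illustration and stand in for your own CUI decision tree; the contract-number and SSN patterns are deliberately simplified.

```python
"""Content-based CUI labeling for electronic files (steps 3 and 6 of the checklist).

Added example, not code from the original article. Assumptions (hypothetical):
  - the detection rules below stand in for your organization's CUI decision tree;
  - labels live in the Linux user xattr 'user.cui_classification' (ext4/XFS/tmpfs
    support user xattrs; FAT/exFAT and many network shares do not) and are
    mirrored as S3 object metadata when the file is uploaded.
"""
import errno
import os
import re
from typing import Optional

XATTR_NAME = "user.cui_classification"

# Label precedence: higher rank = more restrictive handling. Constructed for the example.
LABEL_RANK = {"CUI//SP-PRVCY": 1, "CUI//SP-CTI": 2}

# Constructed detection rules: (label, compiled pattern). Tune to your environment.
RULES = [
    # An explicit banner already placed by a person or by a document template.
    ("CUI//SP-CTI", re.compile(r"\bCUI\s*//\s*SP-CTI\b")),
    # A reference to the DFARS safeguarding clause is a strong CTI signal.
    ("CUI//SP-CTI", re.compile(r"\bDFARS\s+252\.204-7012\b")),
    # DoD contract number shape: DoDAAC-FY-type-serial, e.g. W912DQ-24-C-0001 (simplified).
    ("CUI//SP-CTI", re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b")),
    # US SSN shape; simplified, so expect false positives on part and serial numbers.
    ("CUI//SP-PRVCY", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]


def classify_text(text: str) -> Optional[str]:
    """Return the most restrictive label any rule matches, or None if no CUI indicator is found."""
    best = None
    for label, pattern in RULES:
        if pattern.search(text) and (best is None or LABEL_RANK[label] > LABEL_RANK[best]):
            best = label
    return best


def read_label(path: str) -> Optional[str]:
    """Read the xattr label; None when absent (ENODATA) or unsupported by the filesystem."""
    try:
        return os.getxattr(path, XATTR_NAME).decode()
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def write_label(path: str, label: str) -> None:
    """Stamp the label; fail loudly where xattrs cannot be stored instead of silently skipping."""
    try:
        os.setxattr(path, XATTR_NAME, label.encode())
    except OSError as exc:
        if exc.errno == errno.ENOTSUP:
            raise RuntimeError(f"{path}: filesystem cannot hold xattr labels; "
                               "move the file or record the label in the inventory") from exc
        raise


def audit_action(current: Optional[str], detected: Optional[str]) -> str:
    """Decide what the audit does for one file: 'ok', 'label', 'relabel', or 'review'."""
    if detected is None:
        return "ok" if current is None else "review"   # labeled, but no indicator in content
    if current == detected:
        return "ok"
    if current is None:
        return "label"                                  # unlabeled CUI: stamp it now
    # Under-labeled files are raised automatically; downgrades need a human decision.
    return "relabel" if LABEL_RANK[detected] > LABEL_RANK.get(current, 0) else "review"


def audit(paths) -> dict:
    """Compare stored labels with content; stamp missing or under-labeled files, report the rest."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            detected = classify_text(fh.read())
        action = audit_action(read_label(path), detected)
        if action in ("label", "relabel"):
            write_label(path, detected)
        report[path] = action
    return report


def s3_metadata_headers(label: str, owner: str, media_id: str) -> dict:
    """Mirror the label as S3 user metadata headers for an upload.
    boto3's put_object(Metadata=...) takes the same keys without the 'x-amz-meta-' prefix."""
    return {
        "x-amz-meta-classification": label,
        "x-amz-meta-owner": owner,
        "x-amz-meta-media-id": media_id,
    }


if __name__ == "__main__":
    import tempfile
    # Constructed sample files standing in for a shared drive being audited.
    samples = {
        "design-notes.txt": "Drawings under contract W912DQ-24-C-0001, see DFARS 252.204-7012.",
        "hr-roster.txt": "Employee 123-45-6789 started in March.",
        "press-release.txt": "ACME Engineering announces a new facility.",
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, body in samples.items():
            p = os.path.join(tmp, name)
            with open(p, "w", encoding="utf-8") as fh:
                fh.write(body)
            paths.append(p)
        for path, action in audit(paths).items():
            print(f"{os.path.basename(path)}: {action} -> {read_label(path)}")
```

Run it on a Linux filesystem that supports user xattrs; it reports "label" for the two constructed CUI files and "ok" for the press release, and a second run reports "ok" for all three. The audit never downgrades a label on its own: a file marked CUI//SP-CTI whose content only trips the privacy rule is returned as "review", because a false negative in a regex is far cheaper to tolerate than a silent unmarking.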

Risks of not implementing MP.L2-3.8.4

Failure to properly label media increases the risk of accidental disclosure, uncontrolled distribution, and improper disposal, events that can lead to loss of DoD contracts, corrective action plans, financial penalties, and reputational damage. From a technical perspective, unlabeled electronic files escape DLP and content-scanning rules that key on the label and can propagate to cloud services or personal devices, multiplying breach impact. Noncompliance will also surface during assessments as findings that must be tracked in your SSP and POA&M.

Compliance tips and best practices

Keep labels simple and enforceable: a small business should aim for one established label per CUI category and build it into the tools employees already use. Maintain an authoritative inventory tied to the labels and require encryption. Use automated classification where practical, and run periodic audits (quarterly sampling) that compare each label against the content it marks. Map labels to other controls (access control lists, backup policies, retention and sanitization) and keep your labeling policy versioned in a revision-controlled document repository.

In summary, MP.L2-3.8.4 is an actionable control: document your policy, standardize label formats (human- and machine-readable), embed electronic labels via metadata and platform features, physically mark and inventory media, require encryption and sanitized disposal, and train staff. For small businesses, automation and a lightweight inventory/chain-of-custody system deliver outsized benefits in reducing risk and demonstrating compliance during assessments.
