MP-03 Media Labeling

Media Protection

Low Moderate High

Description

The organization: (i) affixes external labels to removable information system media and information system output indicating the distribution limitations, handling caveats and applicable security markings (if any) of the information; and (ii) exempts [Assignment: organization-defined list of media types or hardware components] from labeling so long as they remain within [Assignment: organization-defined protected environment].

Supplemental Guidance

An organizational assessment of risk guides the selection of media requiring labeling. Organizations document, in policy and procedures, the media requiring labeling and the specific measures taken to afford such protection. The rigor with which this control is applied is commensurate with the FIPS 199 security categorization of the information contained on the media. For example, labeling is not required for media containing information determined by the organization to be in the public domain or to be publicly releasable.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

A.5.13, A.7.10

ISO 27002:2022

5.13, 7.10

COBIT 2019

APO14, BAI09

CIS Controls v8

CIS 3

PCI DSS v4.0.1

9.4

FINOS CCC

CCC-C16

ISO 42001:2023

A.7.4

MAS TRM

11

ANSSI

Hygiene.8, SecNumCloud.9.2

FINMA Circular 2023/1

IV.D(78), IV.D(79), IV.D(80)

OSFI B-13

B-13.3.2

EU GDPR

Art.5(1)(f), Art.9(1)

EU DORA

Art.8(1)

BIO2

5.13, 7.10

RBI CSF

Annex1.12

FISC Security Guidelines

FISC.F4, FISC.O9

LGPD + BCB 4893

LGPD.Art.11

HKMA TM-E-1

TME1.7.2

MLPS 2.0

8.1.10.1

SAMA CSF

3.9

NCA ECC

2-7

UAE IA

T4

CBB TM

TM-9

Qatar NIA

AM

CBUAE

CR-5

CBE CSF

CTO-2

SA JS2

JS2-8.2

CBN CSF

Part3.4

BoG CISD

CISD-V

BCBS 239

Principle 11

FFIEC IS

II.C.13

HIPAA Security Rule

§164.310(d)(1)

ECB CROE

CROE.2.3.3

BOT Cyber Resilience

Ch2.3

CMMC 2.0

MP

Solvency II

DR.266-DataSec

Lloyd's Minimum Standards

MS8.7

HITRUST CSF v11

07.b, 09.f

ISO 27799

5.38.2

ISO 17799 (legacy)

7.2.2, 10.7.3, 10.8.2, 15.1.3

COBIT 4.1 (legacy)

DS11.6