Prepared by NISP Authorization Office (NAO) 04/01/2018 v1.1
with all systems authorized under RMF, the correct balance of security commensurate
with risk is found by using the tailoring process.
18. What are the "security markings" required by DAAPM and control MP-3?
The contractor is required to follow both the NISPOM and DAAPM. The DAAPM is the
manual that provides the "additional security controls."
NISPOM 8-101 states: The contractor will maintain an ISs security program that
incorporates a risk-based set of management, operational, and technical controls,
consistent with guidelines established by the CSA.
NISPOM 8-300 states: Additional security controls may be provided by the CSA to
establish the baseline security control set required for each IS processing classified
information.
NISPOM 4-200 states: Physically marking classified information with appropriate
classification markings serves to warn and inform holders of the information of the
degree of protection required. Other notations facilitate downgrading, declassification,
and aid in derivative classification actions. Therefore, it is essential that all classified
information and material be marked to clearly convey to the holder the level of
classification assigned, the portions that contain or reveal classified information, the
period of time protection is required, the identity (by name and position or personal
identifier) of the classifier, the source(s) for derivative classification, and any other
notations required for protection of the information.
NISPOM 8-302g.(1) states: Mark, label, and protect ISs media to the level of
authorization until an appropriate classification review is conducted and resultant
classification determination is made.
The DAAPM (Appendix A) MP-3 Supplemental Guidance states that security markings
refer "to the application/use of human readable security attributes."
19. Does DAAPM MP-3 require volatile hardware component security markings to
include CLASSIFIED BY, DERIVED FROM, and DECLASSIFY ON?
MP-3 marking requirements include "distribution limitations, handling caveats, and applicable
security markings (if any) of the information." In addition, the NISPOM must be
referenced for additional media marking information. It is important to note that the
intent of the markings is to ensure that the classification of the item is clear to the holder
(NISPOM 4-200) so that proper protection can be provided.
DSS recognizes forms of media as special types of material generally containing multiple
files and coming in all shapes and sizes, which makes marking and labeling more
difficult than for individual documents. Such media often contain both unclassified and
classified documents and may include multiple categories of information and/or handling
caveats. Therefore, the highest classification of any classified item contained within the
media (overall marking) along with any and all associated categories/caveats (e.g.,
CNWDI, NATO) will be conspicuously marked (stamped, printed, etched, written,
engraved, painted, or affixed by means of a tag, sticker, decal, or similar device) on the
exterior of such material (or, if such marking is not possible, on documentation that
accompanies the media) so it is clear to the holder (NISPOM 4-203).
If each document on a removable device contains all of the required information for that
document, only the overall classification and associated caveats markings must be
marked on the exterior of the device. Other notations such as names, addresses,
subjects/titles, source of classification and declassification instructions are not necessary