NIST 800-53 r5 · Controls catalogue · Family MP
MP-3Media Marking
Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (4)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Media marking ensures sensitive information on removable or system media is handled according to its classification, reducing the chance of inadvertent exposure to unauthorized actors. |
CWE-284 | Improper Access Control | 4,832 | Markings provide explicit guidance on distribution limits and handling caveats, directly supporting enforcement of access controls for physical and logical media. |
CWE-285 | Improper Authorization | 1,230 | Security markings on media enable correct authorization decisions by indicating required protections before media is accessed, transferred, or reused. |
CWE-668 | Exposure of Resource to Wrong Sphere | 779 | Marking prevents media containing sensitive data from being moved or accessed within an inappropriate security sphere by making sensitivity visible to handlers. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||