Understanding CUI Markings

EXECUTIVE BRIEF
Understanding how to properly mark and manage Controlled Unclassified Information (CUI) is essential for defense contractors operating within the Department of Defense (DoD) supply chain. This blog outlines key requirements, responsibilities, and best practices to ensure compliance with CUI regulations.
- CUI includes unclassified but sensitive information that, if mishandled, can lead to lost contracts, reputational damage, or legal penalties
- There are two main types of CUI—Basic and Specified—each with distinct safeguarding requirements
- Organizational Index Groupings further classify CUI and influence the level of certification needed. Contractors handling CUI under the Defense grouping must complete a Certified Third-Party Assessor Organization (C3PAO) assessment to meet Cybersecurity Maturity Model Certification (CMMC) Level 2
- Proper markings, including banners, portion labels, and designation indicators, help ensure consistent identification and protection of CUI
CUI is a critical component of national security and compliance for DoD subcontractors. Properly marking and handling CUI is not just a technical requirement—it's a legal and contractual obligation. Failing to comply can lead to penalties, loss of contracts, or even civil liability under laws like the False Claims Act.
CUI refers to sensitive but unclassified data that requires safeguarding under federal law, regulation, or government-wide policy. In the defense sector, this includes information such as:
- Export control data
- Controlled technical information (CTI)
- Legal and procurement documents
CUI plays a pivotal role in protecting national interests and intellectual property, especially as threats to federal supply chains grow more sophisticated. DoD subcontractors who handle this data must understand their responsibilities to avoid compliance gaps.
CUI Basic vs. CUI Specified
CUI is categorized into two types:
- Basic: Requires baseline safeguarding measures consistent across all agencies
- Specified: Subject to additional handling requirements defined by the specific law or policy that governs it
Examples:
- Basic: PII in personnel files
- Specified: Export-controlled technical drawings governed by the International Traffic in Arms Regulations (ITAR)
CUI Specified often involves stricter dissemination controls.
What Are CUI Organizational Index Groupings?
In addition to understanding the type of CUI you're handling, it is equally important to know its Organizational Index Grouping. This classification determines which compliance path is required under the CMMC framework. For example, any contractor handling CUI categorized under the Defense grouping will need a C3PAO assessment to achieve CMMC Level 2 certification. Contractors dealing with CUI in other groupings may qualify for CMMC Level 2 (Self) certification, depending on the nature and sensitivity of the information. However, prime contractor flowdown requirements may require a subcontractor to be able to handle CUI within the Defense grouping, resulting in a Level 2 (C3PAO) certification requirement.
Organizational index groupings categorize CUI based on the nature of the information and the risks associated with its exposure. For example, the defense grouping includes technical information and operations security, while the export control grouping covers data regulated under frameworks like the Export Administration Regulations and the ITAR. These groupings are not just labels—they directly influence your compliance obligations under the CMMC framework. Contractors handling CUI within the defense grouping will require CMMC Level 2 certification through a third-party assessment conducted by a C3PAO. As a result, approximately 75–80% of the Defense Industrial Base (DIB) is expected to fall under this requirement.
Understanding CUI Markings
CUI markings are required to clearly indicate the presence and category of protected information. These include:
- Banner Marking: Appears at the top of each page; e.g., "CUI"
- Portion Marking: Applied to specific paragraphs or sections (if required); e.g., (CUI)
- CUI Designation Indicator: Identifies the origin and authority; includes agency name and contact info
Example:
CUI
Department of Defense
CTI
Contact: fso@company.com
Who Is Responsible for Applying CUI Markings?
Responsibility for CUI marking is shared across:
- Executives and Facility Security Officers (FSOs)
- IT and cybersecurity teams
- Authorized users handling CUI
- Authorized individuals at the authorizing government agency
Everyone in the chain of custody must understand marking and safeguarding obligations. Lack of awareness is not a defense against noncompliance.
Consequences of Failing to Protect CUI
Failure to properly mark, handle, or safeguard CUI can result in serious consequences for defense contractors:
- Contracts with the DoD may be terminated, jeopardizing both current projects and future business opportunities
- Noncompliance may lead to legal penalties, including civil fines under the False Claims Act
- A failure to secure CUI can severely damage an organization’s reputation and erode trust among government partners
- Mishandled CUI may result in the loss of sensitive U.S. intellectual property, posing a direct threat to national security
Every contractor in the DIB shares the responsibility to prevent these outcomes through vigilant compliance and proper data protection.
How to Handle CUI in Emails
To securely email CUI:
- Use FIPS 140-2 validated encryption (Transport Layer Security or end-to-end)
- Include a CUI-marked cover sheet
- Limit recipients to those with a need to know
- Apply dissemination controls such as “Not Releasable to Foreign Nationals (NOFORN)” when required, in accordance with the CUI Marking Handbook
How to Apply and Decontrol CUI Markings
Applying Markings
- Add a banner marking to each page of the document
- Include portion markings where necessary
- Insert a designation indicator at the bottom or in a footer
- Use document management tools to apply labels and audit access
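The marking checks described above (banner on every page, portion markings where required, and a designation indicator with agency name and contact) can be automated as part of a document management workflow. The following script is an added example, not ISI's tooling or the CUI Marking Handbook's own format specification; it assumes plain-text pages whose first line is the banner and whose last three lines are the designation indicator, and the sample pages are constructed.

```python
import re
from dataclasses import dataclass, field

# Banner marking: first line of each page is "CUI", optionally carrying
# dissemination controls after "//" (e.g. "CUI//NOFORN").
BANNER_RE = re.compile(r"^CUI(//[A-Z0-9/-]+)?$")
# Portion marking: a paragraph starts with "(CUI)", or "(U)" for an
# uncontrolled portion inside a CUI document.
PORTION_RE = re.compile(r"^\((CUI|U)\)\s")
# Contact line of the designation indicator (assumed layout, modelled on
# the example earlier in the post).
CONTACT_RE = re.compile(r"^Contact:\s*\S+@\S+$")


@dataclass
class MarkingReport:
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def check_document(pages, agency="Department of Defense",
                   require_portion_marks=False) -> MarkingReport:
    """Validate banner, designation indicator and (optionally) portion
    markings on every page. `pages` is a list of page strings; blank lines
    separate paragraphs."""
    report = MarkingReport()
    for num, page in enumerate(pages, start=1):
        lines = [ln.strip() for ln in page.strip().splitlines()]
        if not lines or not BANNER_RE.match(lines[0]):
            report.findings.append(f"page {num}: missing or malformed CUI banner")
        footer = lines[-3:]  # designation indicator lives in the page footer
        if agency not in footer:
            report.findings.append(f"page {num}: designation indicator lacks agency name")
        if not any(CONTACT_RE.match(ln) for ln in footer):
            report.findings.append(f"page {num}: designation indicator lacks contact line")
        if require_portion_marks:
            body = "\n".join(lines[1:len(lines) - 3])
            for para in re.split(r"\n\s*\n", body):
                para = para.strip()
                if para and not PORTION_RE.match(para):
                    report.findings.append(f"page {num}: unmarked portion: {para[:30]!r}")
    return report


# Constructed sample pages: page 1 is fully marked, page 2 lacks a portion
# mark, page 3 lacks both the banner and the contact line.
SAMPLE_PAGES = [
    "CUI\n\n(CUI) Drawing tolerances for the actuator housing.\n\n"
    "Department of Defense\nCTI\nContact: fso@company.com",
    "CUI//NOFORN\n\nAssembly steps for the actuator housing.\n\n"
    "Department of Defense\nCTI\nContact: fso@company.com",
    "Page three has no banner at all.\n\nDepartment of Defense\nCTI",
]
```

Running `check_document(SAMPLE_PAGES, require_portion_marks=True)` reports the three defects above; a clean page set returns a report with `compliant == True`.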
Decontrolling CUI
Before any information is decontrolled, it must be formally reviewed to determine whether it no longer requires safeguarding. This process is critical to ensure sensitive data isn't prematurely released or mishandled. Only authorized individuals or agencies have the authority to perform decontrol actions. Even after decontrol, the information may still be sensitive and should not be considered public without further clearance. Always verify with your FSO or the contract’s controlling agency before treating information as unrestricted. For detailed guidance, refer to the National Archives and Records Administration’s decontrol guidance.
Regulatory Frameworks Governing CUI
Several key frameworks define how CUI must be handled:
- Defense Federal Acquisition Regulation Supplement 252.204-7012: Requires protection of CUI and reporting of cyber incidents
- National Institute of Standards and Technology SP 800-171: Defines 110 controls for protecting CUI in nonfederal systems
- 32 Code of Federal Regulations Part 2002: Outlines uniform CUI handling rules across agencies
- CMMC: Verifies contractors’ ability to protect CUI through maturity level certifications
CUI categories and requirements are managed by NARA and the Information Security Oversight Office (ISOO). See the full ISOO CUI Registry.
How ISI Helps with CUI Compliance
ISI offers full-spectrum support for defense contractors needing to comply with CUI requirements:
- Compliance consulting and readiness assessments
- Document marking tools and templates
- Performing a CUI scan to determine and diagram where CUI flows through your systems
- GRC tool or platform to track, manage, and audit CUI assets
- Tailored training for FSOs and staff
Whether you're preparing for CMMC Level 2 or responding to new contractual clauses, ISI simplifies the compliance process while strengthening your security posture.
FAQs
What is the ISOO CUI Registry and its purpose?
The ISOO CUI Registry categorizes types of CUI and outlines the safeguarding and dissemination rules that apply to each category.
How do you properly label documents containing CUI?
Each document should have a banner marking, portion markings if required, and a CUI Designation Indicator.
What tools can help automate CUI compliance?
Tools like classification labels in Google Workspace and Microsoft Purview can help apply markings and manage access.
What’s the difference between FOUO and CUI?
For Official Use Only (FOUO) was a legacy designation. CUI replaces it with standardized handling requirements across agencies.
How long must CUI be retained and protected?
Retention depends on contract and agency policies. CUI must be protected if it retains its designation and sensitivity.
What are the penalties for mishandling CUI?
Penalties include contract loss, False Claims Act liability, financial penalties, and reputational harm. In some cases, national security implications may apply.