Who is Responsible for Applying CUI Markings?
Learn exactly who is responsible for applying markings and how to handle Controlled Unclassified Information (CUI).

If you work with the Department of Defense (DoD) or any federal agencies, you’ve likely been having a lot of conversations about Controlled Unclassified Information (CUI).
CUI is a category of information that isn’t classified, but still requires safeguarding from all parties that come into contact with it. Ensuring that you handle CUI correctly is an essential part of working with any federal agency.
In this guide, we’ll cover CUI marking, what it is, and who’s responsible for applying markings to CUI.
What is CUI?
Controlled Unclassified Information (CUI) is a category of sensitive Federal government information that is unclassified but still requires strict safeguarding and protection. The CUI program was put in place by the U.S. government to standardize how data is shared and protected. It was introduced under Executive Order 13556 to replace designations like For Official Use Only and Law Enforcement Sensitive, which had different, sometimes conflicting rules.
The CUI program is overseen by the Information Security Oversight Office (ISOO), which sits under the National Archives and Records Administration (NARA).
CUI is the day-to-day operational data that the government creates or possesses, or that an organization (like yours) creates or possesses for the government. The government doesn't want this information made public, even if it's not a state secret.
The CUI registry categorizes information into index groupings including:
- Critical Infrastructure: Related to systems and critical infrastructure like energy and water.
- Defense: Military systems and DoD infrastructure. (DoD contractors handling CUI need to meet CMMC Level 2 requirements.)
- Financial: Budget information, consumer complaints, and electronic transfer data.
- Tax: Taxpayer information and tax conventions.
Each category is designated either CUI Basic or CUI Specified. Here’s what you need to know about each type of CUI.
CUI Basic vs. CUI Specified
When it comes to CUI markings (more on this soon), you’ll need to know the difference between CUI Basic and CUI Specified.
CUI Basic is the default and most common category of CUI that contractors in the Defense Industrial Base (DIB) work with. The requirements for handling CUI Basic are covered in 32 CFR Part 2002. Basic means that the data must be protected and dealt with appropriately, but it doesn’t require any stricter handling controls or protections.
If you’re a defense contractor working with CUI, you’ll need to implement the NIST SP 800-171 controls and CMMC Level 2.
CUI Specified refers to a subset of CUI that requires additional, enhanced security protections that limit who can access it. For example, DoD data relating to military sales or Export Controlled Information is CUI Specified and must comply with laws like ITAR or EAR.
If you’re working with CUI, you should always consult the CUI Registry, as this will tell you whether the information falls under CUI Basic or CUI Specified.
What are CUI Markings?
All CUI must be clearly marked. This is not optional. Markings ensure that the data is handled appropriately and in line with the specific guidance for that type of CUI (Basic or Specified).
A CUI marking is a mandatory visual label that identifies information as sensitive and dictates how it must be safeguarded.
Markings generally originate from government agencies or prime contractors. However, every organization that handles CUI on behalf of a government agency has the responsibility to ensure the CUI markings stay in place so data isn’t disclosed or shared with people or organizations that shouldn’t have access.
CUI markings ensure that every person or organization who touches the information understands its importance, how to protect it, and how it must be processed and shared. If your organization is a contractor in the DIB and handles CUI
Digital CUI Markings
Any electronic files that contain CUI will have markings in the header and footer, as well as in any key locations that help people identify the content as CUI, so that the appropriate level of care is taken. For example:
- Emails: Should include CUI in the subject lines to let the recipient know that CUI is included within the email. Plus, any attachments to the email that contain CUI should also be marked.
- Files and Documents: Whether it’s a spreadsheet, word document, or slide deck, CUI should be clearly marked. Every page or slide should include CUI somewhere in the header or footer. Also ensure that filenames include CUI so people can see that CUI is contained within the document before they open it.
- Shared Folders: Should include CUI in the folder name if CUI is contained within it. Any digital files containing CUI need to be stored in systems that meet NIST SP 800-171 requirements.
- Images and Screenshots: Must have a watermark identifying them as CUI. If an image is placed within a document or slide deck, the image should be marked as CUI so anyone viewing the information understands how to handle it.
- Chat Tools (like Slack): Any channels where CUI is discussed should include CUI in the channel name. Also ensure only employees who need access can get into those channels.
Physical CUI Markings
Printed documents containing CUI must be clearly labeled as CUI. This usually includes CUI in the header and footer of pages as well as a marking on the front page clearly stating that CUI is contained within the following pages.
Any USB drives or hard drives that contain CUI must also have external CUI labels. And any physical spaces that contain CUI will need to be access controlled (for example: keycard entry or locked cabinets).
Physical documents or media containing CUI also need to be disposed of in ways that are compliant with CUI handling. You can’t just throw them in the office trash can; they need to be destroyed securely in a way that’s CUI compliant.
CUI Banner Marking and Portion Marking
Generally, there are two types of CUI markings: banner and portion marking.
Banner Markings
Banner markings must appear at the top and bottom of every page, slide, or email. Their job is to offer immediate visibility, ensuring anyone who opens the file knows they are handling sensitive data.
A banner can be simple (e.g., CUI) or indicate specific controls (e.g., CUI//EXPORT CONTROLLED). Either way, it must be placed in clearly visible locations: headers and footers for documents, and subject lines and body text for emails.
Portion Markings
Portion markings are granular labels applied to specific paragraphs or bullets, using tags like (CUI) for sensitive data or (U) to indicate that a section contains unclassified information.
Unlike banners, portion markings are generally optional unless your specific contract requires them. However, they are highly useful when mixing public and controlled information in a single document.
Note: If you use portion markings, you must apply them consistently. More importantly, portion markings never replace the banner, so you still need the full CUI marking at the top and bottom of the page even if you’re adding portion markings throughout the content.
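The banner and portion rules above can be checked automatically before a document leaves your environment. The following is an added example, not part of the original guide or any official tool: a small Python check over plain-text exports. The page separator (form feed), the banner position (first and last non-empty line of a page) and the reading of "consistently" as "every paragraph carries a tag" are assumptions made for illustration.

```python
import re

# Banner forms shown in the article: "CUI" or "CUI//<control>" (e.g. CUI//EXPORT CONTROLLED).
BANNER = re.compile(r"^CUI(//\S.*)?$")
# Portion tags named in the article: (CUI) and (U), at the start of a paragraph.
PORTION = re.compile(r"^\((CUI|U)\)\s")


def check_markings(text):
    """Return a list of findings for a plain-text document.

    Assumed layout (not from the article): pages split on form feeds, banner as
    the first and last non-empty line of a page, paragraphs split on blank lines.
    """
    findings, portions = [], []
    pages = [p.strip() for p in text.split("\f") if p.strip()]
    for num, page in enumerate(pages, start=1):
        lines = [ln.strip() for ln in page.splitlines()]
        has_top = bool(BANNER.match(lines[0]))
        has_bottom = len(lines) > 1 and bool(BANNER.match(lines[-1]))
        if not has_top:
            findings.append(f"page {num}: missing top banner")
        if not has_bottom:
            findings.append(f"page {num}: missing bottom banner")
        # Drop the banner lines so only body paragraphs remain.
        first = 1 if has_top else 0
        last = len(lines) - 1 if has_bottom else len(lines)
        for para in re.split(r"\n{2,}", "\n".join(lines[first:last])):
            if para.strip():
                portions.append((num, para.strip()))
    # Portion markings are optional, but once used they must be used throughout.
    if any(PORTION.match(p) for _, p in portions):
        for num, para in portions:
            if not PORTION.match(para):
                findings.append(f"page {num}: paragraph without portion marking")
    return findings


# Constructed sample: page 1 is fully marked; page 2 relies on portion tags
# alone (no banner) and has one untagged paragraph.
SAMPLE = (
    "CUI\n\n(U) Public program overview.\n\n(CUI) Controlled test results.\n\nCUI\n"
    "\f"
    "(U) Schedule summary.\n\nContact list for the program.\n"
)

if __name__ == "__main__":
    for finding in check_markings(SAMPLE):
        print(finding)
```

Page 2 of the sample fails even though its first paragraph is portion-marked, which is the point of the note above: portion markings do not stand in for the banner.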
Who’s Responsible for CUI Markings
A common misconception is that CUI markings are solely the government’s responsibility. While the originating agency (like the DoD) must apply initial markings, the responsibility travels with the data. So if you create CUI or touch CUI, you are responsible for it and must ensure it’s marked appropriately.
Under DoD Instruction 5200.48, the authorized holder of a document or material (which may include DoD personnel as well as prime contractors and subcontractors when so designated) is responsible for determining, at the time of creation, whether the information falls into a CUI category and, if so, for applying the appropriate CUI markings and dissemination instructions.
Your responsibilities generally fall into two buckets:
- Preservation: You must maintain existing markings on any data passed down to you.
- Derivative Marking: If you create a new document (e.g., a CAD drawing or report) based on CUI source material, you must apply the correct markings immediately.
This isn't optional. 32 CFR Part 2002 makes it clear that failing to mark CUI is a failure of contract compliance. If your team finds unmarked data that qualifies as CUI, you are required to fix it, not ignore it.
To summarize, if your organization creates CUI you are required to identify it and apply the correct markings.
Ensure Your Organization Handles CUI Appropriately with Workstreet
If you’re a DoD contractor that’s working towards CMMC or other government-led frameworks like FedRAMP, GovRAMP, CJIS, NIST 800-171, and NIST 800-53, Workstreet can help you get certified faster with our automation-first services and dedicated public sector specialists.
Book a call with our expert team to learn more about how Workstreet can accelerate your path towards compliance.

