​​​​CUI Marking of Documents for CMMC

CUI Marking Guidelines

These guidelines help companies ensure that their CUI is properly marked, especially in the context of CMMC Maturity Levels 3 and up. Proper CUI marking of documents is critical to achieving CMMC Level 3 and above, since the additional controls required to reach these levels pertain exclusively to CUI.

What Does CUI Mean?

CUI stands for controlled unclassified information. This information is controlled but NOT CLASSIFIED. This is an important point, as classified information from the US Government is subject to entirely different protection requirements.

What Is CUI?

Understanding what falls into the category of Controlled Unclassified Information (CUI) is essential. According to the Archives.gov website:

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Simply put, CUI is information that the US government believes to require safeguarding either through laws, regulations, or government-wide policies.

Examples of CUI img

Examples of CUI

The two most common types of CUI are controlled technical information (CTI) and information that is protected by the International Traffic in Arms Regulation (ITAR), which is usually referred to as “ITAR Data.” CTI is most commonly seen in the form of technical drawings, while ITAR information can take many forms.

Most organizations are aware of what is considered ITAR data, but CTI is more difficult to properly identify. This is the first challenge in marking CUI — identifying what information is CUI in the first place.

Identifying CUI

Identifying CUI takes into account many factors that are too numerous to list this page, but the general recommendations we give to our clients are:

  • 1. Confirm with your Prime if the information is CUI or not. It is your Prime’s responsibility to mark any CUI they are sharing with you.

  • 2. Talk to your DoD representative if you are the Prime contractor.

  • 3. Talk to your legal counsel if you are unsure.

Please note that your organization should not start marking all information preemptively as CUI, as this may cause many issues for your company in the future. To help your organization identify CUI, you can find a comprehensive list of CUI at the CUI Registry. Each of these categories has a regulation or law that can be perused to see if it applies to your company and its data attached in PDF format.

CUI Marking of Word Documents

According to the DoD CUI training, all CUI must have the acronym “CUI” in the banner and footer. On the cover page for the CUI, there must also be an additional section known as the “designation indicator,” which has some additional information regarding the CUI contained within the document. This designation indicator must contain the following lines at the minimum and should be located in the lower right corner of the cover page.

  • Controlled By: Name of the DoD component (not required if identified in the Letterhead)

  • Controlled By: Identification of the office making the document

  • CUI Categories: Categories of CUI listed in the document

  • Distribution/Dissemination Control: Such as FEDCON or NOFORN

  • POC: Name and phone number or email of POC

A properly filled out CUI Document should look like the following (as per DoD CUI Identification and Marking training):

GIO CUI Marking of Word-Documents img

The General Services Administration (GSA) provides a CUI marking cover sheet for download here. Here is a real-world example of a properly marked Word document taken from the DoD’s training:

GIO CUI Marking of Word-Documents img

As you can see, there is only one “Controlled by” line in the designation indicator wherein the letterhead already includes the DoD component name. If there is more than one page, the designation indicator block is only required on the first page, while the CUI markings in the banner and footer are required for every page.

We suggest implementing a policy that all documents containing CUI require a cover sheet to ensure that the designation indicator blocks are correctly applied as well as to help make the CUI easy to identify. Easy identification of CUI makes it faster for your company to determine when it isn’t being handled correctly.

Examples of CUI img

Conclusion

This page demonstrates how to apply the proper markings to Word documents. The DoD CUI training also outlines examples for Excel documents and emails. In both cases, the same principles apply: CUI in banner and footer, designation indicator block on the first page.

For more details, see the DoD’s CUI Identification and Marking training.

To ensure that your company is marking CUI properly every time, institute a CUI Labeling Policy so that all employees who handle CUI know what is expected of them.