How to Mark Controlled Unclassified Information (CUI) (2024)

Identifying and Marking CUI

NIST 800-171 and Cybersecurity Maturity Model Certification require Department of Defense (DoD) contractors to “Mark media with necessary CUI markings and distribution limitations”. A basic tenet of information security is to visually identifyCUI information that requires special protections so authorized users know what special handling controls must be applied. 32 CFR, Part 2002, which applies to both executive branch agencies and defense contractors, requires Controlled Unclassified Information markings to help ensure the data is secure.In this article we will walk you through the process of identifying CUI information and how to apply security CUI markings to physical and electronic media.

What is CUI?

Before we dig into how to mark Controlled Unclassified Information, we should discuss how we got here. CUI is any unclassified information that by law, regulation, or government-wide policy, requires safeguarding or dissemination controls. In 2010, President Obama issued Executive Order 13556 – Controlled Unclassified Information to standardize how CUI is handled by executive branch agencies. The executive order also designated the National Archives and Record Administration (NARA) as the Executive Agent (EA) responsible for implementing the CUI program.

DoD's Implementation of the CUI Program

In its role as the CUI Program Executive Agent, NARA has issued a significant amount of guidance on how to handle (i.e. mark, copy, transport, disseminate, reuse, and destroy) CUI.

NARA maintains the CUI Registry, an online repository for all official information, guidance, policy, and requirements related to handling CUI. However, the CUI Registry currently provides a caveat:

“Agency personnel and contractors should first consult their agency’s CUI implementing policies and program management for guidance.”

For DoD contractors, this leads us to two important points. The DoD has not yet implemented the CUI program as required by EO 13556 and 32 CFR, Part 2002. The Department of Defense will implement the CUI program once the Federal policy is finalized and published within the Federal Acquisition Regulation. Until then, the DoD will identify and protect CUI per the guidance in DoD Manual 5200.01, Volume 4. However, the DoD will likely adopt NARA’s guidance before the end of Fiscal Year 2020, so this blog post will describe NARA’s standards.

The second point to keep in mind, is that when CUI is provided to or generated by DoD contractors, the pertinent contract documents (e.g., contract clause, statement of work, DD Form 254, Security Classification Guide (SCG), and Cybersecurity Classification Guide) should identify the controls and protective measures contractors are expected to apply.

Determine the CUI Category

The originator of media that contains CUI is responsible for determining at origination whether the information may qualify for CUI status and to apply the appropriate security markings. Although the CUI Registry is the authoritative source for information about CUI, you should consult relevant contract documents, the Prime contractor, or government program management office for your initial guidance on how to identify and mark media with necessary cui markings and distribution limitations.

We should emphasize again, that the determination of whether information is deemed CUI is a function of laws, policies, and regulations associated with how information is produced or used. For example, if Company X produces a “Commercial Off the Shelf (COTS)” widget, the engineering drawings, research data, and process sheets are not CUI. But if Company X produces the same widget for the DoD only, those same engineering drawings, research data, and process sheets are CUI and must be marked as such.

CUI Organizational Index Groupings

CUI is broken into 20 broad “Organizational Index Groupings” which are further divided into 124 categories. The CUI Registry provides additional details for each category, to include Category Descriptions, Safeguarding and/or Dissemination Authorities, sanctions for violating handling controls, and if the CUI is “Specified” or “Basic”.

How to Mark Controlled Unclassified Information (CUI) (1)

If the laws, policies, and regulations that designate CUI include specific handling controls, dissemination controls, or sanctions for not protecting CUI, the information is referred to as “CUI Specified”.CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy is not called for. CUI Specified means that a law, policy, or regulation stipulates more than a general requirement to “protect” the information and is not a “higher level” of CUI.

For example, the Organizational Grouping “Defense” is divided into four categories –

  1. Controlled Technical Information
  2. DoD Critical Infrastructure Security Information
  3. Naval Nuclear Propulsion Information
  4. Unclassified Controlled Nuclear Information – Defense

Controlled Technical Information (CTI) is CUI Specified because 48 CFR 252.204-7012 defines CTI and requires defense contractors to implement NIST 800-171. However, DoD Critical Infrastructure Security Information is CUI Basic because the Safeguarding/Dissemination Authority, 10 USC 130e, does not provide any instruction on how the information is to be protected. In fact, 10 USC 130e only authorizes the Secretary of Defense to designate information as critical infrastructure information. To know if information is considered DoD Critical Infrastructure Security Information, you would have to reference the Secretary of Defense’s written determination that designates the information as CUI.

In the two examples we provided, each Category was based on only one Safeguarding/Dissemination Authority. Some Categories have more 15 different authorities you may have to comb through to know if you are dealing with CUI and what protections are required. Fortunately, most defense contractors will likely deal with a limited number of categories of information based on their particular contract or industry. After some initial research you will likely become familiar with the CUI Categories you handle on a regular basis.

How to Mark CUI in Documents

CUI can be found on just about any form of media, to include paper documents, solid state storage devices, optical discs, magnetic disks, and magnetic tapes. The various forms of media have slightly different security marking requirements, but the same basic principle applies to all of them – Clearly identify the media as CUI and who designated it as CUI.

Paper documents must be marked with a Banner Marking and a CUI Designation Indicator. Agencies may choose to use Portion Markings (e.g. marking each paragraph’s Classification like we do in Classified environments) but they are not required by NARA.

1. Banner Marking consists of CUI Control Marking, CUI Category Marking, and Limited Dissemination control markings.

The CUI Control Marking, Category Marking, and Limited Dissemination Control markings are separated by double forward slashes (//). Multiple Category Markings or Dissemination controls are separated by single forward slashes (/). The Banner Marking text is bold, capitalized, black, and centered on the page. The Banner Marking must appear at the top of each page, but top and bottom banner markings are a “best practice”.

How to Mark Controlled Unclassified Information (CUI) (2)

a. CUI Control Marking. Use of either “CUI” or “CONTROLLED” is acceptable but must be applied consistently throughout the document. The CUI Control Marking is mandatory.

b. CUI Category Marking. If multiple CUI Categories are referenced in the document, list each Category. If the document contains CUI Specified, the CUI Category marking must start with “SP-“ and list the specified category. A CUI Category can have both CUI Basic and CUI Specific. It is the authority, not the information, that makes it CUI Basic or CUI Specific so you must know under which authority you designate a document as CUI (see image below). The CUI Category Marking is mandatory.

c. Limited Dissemination Controls place limits on how CUI can be shared. For example, the Limited Dissemination Control “NOFORN” prevents the information from being shared with non-US citizens and governments. Limited Dissemination Controls are not always required, so consult the CUI Registry and your agency for guidance. If they are applied, the only authorized Limited Dissemination Controls are:

  1. No Foreign Dissemination (NOFORN)
  2. Federal Employees Only (FED ONLY)
  3. Federal Employees and Contractors Only (FEDCON)
  4. No Dissemination to Contractors (NOCON)
  5. Dissemination List Controlled (DL ONLY)
  6. Authorized for Release to Certain Nationals Only (REL TO [USA, LIST])
  7. DISPLAY ONLY

How to Mark Controlled Unclassified Information (CUI) (4)

2. CUI Designation Indicator. All documents containing CUI must indicate the designator's agency.

The designation indicator can be accomplished through the use of a letterhead, a signature block that includes the agency, or a “Controlled by” line. The CUI Designation Indicator is required.

3. Portion marking. Agencies may choose to require documents to include portion markings.

Portion markings are placed at the beginning of section to which they apply, such as at the start of a paragraph. Portion markings provide granularity to identify what specific information belongs to specific CUI Categories or has specific Limited Dissemination Controls. For example, the NOFORN Limited Distribution Statement may apply to only one piece of information in the entire document and the use of portion markings would clearly identify what specific information cannot be released to non-U.S. citizens.

How to Mark CUI in Emails

There are only a few differences between the rules for marking printed documents and emails. A Banner Marking will be placed at the top of the email body and the email must carry a CUI Designation Indicator. If you forward an email that contains CUI, you must include all the original CUI markings.

NARA also recommends that senders terminate the Subject Line with the phrase “[Contains CUI]”. If the email includes an attachment that contains CUI, NARA also recommends that the file name indicate the presence of CUI, such as “FileName[CONTAINS CUI].docx”.

How to Mark Controlled Unclassified Information (CUI) (5)

How to Mark CUI on Electronic Storage Media

Due to size restrictions and access difficulties, it can be a bit more challenging to apply security markings to electronic storage media such as DVDs, thumb drives, and hard drives. At a minimum, storage media will include a CUI Control Marking and a CUI Designation Indicator.

How to Mark Controlled Unclassified Information (CUI) (6)
How to Mark Controlled Unclassified Information (CUI) (7)

How to Mark Controlled Unclassified Information (CUI) (8)

CUI Marking on Computers

If you are unable to access internal computer storage media, you must mark the outside of the computer. If you are using government-owned equipment, you can use an SF 902 or SF 903 to mark equipment. The SF 902 and 903 are nearly identical except the SF903 is narrow enough to on a thumb drive. If you are not marking government-owned equipment or if you do not have access to the SF 902 or SF 903, the security markings can be applied with a permanent marker.

How to Mark Controlled Unclassified Information (CUI) (9)
How to Mark Controlled Unclassified Information (CUI) (10)

Summary

You will likely have to invest some additional time to learn how to properly mark media necessary CUI markings and distribution limitations. This article provided a general overview of common situations in which security markings must be applied to media that contain CUI, and what markings are required. However, you may also run into situations which we didn’t discuss in this blog, for instance:

  • The media contain multiple CUI categories.
  • The CUI is mixed with classified information (CONFIDENTIAL, SECRET, or TOP SECRET).
  • You handle different forms of media.
  • You must ship media that contain CUI.

If you are unsure how to mark or otherwise handle CUI, the CUI Registry has numerous resources. Of course, the experts at Totem Technology are here to help.

How to Mark Controlled Unclassified Information (CUI) (2024)

FAQs

How do I mark a document as CUI? ›

At a minimum, CUI markings for unclassified documents will include: The acronym “CUI” at the top and bottom of each page • The CUI designation indicator. Do not add “UNCLASSIFIED” before ”CUI.” Do not add the CUI category to the top and bottom of the page.

What marking at a minimum is required for CUI? ›

At minimum, CUI markings for unclassified DoD documents will include the acronym “CUI” in the banner and footer of the document. portion marked with “(CUI).” Use of the unclassified marking “(U)” as a portion marking for unclassified information within CUI documents or materials is required.

How do I mark CUI in an email? ›

Limited Dissemination Controls Markings by a double forward slash (//). Emails that contain CUI: Must include a Banner Marking above the email text. Must include a Banner Marking above the email text when forwarding or responding CUI received by email.

What is controlled unclassified information CUI answers? ›

What is CUI? CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies. CUI is not classified information.

What color should CUI markings be? ›

Banner Examples #
StateHex ValueFont Color
Unclassified#007a33white
Controlled (CUI)#502b85white
Confidential#0033a0white
Secret#c8102ewhite
2 more rows

What does the marking CUI mean? ›

Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies. CUI SHOULD NOT. BE USED TO: • Conceal violations of the law, inefficiency, or administrative errors.

What are the 3 basic elements of standard CUI banner marking? ›

  • Subject. Line.
  • Indicator. Marking.
  • Optional. Attachment.
  • Indicator. Marking.

What is CUI basic select the correct option? ›

CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not have any specific handling or dissemination requirements. CUI Basic is handled according to the uniform set of controls set forth in the CFR and the CUI Registry.

What are the 2 types of CUI? ›

Unclassified Controlled Technical Information (UCTI) Sensitive but Unclassified (SBU) For Official Use Only (FOUO)

How do you mark CUI in Outlook? ›

On the Name your policy screen, type CUI-CTI.
...
Initial Steps
  1. Select Compliance from the Admin center menu. ...
  2. Select +Create a label. ...
  3. The description for admins will be the same as that of the users. ...
  4. The page to define the scope for this label appears. ...
  5. Click Next. ...
  6. On the Encryption page, check Configure encryption settings.
27 Jul 2021

Can I send CUI to my personal email? ›

The body of the email must not contain any CUI; it must be in an encrypted attachment. The applicable CUI marking must be included at the top of each email.

What is the correct banner marking for unclassified documents with CUI? ›

The CUI banner marking must appear, at a minimum, at the top center of each page containing CUI. of either “CONTROLLED” or “CUI.” Markings are separated by two forward slashes (//).

How do I know if I have CUI data? ›

Labeled information. Some types of information are simple to identify as CUI. “Export control” includes any information that is subject to export control, such as International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR)—this would be CUI.

What is not considered Controlled Unclassified Information? ›

CUI is best understood by first knowing what does not qualify as CUI. Put simply, any information classified under Executive Order No. 13526 and the Atomic Energy Act cannot be considered CUI.

How do you handle CUI? ›

Securing CUI
  1. Level 1 suggests performing basic cyber hygiene practices like installing anti-virus software and regularly changing passwords to safeguard Federal Contract Information (FCI).
  2. Level 2 describes an “intermediate level of cyber hygiene” that begins implementing NIST SP 800-171 requirements to secure CUI.
24 Mar 2022

What color is top secret? ›

As Insider has previously reported, blue cover sheets are used to label "CONFIDENTIAL" documents, red is used to label "SECRET" documents, and orange is used to label "TOP SECRET" documents, for example.

Who is responsible for applying CUI marking? ›

The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.

Can CUI be stored in a locked desk drawer? ›

If such building security is not provided or is deemed inadequate, the information (documents and AIS storage media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI must be placed out of sight during non-working hours.

How do you store information in CUI? ›

After working hours, CUI will be stored in unlocked containers, desks, or cabinets if the government building provides security for continuous monitoring of access. If building security is not provided, the information will be stored in locked desks, file cabinets, bookcases, locked rooms, or similarly secured areas.

What is the purpose of marking classified information? ›

The purpose of marking is to provide required information about classification. This includes alerting the holder to the presence of classified information and specifically identifying what information needs protecting and the level of protection required.

Does CUI need to be encrypted in email? ›

CUI must be encrypted in transit on all devices or when stored at rest on mobile devices. When is FIPS 140-2 not required? CUI may be stored at rest on any non-mobile device or data center, unencrypted, as long as it is protected by other approved logical or physical methods.

What is the correct portion marking for paragraph 3 in the derivative document? ›

3. (C) Paragraph 3 contains “Confidential” information. Therefore, this portion will be marked with the designation “C” in parentheses preceding the portion. ❖ Identify the original classification authority (OCA) by name and position or personal identifier.

Can CUI be taken home? ›

CUI Markings can be removed (or stuck through) when the information has been decontrolled. Decontrolling occurs when an authorized holder, consistent with 32 CFR 2002 and the CUI Registry, removes safeguarding or dissemination controls from CUI that no longer require such controls.

What are the 6 categories of CUI? ›

CUI Categories
  • Ammonium Nitrate.
  • Chemical-terrorism Vulnerability Information.
  • Critical Energy Infrastructure Information.
  • Emergency Management.
  • General Critical Infrastructure Information.
  • Information Systems Vulnerability Information.
  • Physical Security.
  • Protected Critical Infrastructure Information.
13 Apr 2020

What is an example of CUI? ›

Examples of CUI would include any personally identifiable information such as legal material or health documents, technical drawings and blueprints, intellectual property, as well as many other types of data. The purpose of the rule is to make sure that all organizations are handling the information in a uniform way.

Which of the following is not a correct way to store CUI? ›

CUI should not be stored on personal systems. Printing and hard copy storage should be kept to a minimum.

Does CUI replace unclassified? ›

In some cases, CUI designations replace For Official Use Only (FOUO) and Sensitive but Unclassified (SBU) designations and markings.

Is CUI The new Fouo? ›

CUI policy provides a uniform marking system across the Federal Government that replaces a variety of agency-specific markings, such as FOUO, LES, SBU, etc.

Can contractors Mark CUI? ›

Answer: Yes. Contractors need to follow whatever guidelines are in their contract, as the CUI program is an executive branch program CUI requirements do not bind the public, except as authorized by law or regulation or as incorporated into a contract or agreement.

What is CUI basics? ›

CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry.

Who is responsible for protecting CUI answer? ›

Keeping CUI, or Controlled Unclassified Information, protected is the reason regulations such as CMMC and NIST 800-171 exist. But who is responsible for protecting CUI? Ultimately, the Department of Defense (DoD) is in charge of safeguarding classified national security information.

Can I put CUI on Google Drive? ›

Add Google Drive to Your Content Sources

To find CUI data in Google Workspace, click on Add Cloud Source and select Google Drive, which is the de facto storage for Google Workspace. You'll then be prompted to enter the appropriate Google credentials.

How many types of CUI are there? ›

There are seven CUI information types, including Personally Identifiable Information (PII), Sensitive Personally Identifiable Information (SPII), Proprietary Business Information (PBI), Unclassified Controlled Technical Information (UCTI), Sensitive but Unclassified (SBU), For Official Use Only (FOUO) and Law ...

What are examples of controlled unclassified information CUI? ›

Examples
  • CUI Registry Categories.
  • Controlled technical information with military or space application.
  • Protected critical energy infrastructure information, including nuclear reactors and materials.
  • Export control information or materials.
  • Geodetic and geospatial information related to imagery intelligence.

What is not CUI information? ›

However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.

Can you discuss CUI over the phone? ›

You can discuss most CUI over voice telephone lines. The preferred order of phone use for this purpose is first using cellphones and encrypted VoIP (WebEx) lines if available as they are the most secure, POTS (analogue dial tone) lines as the second most secure.

Can you share CUI? ›

Question: CUI can be shared in collaborative environments and forums, to include a teleconference, that meet the required cybersecurity requirements. (NIST SP 800-53 moderate confidentiality, NIST 800-171, or fedramp moderate depending on what the system is and who owns it).

Who is responsible for applying CUI marking? ›

The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.

What are the 2 types of CUI? ›

Unclassified Controlled Technical Information (UCTI) Sensitive but Unclassified (SBU) For Official Use Only (FOUO)

How do I mark an email as CUI in Outlook? ›

On the Information protection page, under Labels, click the ellipses appearing on the CUI group line and select +Add sub-label. This will bring up the screen to name and create a tooltip for your label. In the Name field, enter a designator, such as CUI-Controlled Technical Information.

What are examples of CUI? ›

Examples of CUI would include any personally identifiable information such as legal material or health documents, technical drawings and blueprints, intellectual property, as well as many other types of data. The purpose of the rule is to make sure that all organizations are handling the information in a uniform way.

What are the 6 categories of CUI? ›

CUI Categories
  • Ammonium Nitrate.
  • Chemical-terrorism Vulnerability Information.
  • Critical Energy Infrastructure Information.
  • Emergency Management.
  • General Critical Infrastructure Information.
  • Information Systems Vulnerability Information.
  • Physical Security.
  • Protected Critical Infrastructure Information.
13 Apr 2020

What is not considered CUI? ›

Put simply, any information classified under Executive Order No. 13526 and the Atomic Energy Act cannot be considered CUI. In other words, any classified information labeled “classified,” “secret,” or “top-secret” cannot be designated as CUI.

How do you store information in CUI? ›

CUI must be stored in controlled environments that prevent or detect unauthorized access. Printed CUI documents must be protected by at least one physical barrier, such as a cover sheet or a locked bin/cabinet.

Can CUI be stored in a locked desk? ›

After working hours, CUI will be stored in unlocked containers, desks, or cabinets if the government building provides security for continuous monitoring of access. If building security is not provided, the information will be stored in locked desks, file cabinets, bookcases, locked rooms, or similarly secured areas.

Which of the following is not a correct way to store CUI? ›

CUI should not be stored on personal systems. Printing and hard copy storage should be kept to a minimum.

How do I know if I have CUI data? ›

Labeled information. Some types of information are simple to identify as CUI. “Export control” includes any information that is subject to export control, such as International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR)—this would be CUI.

What are the standard markings for classified information? ›

Portion markings consist of the letters “(U)” for unclassified, “(C)” for “Confidential,” “(S)” for “Secret,” and “(TS)” for “Top Secret.” b. (U) These abbreviations are placed, in parentheses, before the portion, or fter the title to which they apply.

What is CUI basic select the correct option? ›

CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not have any specific handling or dissemination requirements. CUI Basic is handled according to the uniform set of controls set forth in the CFR and the CUI Registry.

Can you send CUI by mail? ›

Yes! CUI can be sent to others via interagency mail systems, USPS, FedEx, UPS, or other commercial delivery services.

What are examples of controlled unclassified information CUI? ›

Examples
  • CUI Registry Categories.
  • Controlled technical information with military or space application.
  • Protected critical energy infrastructure information, including nuclear reactors and materials.
  • Export control information or materials.
  • Geodetic and geospatial information related to imagery intelligence.

What is the correct banner marking for unclassified documents with CUI? ›

The CUI banner marking must appear, at a minimum, at the top center of each page containing CUI. of either “CONTROLLED” or “CUI.” Markings are separated by two forward slashes (//).

Does CUI have to be encrypted? ›

CUI must be encrypted in transit on all devices or when stored at rest on mobile devices. When is FIPS 140-2 not required? CUI may be stored at rest on any non-mobile device or data center, unencrypted, as long as it is protected by other approved logical or physical methods.

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Dean Jakubowski Ret

Last Updated:

Views: 5538

Rating: 5 / 5 (50 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Dean Jakubowski Ret

Birthday: 1996-05-10

Address: Apt. 425 4346 Santiago Islands, Shariside, AK 38830-1874

Phone: +96313309894162

Job: Legacy Sales Designer

Hobby: Baseball, Wood carving, Candle making, Jigsaw puzzles, Lacemaking, Parkour, Drawing

Introduction: My name is Dean Jakubowski Ret, I am a enthusiastic, friendly, homely, handsome, zealous, brainy, elegant person who loves writing and wants to share my knowledge and understanding with you.