Compliance at the Point of CUI Creation
Ensure compliance at the time of CUI creation with essential steps for defense contractors.
Most CUI handling problems don't start with someone deliberately mishandling sensitive information. They start in the first 60 seconds after CUI is created — before anyone has thought about marking, routing, or storage. An engineer opens a Word document, drafts a technical specification that contains export-controlled data, saves it to the desktop, and then Dropbox syncs it to their personal account. The problem is already outside your control before the document is finished.
Getting compliance right at the point of creation means your controls have to be embedded in the workflow, not bolted on after the fact.
What "Creation" Actually Means
CUI enters your organization in one of two ways: it is created or it is received. Either event triggers your handling obligations immediately.
Created: A person in your organization generates new CUI. This includes:
- Writing a technical document with controlled technical information
- Drafting an acquisition-sensitive price proposal
- Creating personnel records for individuals covered under privacy categories
- Developing engineering drawings with DoD-specific performance requirements
Received: You receive CUI from the government, a prime contractor, or another source. This includes:
- A contracting officer emails you a statement of work that contains sensitive acquisition information
- The government provides GFI (Government Furnished Information) in the form of classified-unclassified technical data
- A prime contractor shares program-sensitive requirements
The decision point: who makes the designation call?
When your organization creates CUI, someone in your organization must determine it qualifies as CUI and apply the marking. That's a human decision. The category designation comes from one of three sources:
- Your contract specifies it: The contract or a Contract Data Requirements List (CDRL) tells you what information qualifies as CUI on this program. This is the easiest case — follow the contract.
- The CUI Registry determines it: If the information qualifies under a category in the CUI Registry (archives.gov/cui), it's CUI regardless of whether the contract mentions it. For example, Controlled Technical Information qualifies as CUI if it meets the definition under the applicable export control regulations, even if your contracting officer didn't explicitly call it out.
- The originating agency designated it: When you receive CUI already marked by a government agency or prime contractor, their designation is authoritative. You apply the same category and handling requirements they specified.
If you're genuinely uncertain whether something qualifies as CUI, the correct action is to treat it as CUI and consult your contracting officer or the originating agency. Over-designation has costs (more systems in scope, more handling burden) but is recoverable. Failure to designate CUI that later gets exposed is not.
What Must Happen at Creation
Step 1: Apply the marking immediately. The document, file, email, or drawing gets marked at the time it's created or received — not after it's been reviewed and approved, not at the end of the day, not when you remember.
For a document: CUI banner in the header and footer of every page. Designation indicator on the first page. If you're using a CUI document template (and you should be), this happens automatically when you open the template.
For an email you're composing with CUI: "CUI" in the subject line. CUI banner at the top of the body. Send only through your authorized encrypted email channel.
For an email you receive that contains CUI: it's already marked if the sender followed their obligations. Route it immediately to an authorized storage location — not your local inbox on a personal device, not your commercial Outlook if your contract requires GCC High.
Step 2: Route it to an authorized system. CUI must live in your CUI boundary. The creation location and the final resting location need to be inside that boundary. Documents created on systems outside the CUI environment need to be moved immediately and the originating copy deleted from the unauthorized location.
This is where the Dropbox-and-personal-device problem becomes concrete. If your CUI document template is in SharePoint GCC High but your employee opens a blank file on their personal Mac, drafts it, and then uploads it — the personal Mac was an unauthorized processing location. For most small contractors, the practical control is: CUI work happens on managed, enrolled devices only, with DLP policies (Microsoft Purview, for example) that block file saves to unauthorized locations.
Step 3: Log it if required. Some CUI — particularly CUI Specified with export control implications — requires tracking or registration. Your contracts may specify additional notification or registration requirements. Most CUI Basic does not require a creation log, but maintaining one is useful for lifecycle tracking and eventual disposition.
Building CUI Creation Into Your Workflow
The point of operationalizing creation compliance is to make the right behavior the easy behavior. Your people shouldn't have to think hard to comply — the environment should guide them toward compliance automatically.
Document templates: Build CUI templates for every format your organization uses: Word, PowerPoint, Excel, PDF cover sheets. Each template includes:
- The CUI banner pre-formatted in the header and footer
- A designation indicator placeholder on page 1 with fields to fill in (Controlled by, CUI Category, Distribution, POC)
- Instructions at the top (which get deleted before sending) reminding the user to verify the category and distribution limitations
Building a template takes 30 to 90 minutes. Done once, it eliminates the most common marking failure permanently.
Email guidance: A short job aid (one printed page or a desktop wallpaper image) that shows employees the correct format for CUI emails: subject line prefix, body banner, approved recipients, approved sending system. Laminate it and put it near every workstation that sends CUI.
Onboarding walkthroughs: Before a new employee accesses CUI systems, spend 15 minutes walking them through what CUI looks like in your environment, how to create a document using the CUI template, and where to save it. Make this experiential — have them actually open the template and practice the workflow. Knowledge retained from doing something is stronger than knowledge from watching a slide deck.
DLP policies: Microsoft Purview Information Protection (formerly Azure Information Protection) can auto-classify documents that contain patterns matching CUI categories — Social Security numbers, export control language, technical data keywords — and enforce handling policies automatically. This isn't perfect, and you still need human review, but auto-classification catches the edge cases where an employee creates CUI without recognizing it. Purview is included with Microsoft 365 E3 and higher, including GCC High licensing.
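The pattern-based pre-screen that auto-classification performs, sketched below as an added example that is not from the article or from Microsoft: a Python scan over a constructed set of files that flags Social Security numbers, export-control language and technical-data keywords, records which detectors fired, and queues every hit for the human review the paragraph calls for. The regular expressions and the CUI category hints (PRVCY, EXPT, CTI) are assumptions made for this illustration, not Purview's own sensitive information types.

```python
import re

# Detectors standing in for the three Purview pattern categories the article names.
# Patterns and category hints are assumptions for this example (confirm markers against
# the CUI Registry); they are not Purview's sensitive information types.
DETECTORS = [
    # (detector name, pattern, CUI category hint)
    ("ssn",
     re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
     "PRVCY"),
    ("export_control",
     re.compile(r"\b(ITAR|EAR99|22 CFR 12\d|15 CFR 7[3-7]\d)\b|export[- ]controlled", re.I),
     "EXPT"),
    ("technical_data",
     re.compile(r"\b(technical data package|engineering drawing|performance requirements?)\b", re.I),
     "CTI"),
]


def classify(text):
    """Scan one document body.

    Returns {"hits": {detector: match count}, "categories": sorted category hints,
    "needs_review": True when anything fired}. A hit never applies a marking by
    itself: it proposes one and routes the file to a person, as the article advises.
    """
    hits = {}
    categories = set()
    for name, pattern, category in DETECTORS:
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
            categories.add(category)
    return {"hits": hits, "categories": sorted(categories), "needs_review": bool(hits)}


def triage(files):
    """files: {path: text}. Returns only the files that need a reviewer's decision."""
    results = {path: classify(text) for path, text in files.items()}
    return {path: r for path, r in results.items() if r["needs_review"]}


# Constructed sample files (not real data): one privacy hit, one technical/export hit,
# one clean file that must not be flagged.
SAMPLE_FILES = {
    "hr/onboarding-notes.txt":
        "New hire Jane Example, SSN 123-45-6789, starts Monday.",
    "eng/actuator-spec.txt":
        "Actuator performance requirements per the technical data package; ITAR applies.",
    "shared/lunch-menu.txt":
        "Tacos on Tuesday, pizza on Thursday.",
}

if __name__ == "__main__":
    for path, result in triage(SAMPLE_FILES).items():
        print(f"{path}: {result['hits']} -> suggested {result['categories']} (review required)")
```

The clean file drops out of `triage`, while the engineering specification is flagged for both CTI and EXPT because two detectors fired; that second case is exactly the one where an engineer may not realise the draft is CUI, and why the result goes to a reviewer rather than straight to a label.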
Receiving CUI: The Forwarding Problem
When you receive CUI from the government or a prime contractor, the most common compliance failure is immediate forwarding. Someone gets a CUI-marked email, reads "FYI, see attached" and forwards it to three colleagues and a subcontractor before checking whether those recipients are authorized.
Your procedures need to address receiving CUI explicitly:
- Route incoming CUI to authorized storage immediately
- Do not forward without verifying the recipient's authorization and their system's ability to handle CUI
- If the CUI came to a non-authorized system (personal email, personal device), move it to the authorized environment and document the inadvertent disclosure
AT.L2-3.2.1 (security awareness training) is the upstream control here. If your employees understand what CUI is and why forwarding it blindly is a problem, they'll pause before hitting forward. The training directly supports creation-phase compliance.
Common Mistakes at the Point of Creation
Creating CUI on personal devices. Engineers work where they are. Without clear policy and technical controls, CUI drafting happens on personal laptops, home office desktops, and phones. By the time the document reaches an authorized system, it's been processed, temporarily stored, and potentially synced to cloud services outside your control. Enforce device enrollment — CUI work on managed devices only — and make it technically difficult (not just policy-prohibited) to save CUI to unauthorized locations.
Marking the file but not the email. A properly marked CUI document attached to an unmarked email is a half-measure. The email body is itself a CUI communication if it describes, summarizes, or quotes the CUI document. Mark both.
Using "CUI" as a folder name instead of a document marking. Storing files in a folder called "CUI" does not satisfy MP.L2-3.8.4, which requires the media itself (the document) to carry the marking. The folder name is a convenience label. The document banner is the required marking. Both should exist, but only the document marking satisfies the requirement.
No designation indicator. The banner says "this is CUI." The designation indicator says what kind and who controls it. Missing the designation indicator means handlers don't know which category's rules to follow, who to call with questions, or what distribution limitations apply. It's required, and assessors will check for it.
What Your Assessor Expects
For MP.L2-3.8.4, the assessor will pull a sample of CUI documents from your environment and check:
- Banner present on every page
- Designation indicator on first page with required fields populated
- Consistency between banner and designation indicator
- Derived documents (new documents that incorporate CUI) properly marked
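The sample checks above, together with the email marking from Step 1 ("CUI" in the subject line, banner at the top of the body), as an added example in Python that is not from the article: it runs the assessor's document checks over a constructed page model (each page with a header, footer and body) and the email checks over a subject and body, returning a findings list that is empty when the sample passes. The banner syntax `CUI//<category>` and the `Field: value` layout of the designation indicator are assumptions made for this example; the authoritative formats are in the CUI marking guidance.

```python
import re

# Designation indicator fields the article lists for page 1.
REQUIRED_INDICATOR_FIELDS = ("Controlled by", "CUI Category", "Distribution", "POC")

# Assumed banner shape for this example: "CUI" optionally followed by "//" and
# one or more category markers separated by "/", e.g. "CUI//SP-CTI".
BANNER_RE = re.compile(r"^CUI(//(?P<cats>[A-Z0-9/\-]+))?$")


def parse_banner(line):
    """Return the set of category markers in a banner line, or None if it is not a banner."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    cats = m.group("cats")
    return set(cats.split("/")) if cats else set()


def parse_indicator(text):
    """Read 'Field: value' lines (the assumed indicator layout) into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_document(doc):
    """doc = {"pages": [{"header": str, "footer": str, "body": str}, ...]}.

    Applies the MP.L2-3.8.4 sample checks: banner in header and footer of every page,
    designation indicator fields on page 1, and banner/indicator consistency.
    """
    findings = []
    pages = doc["pages"]
    banner_cats = None
    for n, page in enumerate(pages, start=1):
        for part in ("header", "footer"):
            cats = parse_banner(page.get(part, ""))
            if cats is None:
                findings.append(f"page {n}: CUI banner missing from {part}")
            elif banner_cats is None:
                banner_cats = cats
            elif cats != banner_cats:
                findings.append(f"page {n}: {part} banner {sorted(cats)} differs from {sorted(banner_cats)}")
    indicator = parse_indicator(pages[0].get("body", "")) if pages else {}
    for field in REQUIRED_INDICATOR_FIELDS:
        if not indicator.get(field):
            findings.append(f"page 1: designation indicator missing '{field}'")
    category = indicator.get("CUI Category")
    if category and banner_cats is not None and category not in banner_cats:
        findings.append(f"designation indicator category '{category}' not in banner {sorted(banner_cats)}")
    return findings


def check_email(subject, body):
    """Step 1 email checks: 'CUI' in the subject line and a banner as the first body line."""
    findings = []
    if not re.search(r"\bCUI\b", subject):
        findings.append("subject line lacks 'CUI'")
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    if parse_banner(first_line) is None:
        findings.append("CUI banner missing from top of body")
    return findings


# Constructed samples (not real documents): one that passes and one with three gaps.
GOOD_DOC = {"pages": [
    {"header": "CUI//SP-CTI", "footer": "CUI//SP-CTI",
     "body": "Controlled by: Example Defense Co.\nCUI Category: SP-CTI\n"
             "Distribution: Distribution authorized to DoD and U.S. DoD contractors only\n"
             "POC: J. Example, 555-0100\n\n1. Scope ..."},
    {"header": "CUI//SP-CTI", "footer": "CUI//SP-CTI", "body": "2. Requirements ..."},
]}
BAD_DOC = {"pages": [
    {"header": "CUI//SP-CTI", "footer": "CUI//SP-CTI",
     "body": "Controlled by: Example Defense Co.\nCUI Category: PRVCY\nDistribution: see contract\nPOC:"},
    {"header": "CUI//SP-CTI", "footer": "", "body": "2. Requirements ..."},
]}

if __name__ == "__main__":
    print("good:", check_document(GOOD_DOC))
    print("bad:", check_document(BAD_DOC))
    print("email:", check_email("Status update", "Hi all, see attached."))
```

Running the bad sample surfaces a page with no footer banner, an empty POC field and a category in the indicator that the banner does not carry; the last of those is the inconsistency the third check in the list is looking for, and it is easy to miss by eye because both markings are present.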
They'll also interview employees — specifically, people who regularly create CUI — and ask them to walk through what happens when they draft a document with controlled information. If the employee's process doesn't include marking, routing to an authorized system, and using an authorized transmission method, the assessor has found a gap regardless of what your policy says.
For AC.L2-3.1.3, the assessor verifies that you're enforcing information flows — that CUI created in your environment can't leak to unauthorized systems or recipients. DLP policies, access controls, and approved transmission channels are all evidence for this control.
The creation phase is where your theoretical compliance meets your actual daily operations. If your procedures describe what should happen and your people's daily habits match those procedures, you'll be in good shape. If there's a gap between policy and practice at creation, it will show up in the interview.