How to Mark CUI: The Practical Reference

Word count: ~1,960 Specificity markers: (1) NIST/CMMC control — MP.L2-3.8.4, 32 CFR Part 2002, CUI Registry; (2) Cost/time — 30–90 min to create CUI templates; (3) Tool/product names — CUI Registry at archives.gov/cui, ISOO guidance documents, Word/PowerPoint templates; (4) Common mistake — FOUO on documents, strip-cut shredded output on marked docs, missing designation indicator; (5) Decision point — CUI Basic vs. CUI Specified banner format

---

How to Mark CUI: The Practical Reference

This is a reference document. Come back to it when you're not sure how to mark something.

CUI marking is required by 32 CFR Part 2002 and enforced through CMMC requirement MP.L2-3.8.4 (mark media with necessary CUI markings and distribution limitations). The marking rules are standardized — they don't change by agency or contract unless the contract specifies additional requirements. If you're handling DoD CUI, the framework below applies.

The Two Required Elements

Every CUI document has two required marking elements: the banner marking and the designation indicator.

Banner Marking

The banner appears at the top and bottom of every page, in the header and footer. It's a single line. The minimum for CUI Basic:

` CUI `

That's it. If you're handling CUI Basic (standard-protection information with no additional legal restrictions), "CUI" centered in the header and footer of every page is correct.

If the CUI falls under a Specified category (information where a specific law or regulation imposes additional handling requirements beyond the 800-171 baseline), the banner includes the category indicator:

` CUI//SP-[CATEGORY] `

The SP indicates Specified. The category abbreviation follows. Examples:

| Information Type | Banner | |---|---| | CUI Basic (general) | CUI | | Controlled Technical Information | CUI//SP-CTI | | Export Controlled (EAR) | CUI//SP-EXPT | | Privacy Act data | CUI//SP-PRVCY | | Naval Nuclear Propulsion | CUI//SP-NNP | | Proprietary Business Information | CUI//SP-PROPIN |

If a document contains multiple Specified categories, separate them with forward slashes:

` CUI//SP-CTI/SP-EXPT `

Dissemination controls come after a double slash following the category indicator. They limit who can receive the information:

| Control | Meaning | |---|---| | NOFORN | Not releasable to foreign nationals | | FEDCON | Federal employees and contractors only | | FED ONLY | Federal employees only | | DL ONLY | Dissemination list only (specific named individuals) | | NOCON | Not releasable to contractors |

A fully annotated banner for export-controlled CTI not releasable to foreign nationals:

` CUI//SP-CTI//NOFORN `

One more layer: if the document is subject to display limitations (information should not be displayed on screens in publicly visible areas), add DISPLAY ONLY to the designation indicator — not the banner.

Where the banner goes: Header and footer, every page. Font size should be legible but doesn't have to be enormous — 10pt or larger, in the same font as the document header. Make it visible. An assessor shouldn't have to search for it.

Designation Indicator

The designation indicator is a block of information on the first page (or a cover page or cover sheet) that gives the document handler the context to apply the right handling procedures. Required fields:

` Controlled by: [Name of the designating agency] CUI Category: [Category name and abbreviated identifier] Distribution/Dissemination Controls: [Control if applicable, or "None"] POC: [Name and contact information for the designating authority] `

Example:

` Controlled by: Department of Defense CUI Category: Controlled Technical Information (CTI) Distribution/Dissemination Controls: FEDCON POC: Contracting Officer, [Contract Number], [Phone/Email] `

The "Controlled by" field names the government agency that holds authority over this information — typically the Department of Defense for defense contractor CUI. If you're a contractor creating CUI under a DoD contract, "Department of Defense" is correct for most situations. If the CUI originated from another agency (e.g., you received it from DoE), use that agency.

The designation indicator block should be in 10pt or larger font, easily visible on the first page, and distinct from document metadata or title block information.

Marking by Document Type

Word Documents and PDFs

Use a template with the banner in the header and footer, automatically applied to every page. The designation indicator block goes at the bottom of page 1 (before the main content begins) or on a dedicated cover page.

When saving as PDF, verify the header and footer markings survive the conversion. Some PDF conversion tools strip headers and footers. Test your workflow once and confirm the output has markings on every page.

PowerPoint Presentations

Banner in the slide footer, every slide. If you're using Slide Master, add the CUI banner to the Slide Master footer so it appears automatically. Designation indicator on the title slide or the first content slide.

If the presentation will be projected in a meeting: banner should be large enough to be visible from the back of the room (or from a screen share thumbnail). If the content is NOFORN, confirm that all attendees and any screen-share participants are cleared for that dissemination control.

Email

Include the banner in the subject line prefix: CUI: [Your subject] or CUI//SP-CTI: [Your subject]. Place the full banner at the top and bottom of the email body. If your email platform supports automatic classification labels (Microsoft 365 with Purview sensitivity labels), configure a CUI label that applies the subject-line prefix and body banners automatically.

If your email system auto-inserts a signature block, the CUI banner can appear before the signature, not after. The structure is: CUI banner → body content → CUI banner → signature.

Attachments: The attachment must also be marked independently. A CUI-marked email with an unmarked CUI attachment is not fully compliant. The attachment needs its own banner and designation indicator.

Spreadsheets

Banner in the page header, visible when printed or when the print preview shows page breaks. For each worksheet tab that contains CUI, the banner should appear at the top of the first visible row (row 1 is often the best place if the data starts at row 2 or lower). Add a "Cover" tab as the first tab with the full designation indicator block.

Physical Media and Portable Devices

Label the physical item with the CUI banner. For USB drives, print a label that includes "CUI" and affix it to the drive. For external hard drives, label the case. For optical media, write or print on the disc surface.

Maintain a log of physical CUI media — the asset identifier, what CUI it contains, who has it, and where it's stored. MP.L2-3.8.1 requires protecting CUI media, which implies you know where all of it is.

Printed Documents

Every page gets the banner. If the document was created digitally with proper markings and then printed, the headers and footers carry through. If you're printing without digital markings (e.g., printing from a system that doesn't support templates), stamp or handwrite "CUI" at the top and bottom of each page before distribution.

Printed CUI must be stored in controlled areas, collected from printer output trays immediately, and not left in conference rooms or common areas.

CUI Basic vs. CUI Specified: How to Decide

CUI Basic applies when a law, regulation, or government policy requires protection but doesn't mandate specific handling requirements beyond the NIST 800-171 baseline. Most general defense contractor CUI is CUI Basic.

CUI Specified applies when a specific law or regulation imposes additional handling requirements on top of the baseline. Export-controlled technical data (ITAR/EAR) is the most common example in the defense sector. Privacy Act data is another. Check the CUI Registry category entry — if it notes "Specific handling requirements apply per [law/regulation]," it's Specified.

If you're not certain which category applies: go to archives.gov/cui/registry/category-list and look up the category. Each entry includes the authorizing law, description of what qualifies, and whether it's Basic or Specified. If you're still not certain after reading the registry entry, contact your contracting officer or the originating agency's CUI point of contact.

Common Marking Mistakes

Still using "FOUO." For Official Use Only (FOUO) was replaced by the CUI program under Executive Order 13556 in 2010 and the subsequent 32 CFR Part 2002 implementation in 2017. FOUO is no longer a valid marking under the executive branch CUI program. If you have documents still marked FOUO, they need to be reviewed and either re-marked as CUI (if they contain CUI) or the FOUO marking removed (if they don't). Assessors who find FOUO-marked documents will flag it.

Missing the designation indicator. The banner is the minimum. The designation indicator is also required. Many organizations apply banners and skip the designation block. The indicator is what tells handlers which category's rules to apply and who to contact with questions. Both are required under 32 CFR Part 2002.

Inconsistency between banner and designation indicator. If the banner says CUI//SP-CTI but the designation indicator lists a different category, you have a problem. The two must match. This happens when someone copies a designation indicator block from an old document and doesn't update it.

Marking only the first page. The banner goes on every page. A 50-page engineering report with a banner only on the title page is improperly marked. Use templates with automatic header/footer marking to prevent this permanently.

Over-marking non-CUI. Marking documents as CUI that don't contain CUI expands your assessment scope (more media to protect, more systems potentially in scope) and dilutes your marking program — if everything is marked CUI, your employees stop treating the marking as meaningful. Only mark information that qualifies per your contracts and the CUI Registry.

Forgetting derived documents. If a new document incorporates information from a CUI source, that document is also CUI. The designation follows the information. Engineers who synthesize CUI from multiple sources into a new analysis document need to mark the output document as CUI, referencing the relevant category.

What Your Assessor Expects

For MP.L2-3.8.4, the assessor will pull a sample of CUI documents from your environment (file shares, email archives, physical document storage) and check each one for:

• Banner marking on every page
• Designation indicator on the first page or cover page
• Correct format for the category (Basic vs. Specified)
• Consistency between banner and designation indicator
• Appropriate dissemination controls if required by contract

They'll also ask employees who create CUI to describe how they mark a document. If your employees can't explain the marking process or don't know where to find the CUI templates, that's a finding under both MP.L2-3.8.4 (marking) and AT.L2-3.2.1 (awareness training).

The practical fix: CUI templates for every document type your organization uses. Train every employee who creates CUI to use them. Run a quarterly spot check — pull five CUI documents at random and check for correct markings. Document the spot check results. That quarterly check is itself evidence of ongoing compliance and control monitoring.

---

Reference: CUI Registry at archives.gov/cui. ISOO CUI Notice 2019-01 for designation indicator requirements. 32 CFR Part 2002 for the full regulatory framework.

Got specific questions about CMMC? Our expert is available around the clock — no waiting, no sales pitch.

Got Questions? Ask our CMMC Expert →

Prefer email? Reach us at ix@isegrim-x.com