Who Marks CUI and How It Works

Discover the key roles responsible for applying CUI markings and ensuring compliance in your organization.


Marking CUI isn't just a formatting exercise — it involves legal authority. Not everyone can designate information as CUI. Not everyone has to. And contractors have different authorities than government agencies. Getting this right matters because over-designation creates unnecessary compliance burden, and failure to mark CUI you're required to mark creates a gap your assessor will find.

The Authority Structure

The CUI program operates under Executive Order 13556 (2010) and 32 CFR Part 2002 (2017 implementation). These establish a hierarchy of authority:

The National Archives and Records Administration (NARA) serves as the executive agent for the CUI program. NARA's Information Security Oversight Office (ISOO) issues implementing guidance, maintains the CUI Registry, and provides oversight of how agencies manage CUI.

Federal agencies are "Authorized Holders" who can designate information as CUI. The Department of Defense is the primary agency generating CUI for defense contractors, but agencies like DoE, NASA, DoS, and others may generate CUI that flows to contractors on cross-agency programs.

Contractors are Authorized Holders once they receive CUI, but their authority is derivative — you can mark and handle CUI under the authority granted by the originating agency, but you cannot independently create new CUI categories or change the designation level of CUI you receive.

Two Types of Marking Situations for Contractors

Type 1: You Receive Already-Marked CUI

When the government or a prime contractor sends you CUI that's already properly marked, your obligation is to:

  1. Handle it according to the markings it carries
  2. Apply those same markings to any copies you make
  3. Apply those same markings to physical printouts

You don't re-designate it. You don't choose a different category. You don't upgrade or downgrade the marking. The originating agency's designation is authoritative — you apply it consistently.

When you redistribute received CUI: If you forward government-marked CUI to a subcontractor, you forward the markings with it. You cannot strip markings from CUI before passing it to a sub (that would be improperly handling CUI). You can add your own point of contact information to the designation indicator block, but the core designation stays as received.

Type 2: You Create New CUI Under a Government Contract

This is where contractors have marking authority — and where it gets more complex.

When you create information under a government contract, you may be creating CUI. Two situations:

The contract specifies it: Your contract tells you that certain deliverables or information types are CUI — for example, "all technical data with military application produced under this contract is Controlled Technical Information." In this case, you mark the information as CUI//SP-CTI when you create it, per the contract's direction. Your authority to mark derives from the contract, which in turn derives from the contracting agency's designation authority.

The CUI Registry determines it: Some information qualifies as CUI regardless of whether the contract explicitly says so. If you produce information that meets the definition of a CUI category in the CUI Registry, you're required to mark it — your contract isn't the only trigger. For example, if you create a document with specific engineering characteristics that meet the DoD definition of Controlled Technical Information under NIST SP 800-171, that document is CUI whether or not your contract mentioned it.

The decision point for contractors: Before creating a new CUI document, ask:

  1. Does my contract specify this type of information is CUI? → Mark per the contract
  2. Does this information meet a CUI Registry category definition? → Mark accordingly
  3. Neither? → Don't mark it as CUI. Non-CUI documents marked as CUI expand your compliance scope unnecessarily.

When you're genuinely uncertain, consult your contracting officer before applying a CUI designation to a large set of documents. The CO has designating authority and can clarify.

Who in Your Organization Marks CUI

Not everyone in your organization needs marking authority. You need three defined roles:

CUI Program Official (or CUI Coordinator)

One person (or a small team in large organizations) owns the CUI program. This person:

  • Maintains awareness of what CUI categories your contracts involve
  • Ensures marking procedures are current and communicated
  • Is the point of contact when employees have questions about whether something is CUI
  • Serves as the internal liaison to the contracting officer on CUI designation questions
  • Reviews and approves new document templates

This doesn't need to be a dedicated role. In most small defense contractors, this is the ISSO (Information System Security Officer) or the contracts/compliance manager. The key is that someone owns it and people know who that is.

CUI Creators (Employees Who Generate CUI)

Any employee who creates documents, emails, or other materials that may contain CUI needs:

  • Training on what CUI is (specifically, which categories apply to their contract work)
  • Ability to use the CUI templates and apply correct markings
  • Knowledge of when to escalate (when they're unsure if something is CUI)

This is the majority of the marking work. Your CUI creators are your engineers, program managers, contracts specialists, and technical writers — anyone who produces deliverables or working documents under CUI-bearing contracts.

Reviewers and Approvers

For high-sensitivity documents (prime deliverables to the government, documents that will be shared with subcontractors), a second set of eyes on the CUI designation and markings is a reasonable practice. This doesn't have to be a formal approval gate for every internal working document, but for external-facing CUI documents, a designated reviewer confirms the markings are correct before release.

Derivative Marking: When You Use CUI to Create New CUI

Derivative marking applies when you create a new document by incorporating, paraphrasing, or drawing information from an existing CUI source. The new document inherits the CUI designation.

How to mark a derivative document:

The designation indicator block should reference the source document:

```
Controlled by: Department of Defense
CUI Category: Controlled Technical Information (CTI)
Distribution: FEDCON
Derived from: [Source document identifier, date]
POC: [Your organization's CUI POC contact]
```

The category used should be the highest applicable category from among the sources. If you're creating a synthesis document that draws from a CTI source and an export-controlled source, the derivative document carries both designations: CUI//SP-CTI/SP-EXPT.

Portion marking: In some contexts (particularly documents that contain both CUI and non-CUI information), portion marking — applying category indicators at the section or paragraph level — helps handlers understand which portions require protection. This is common in classified environments but less frequently required for CUI. If your contract requires portion marking, it will say so.

What Contractors Cannot Do

Contractors cannot independently create new CUI categories. The CUI Registry is controlled by NARA. Contractors cannot designate information as CUI under a category that doesn't exist in the Registry. If you find yourself inventing a new CUI type because the existing categories don't quite fit, stop and consult your contracting officer. You may be marking something that isn't actually CUI, or there may be an existing category you haven't identified.

Contractors cannot downgrade or remove CUI designations. If you receive information marked as CUI, you cannot decide it doesn't need to be CUI and remove the markings. Only the originating agency has the authority to change or remove the designation. If you believe CUI you received has been incorrectly designated, contact the originating agency's CUI POC.

Contractors cannot create CUI from publicly available information. Information that is publicly released and publicly available is not CUI, even if it describes controlled technical subjects. The CUI designation applies to information that requires protection because of its sensitivity — not because of its subject matter. A CUI designation cannot be applied to a public paper just because the topic is export-controlled.

Common Marking Authority Mistakes

No defined CUI coordinator. When there's no designated owner, employees guess. Some over-mark, some under-mark, and there's no consistent standard. Define the role and communicate it.

Employees marking documents based on subject matter alone. Subject matter is not sufficient to determine CUI status. An engineer writing about propulsion technology is not automatically creating CTI. The information must meet the specific definition in the CUI Registry category for that contract. Train employees to check the definition, not just the topic area.

Applying CUI markings to documents from other companies without reviewing them. If a subcontractor sends you a document that isn't marked as CUI, don't assume it isn't. Review it against your contract's CUI categories. But also don't automatically apply CUI markings to unmarked documents from outside your organization — contact the source and ask them to apply the correct markings.

What Your Assessor Expects

For MP.L2-3.8.4, the assessor evaluates both the markings themselves and whether you have a process that reliably produces correct markings. They'll ask:

  • "Who in your organization has authority to designate CUI?"
  • "How do employees know which category of CUI applies to their work?"
  • "What happens when an employee isn't sure whether something is CUI?"
  • "How do you handle CUI received from the government that wasn't marked?"

The assessor is checking whether your CUI marking program is a managed process with defined roles and clear procedures, or whether each employee is free-styling their own approach. A mature marking program has a CUI coordinator, defined categories per contract, templates, and a documented escalation path for uncertain cases.

The documentation they'll want to see: a CUI procedure that defines who marks what and how, training records showing employees received marking training, and a sample set of properly marked documents. The combination of all three demonstrates the program works end to end — not just that your templates are formatted correctly.

---

Reference: EO 13556, 32 CFR Part 2002, ISOO CUI Notice 2019-01. CUI Registry at archives.gov/cui. CDSE CUI awareness training at cdse.edu includes marking-specific modules.


