CUI Marking of Documents for CMMC

last changes April 3rd 2026

Table of Contents

• What Does CUI Mean?
• What Counts as CUI?
• Who Decides Whether Something Is CUI?
• Identifying CUI
• CUI Marking of Word Documents
• A Note on Technical Drawings and CTI
• Emails, Excel Files, and Other Formats
• Portion Marking
• Conclusion

How to Mark CUI Correctly for DoD Contracts

One request we come across frequently with companies in the Defense Industrial Base (DIB) is for help   with CUI marking guidelines: “How do we mark our CUI?”.

This article is meant to clear up some of the confusion and provide practical, DoD-focused guidance for employees who handle Controlled Unclassified Information (CUI). Correctly identifying and marking CUI matters because DoD contracts, agency guidance, and internal company procedures often require employees to handle CUI in a consistent way. For CMMC purposes, CUI is most directly associated with Level 2 and Level 3.

What Does CUI Mean?

CUI stands for Controlled Unclassified Information. It is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulation, or government-wide policy, but is not classified under Executive Order 13526 or the Atomic Energy Act. That distinction is important: classified information is subject to a very different set of handling and protection requirements.

In short, CUI is unclassified information that the Government has determined still needs to be protected in a standardized way.

What Counts as CUI?

It is important to understand what can fall into the category of Controlled Unclassified Information. The official source for this is the CUI Registry of the National Archives, which lists authorized CUI categories and markings. For defense contractors, one common category is Controlled Technical Information (CTI). Another common area is Export Controlled information, which can include certain items governed by export control authorities such as ITAR.

That said, employees should be careful here: “ITAR data” is not automatically the same thing as CUI in every case, and contractors should not assume that every export-controlled item must be marked as CUI without checking the contract, originator instructions, or company guidance. The official CUI category in the Registry is Export Controlled.

This brings us to the first major hurdle in marking CUI: identifying it correctly in the first place.

Who Decides Whether Something Is CUI?

This is one of the most important points for employees to understand:

Contractors should not make unilateral decisions to designate documents as CUI and start applying CUI markings on their own.

For DoD contracts, the Government or originating activity determines what information is being treated as CUI and what marking requirements apply, and contractors should follow the instructions in the contract and any agency guidance provided with the information. NARA’s CUI FAQ states that agencies are responsible for marking or identifying CUI shared with non-federal entities, questions about marked or unmarked information should go back to the government contracting activity, and contractors should not follow CUI program requirements or markings until directed to do so in a contract or agreement.

So, as a practical rule for employees:

Do not mark a document as CUI unless the contract, the Government originator, or your company’s approved CUI procedure specifically tells you to do so. If you are unsure, stop and ask.

The same caution applies to dissemination controls such as FEDCON or NOFORN. Only the designating agency may apply limited dissemination controls, and authorized holders may apply them only with the approval of the designating agency. Employees should not invent or add these markings on their own.

Identifying CUI

Identifying CUI can be challenging, and in many cases that question has to be answered by the Government originator, contracting activity, or your company’s internal compliance process.

As general guidance, we usually recommend the following:

If you received the information from the Government and are unsure whether it is CUI, ask the originator or the contracting activity. If you are a subcontractor, also check with your prime contractor. If your company is creating information for or on behalf of the Government, follow the contract and your company’s approved guidance on whether that deliverable must be marked as CUI.

It is also important not to go too far in the other direction. Your organization should not start marking everything as CUI “just to be safe.” CUI markings should only be used where the contract, the originator, or the applicable Government guidance tells you they apply.

To help identify possible CUI categories, employees and compliance teams should use the CUI Registry, which lists the official CUI categories and related authorities.

CUI Marking of Word Documents

For a DoD audience, the baseline rule for marking CUI documents is fairly straightforward. DoD marking guidance says the mandatory minimum marking requirements for DoD CUI are CUI banner/footer markings and the CUI Designation Indicator (DI) block. The banner and footer appear on every page, and the DI block appears on the first page or cover sheet. Even if only one page contains CUI, the document is treated as a CUI document for marking purposes.

At a minimum, DoD guidance uses the acronym “CUI” in the banner/footer. The DI block on the first page or cover sheet identifies key information about the document and its handling.

For DoD CUI documents, the DI block generally contains:

• Controlled By: the name of the DoD Component, if not already shown in the letterhead
• Controlled By: the office creating the document
• CUI Category: the category or categories of CUI in the document
• Distribution Statement or Limited Dissemination Control: if applicable
• POC: name and phone number or email address of a point of contact

A properly filled out CUI Document should look like the following (as per DoD CUI Identification and Marking training):

For many organizations, using a cover sheet is a good internal practice because it makes the document easier to recognize and helps ensure the DI block is present. The SF 901 CUI coversheet is a commonly used option, although it is not a substitute for following the actual marking requirements.

Here is a real-world example of a properly marked Word document taken from the DoD’s training:

As you can see, there is only one “Controlled by” line in the designation indicator as in this case the letterhead has the DoD component name already. If there is more than one page, the designation indicator block is only required on the first page while the CUI markings in the banner and footer are required for every page. To this end Ecuron suggests a cover sheet for all documents containing CUI as a good policy to ensure that the designation indicator blocks are correctly applied as well as to help make the CUI easy to identify. Easier identification of CUI makes it easier for your company to identify when it isn’t being handled correctly.

A Note on Technical Drawings and CTI

Because many defense contractors deal with drawings, specifications, and engineering data, it is worth calling out Controlled Technical Information (CTI) specifically. CTI is a recognized CUI category in the CUI Registry, and it is commonly seen in DoD environments. The Registry also notes that CTI is to be marked with one of DoD Distribution Statements B through F in accordance with DoD distribution-statement guidance.

In practice, that means some technical documents may require both proper CUI markings and the appropriate DoD distribution statement. Employees should not guess which one applies; they should follow the markings and instructions provided by the originator, contract, or company procedure.

Emails, Excel Files, and Other Formats

The same basic concepts apply across other formats, but the exact implementation is not always identical to Word documents. DoD guidance provides marking examples for emails, presentations, spreadsheets, and other media. For example, the banner/footer and DI block concept still applies, but the placement differs by format.

For emails, DoD guidance says CUI markings should appear at the top and bottom of the email, and the DI block is typically placed after the sender’s signature block. For presentations, the DI block appears on the first slide and the banner/footer appears on each slide. Spreadsheets use the same overall idea, but the markings have to fit the format.

So while the principles are consistent, employees should follow the company’s approved CUI marking procedure for the specific format they are using rather than assuming every format is handled exactly like a Word document.

Portion Marking

Portion marking is something we wish would be done more often. Under the CUI program, portion marking is optional in a fully unclassified document, although it may be required by agency policy or by contract. Portion marking means that only those sections of an unclassified document that contain CUI are specifically marked as such.

For many companies, portion marking can be very helpful because it makes it easier to distinguish CUI from non-CUI within a document. This can be especially valuable when a subcontractor needs only one section of a larger document. If the document is not portion marked and is treated as CUI as a whole, then even providing only that one section may still trigger a CMMC Level 2 flowdown. If portion markings had been applied and that section were clearly identified as non-CUI, the contractor may be able to provide only that section without also having to flow down Level 2 requirements.

Conclusion

For employees of defense contractors, the most important takeaway is this: do not guess.

Do not decide on your own that something is CUI. Do not invent CUI categories. Do not add dissemination controls such as NOFORN or FEDCON unless they were provided or approved by the Government. If the status of the information is unclear, ask the originator, contracting activity, your prime contractor, or your company’s internal security/compliance point of contact.

For DoD CUI documents, the baseline marking approach is to use CUI banner/footer markings and a Designation Indicator block, then follow any category, distribution statement, or dissemination-control instructions that came with the document or contract. Getting this right is not just a paperwork issue — it is a key part of handling CUI correctly and consistently across your organization.

For more details see the DoD’s CUI Identification and Marking training.

Need Help with CUI Marking or CMMC?

If you would like to speak to our team to discuss your CMMC requirements and schedule a complimentary 15-30 min consultation, email us at cmmc@ecuron.com or give us a call.

For a general overview of the CMMC certification process and rough time estimates see this flowchart.

Due to our status as a Cyber AB Registered Practitioner Organization™ (CMMC-RPO), Ecuron can perform pre-assessment services which include CMMC Gap Analysis, CMMC Implementation Help, CMMC Pre-Assessment.
We do not conduct the final Certification Assessments.

We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:

1. CMMC Gap Analysis / CMMC Gap Assessment
   See where your organization stands and what it takes to achieve compliance
2. CMMC Implementation Help
   Based on the results of the first phase we will help you to close existing gaps by implementing suitable controls  and any missing requirements. This includes developing and writing the extensive documentation required.
3. CMMC Pre-Assessment
   Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues we will help you fix them. Once we are confident that you are ready for the CMMC Assessment we will recommend to schedule the actual audit.
4. CMMC Assessment Support
   We help you prepare for the certification audit, gather & organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.