Last changed: Feb 1st 2023
CUI Marking Guidelines
One request we frequently receive from companies in the Defense Industrial Base (DIB) is for help with CUI marking guidelines: “How do we mark our CUI?”
In this article we hope to help clear up some of the confusion and provide some guidelines to help companies who need to ensure that their CUI is properly marked – especially in the context of CMMC Maturity Levels 3 and up. These levels of CMMC are specifically designed with the protection of CUI data in mind – proper CUI marking of those documents is a prerequisite.
What Does CUI Mean?
The acronym CUI stands for Controlled Unclassified Information. This information is controlled but NOT CLASSIFIED, which is an important point as classified information from the US Government is subject to entirely different protection requirements.
What is CUI?
It is important to understand what falls into the category of Controlled Unclassified Information (CUI). The definition of CUI according to the archives.gov website is as follows:
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
In short, CUI is information that the government has decided requires safeguarding or dissemination controls either through laws, regulations, or government-wide policies.
Examples of CUI
The two most common forms of CUI are Controlled Technical Information (CTI) and information protected by the International Traffic in Arms Regulations (ITAR), most commonly referred to as “ITAR Data”. CTI is most commonly seen in the form of technical drawings, while ITAR information can take many forms. Generally, most organizations are aware of the ITAR data they handle, while more confusion seems to occur around CUI.
This brings us to the first hurdle when marking CUI: identifying CUI in the first place.
Identifying CUI presents its own challenges and falls outside the purview of this article, but the general advice we give to our clients is:
- Ask your Prime if the information is CUI or not. It is your Prime’s responsibility to mark any CUI they are sharing with you.
- Talk to your DoD representative if you are the Prime contractor.
- Talk to your legal counsel if you are unsure.
It is important to note, however, that your organization should not start preemptively marking all information as CUI, as this can cause many issues for your company down the road.
To help your organization in identifying CUI you can find the list of CUI at the CUI Registry located at the following link: https://www.archives.gov/cui/registry/category-list
Each of these categories has the governing regulation or law attached in PDF format, which you can review to see whether it applies to your company and its data.
CUI Marking of Word Documents
According to the DoD CUI training, all CUI must, at a bare minimum, have the acronym “CUI” in the banner and footer. The cover page must also carry an additional section known as the “designation indicator”, which gives further information about the CUI contained within the document. The designation indicator must contain at least the following lines and should be located in the lower right corner of the cover page.
- Controlled By: Name of the DoD component (not required if identified in the Letterhead)
- Controlled By: Identification of the office making the document
- CUI Categories: Categories of CUI listed in the document
- Distribution/Dissemination Control: such as FEDCON or NOFORN
- POC: name and phone number or email of POC
A properly filled out CUI Document should look like the following (as per DoD CUI Identification and Marking training):
The General Services Administration (GSA) provides a CUI marking cover sheet available for download here: https://www.gsa.gov/cdnstatic/SF901-18a.pdf
Here is a real-world example of a properly marked Word document taken from the DoD’s training:
As you can see, there is only one “Controlled by” line in the designation indicator as in this case the letterhead has the DoD component name already. If there is more than one page, the designation indicator block is only required on the first page while the CUI markings in the banner and footer are required for every page. To this end Ecuron suggests a cover sheet for all documents containing CUI as a good policy to ensure that the designation indicator blocks are correctly applied as well as to help make the CUI easy to identify. Easier identification of CUI makes it easier for your company to identify when it isn’t being handled correctly.
This article demonstrates how to apply the proper markings to Word documents. The DoD CUI training also outlines examples for Excel and Emails. In both cases the same principles apply: CUI in banner and footer, designation indicator block on the first page.
For more details see the DoD’s CUI Identification and Marking training.
To mark CUI properly every time, companies must have a CUI Labeling Policy so that all employees who handle CUI know what is expected of them. If your organization would like help in developing a CUI Labeling Policy, Ecuron, as a CMMC Registered Provider Organization™, is positioned to help.
Need Help with CUI Marking or CMMC?
Due to our status as a Cyber AB Registered Practitioner Organization™ (CMMC-RPO), Ecuron can perform pre-assessment services, which include CMMC Gap Analysis, CMMC Implementation Help, and CMMC Pre-Assessment.
We do not conduct the final Certification Assessments.
We offer CMMC Consulting Services to get you CMMC compliant in 4 Steps:
- CMMC Gap Analysis / CMMC Gap Assessment
See where your organization stands and what it takes to achieve compliance
- CMMC Implementation Help
Based on the results of the first phase we will help you to close existing gaps by implementing suitable controls and any missing requirements. This includes developing and writing the extensive documentation required.
- CMMC Pre-Assessment
Think of it as a mock audit. We will verify that everything is in place, mature, and can be proven to an auditor. If we find issues, we will help you fix them. Once we are confident that you are ready for the CMMC Assessment, we will recommend scheduling the actual audit.
- CMMC Assessment Support
We help you prepare for the certification audit and gather and organize evidence for a smooth assessment by the C3PAO. We will be at your side throughout the process.