Companies in the Defense Industrial Base (DIB) frequently send requests for assistance with CUI marking. In this article, we hope to provide clarity and some guidelines to help companies that need to ensure their CUI is properly marked, especially in the context of CMMC Maturity Levels 3 and up. Proper CUI marking of documents is a must, and these levels of CMMC are specifically designed with the protection of CUI data in mind.
CUI stands for Controlled Unclassified Information. This information is controlled but NOT CLASSIFIED, which is an important point as classified information from the US Government is subject to entirely different protection requirements.
Understanding what falls into the category of Controlled Unclassified Information (CUI) is essential. According to the archives.gov website, CUI is defined as:
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
In short, CUI is information that the US government has decided to require safeguarding or dissemination controls either through laws, regulations, or government-wide policies.
The two most common types of CUI are Controlled Technical Information (CTI) and information that is protected by the International Traffic in Arms Regulations (ITAR), which is usually referred to as “ITAR Data.” CTI is most commonly seen in the form of technical drawings, while ITAR information can take many forms. Generally, most organizations are aware of the ITAR data they handle, while there is usually more confusion with CUI. This is the first challenge in marking CUI — identifying CUI in the first place.
Identifying CUI has its hurdles and falls outside the scope of this article, but the general recommendations we give to our clients are:
It is important to note, however, that your organization should not preemptively mark all information as CUI, as this may cause many issues for your company in the long run.
To help your organization identify CUI, you can find the list of CUI categories at the CUI Registry. Each of these categories has a regulation or law, attached in PDF format, that can be perused to see if it applies to your company and its data.
According to the DoD CUI training, all CUI must, at the bare minimum, have the acronym “CUI” in the banner and footer. On the cover page for the CUI, there must also be an additional section known as the “designation indicator,” which has some additional information regarding the CUI contained within the document. This designation indicator must contain, at a minimum, the following lines and should be located in the lower right corner of the cover page.
A properly filled out CUI Document should look like the following (as per DoD CUI Identification and Marking training):
The General Services Administration (GSA) provides a CUI marking cover sheet available for download here. Here is a real-world example of a properly marked Word document taken from the DoD’s training:
As you can see, there is only one “Controlled by” line in the designation indicator because the letterhead already includes the DoD component name. If there is more than one page, the designation indicator block is only required on the first page, while the CUI markings in the banner and footer are required on every page. We suggest a cover sheet for all documents containing CUI as a good policy, both to ensure that the designation indicator blocks are correctly applied and to make the CUI easy to identify. Easy identification of CUI makes it faster for your company to identify when it isn’t being handled correctly.
This article demonstrates how to apply the proper markings to Word documents. The DoD CUI training also outlines examples for Excel documents and emails. In both cases, the same principles apply: CUI in banner and footer, designation indicator block on the first page.
For more details, see the DoD’s CUI Identification and Marking training.
To ensure that CUI is marked properly every time, your company must have a CUI Labeling Policy so that all employees who handle CUI know what is expected of them.