NIST 800-171 and Cybersecurity Maturity Model Certification require Department of Defense (DoD) contractors to “Mark media with necessary CUI markings and distribution limitations”. A basic tenet of information security is to visually identify Controlled Unclassified Information (CUI) information that requires special protections so authorized users know what special handling controls must be applied. 32 CFR, Part 2002, a regulation that applies to both executive branch agencies and defense contractors, requires Controlled Unclassified Information markings to help ensure the data is secure. In this article we will walk you through the process of identifying CUI information and how to mark CUI on physical and electronic media.
Note: we updated this post in March 2022 to cover the new DoD CUI marking requirements.
What is CUI?
Before we dig into how to mark Controlled Unclassified Information, we should discuss how we got here. CUI is any unclassified information that by law, regulation, or government-wide policy, requires safeguarding or dissemination controls. In 2010, President Obama issued Executive Order 13556 – Controlled Unclassified Information to standardize how CUI is handled by executive branch agencies. The executive order also designated the National Archives and Record Administration (NARA) as the Executive Agent (EA) responsible for implementing the CUI program.
DoD's Implementation of the CUI Program
In its role as the CUI Program Executive Agent, NARA has issued a significant amount of guidance on how to handle (i.e. mark, copy, transport, disseminate, reuse, and destroy) CUI.
“Agency personnel and contractors should first consult their agency’s CUI implementing policies and program management for guidance.”
For DoD contractors, this leads us to two important points. First: the DoD has implemented NARA’s CUI policy through DoD Instruction (DoDI) 5200.48, published in March 2020. This document provides some instruction for marking DoD-related CUI. In conjunction with this instruction is the DoD’s CUI knowledge base website: https://www.dodcui.mil/. The DoD CUI website in fact publishes a CUI marking aid that we will expound upon below.
The second point to keep in mind, is that when CUI is provided to or generated by DoD contractors, DoDI 5200.48 instructs the DoD to identify the controls and protective measures for CUI in the pertinent contract documents, such as contract clauses, statements of work, DD Form 254, Security Classification Guide (SCG), and Cybersecurity Classification Guide.
Determine the CUI Category
The originator of media that contains CUI is responsible for determining at origination whether the information may qualify for CUI status and to apply the appropriate security markings. Although the NARA CUI Registry is the authoritative source for information about CUI, you should consult relevant contract documents, the Prime contractor, or government program management office for your initial guidance on how to identify and mark media with necessary CUI markings and distribution limitations.
We should emphasize again, that the determination of whether information is deemed CUI is a function of laws, policies, and regulations associated with how information is produced or used. For example, if Company X produces a “Commercial Off the Shelf (COTS)” widget, the engineering drawings, research data, and process sheets are not CUI. But if Company X produces the same widget for the DoD only, those same engineering drawings, research data, and process sheets are CUI and must be marked as such.
CUI Organizational Index Groupings
CUI is broken into 20 broad “Organizational Index Groupings” which are further divided into 124 categories. The CUI Registry provides additional details for each category, to include Category Descriptions, Safeguarding and/or Dissemination Authorities, sanctions for violating handling controls, and if the CUI is “Specified” or “Basic”.
If the laws, policies, and regulations that designate CUI include specific handling controls, dissemination controls, or sanctions for not protecting CUI, the information is referred to as “CUI Specified”. “CUI Basic” is the subset of CUI for which the authorizing law, regulation, or Government-wide policy is not called for. CUI Specified means that a law, policy, or regulation stipulates more than a general requirement to “protect” the information and is not a “higher level” of CUI.
For example, the Organizational Grouping “Defense” is divided into four categories –
- Controlled Technical Information
- DoD Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Unclassified Controlled Nuclear Information – Defense
Controlled Technical Information (CTI) is CUI Specified because 48 CFR 252.204-7012 defines CTI and requires defense contractors to implement NIST 800-171. However, DoD Critical Infrastructure Security Information is CUI Basic because the Safeguarding/Dissemination Authority, 10 USC 130e, does not provide any instruction on how the information is to be protected. In fact, 10 USC 130e only authorizes the Secretary of Defense to designate information as critical infrastructure information. To know if information is considered DoD Critical Infrastructure Security Information, you would have to reference the Secretary of Defense’s written determination that designates the information as CUI.
In the two examples we provided, each Category was based on only one Safeguarding/Dissemination Authority. Some Categories have more 15 different authorities you may have to comb through to know if you are dealing with CUI and what protections are required. Fortunately, most defense contractors will likely deal with a limited number of categories of information based on their particular contract or industry. After some initial research you will likely become familiar with the CUI Categories you handle on a regular basis.
Identifying CUI in your environment is the very first step to take on a DFARS / NIST / CMMC journey. We cover CUI identification in depth in session 2 of our DFARS / CMMC Workshop. See also our blog on CUI Identification, which includes a free download for a CUI Identification tool. This same tool is available from our Free Tools page.
How to Mark CUI in Documents
CUI can be found on just about any form of media, to include paper documents, solid state storage devices, optical discs, magnetic disks, and magnetic tapes. The various forms of media have slightly different security marking requirements, but the same basic principle applies to all of them – Clearly identify the media as CUI and who designated it as CUI.
Paper documents must be marked with a Banner Marking and a CUI Designation Indicator. Agencies may choose to use Portion Markings (e.g. marking each paragraph’s Classification like we do in Classified environments) but they are not required by NARA. The DoD does require portion markings, and like the Banner Marking and Designation Indicator, all DoD CUI marking is discussed in the DoD CUI knowledge base desktop marking aid.
1. Banner Marking is simple: "CUI".
When you create a document that contains DoD CUI, the header and footer of that document must include “CUI”, as in the example document pictured below. It’s that simple. This is true for Microsoft Word, PowerPoint, and Excel, and Adobe PDF formats.
Engineering and other technical drawings will need to be marked “CUI” in the drawing information block.
NOTE: other Federal agencies may require more stringent banner markings than the DoD. The official NARA marking list is here, but DoD marking policies take precedence for DoD CUI.
2. CUI Designation Indicator. All documents containing CUI must indicate the designator's agency.
A CUI Designation Indicator is required by the DoD and can be accomplished through the use of a letterhead, a block of designation elements on the first page of a document, or a signature block that includes the agency. In the image above, the Designation Indicator is shown in the blue bracketed section, and contains the following lines:
- the name of the DoD Component (not required if identified in the letterhead)
- identification of the office creating the document
- identification of the CUI categories contained in the document, e.g. “CTI”, “UCNI”
- applicable distribution statement or limited dissemination control (LDC)
- name and phone number or email of DoD point of contact (POC)
The DoD requires that any document that contains Controlled Technical Information (CTI), export-controlled information, or other scientific, technical, or engineering information be marked with a Distribution Statement in addition to the Designation Indicator. There are five Distribution Statements, b through f:
- Distribution Statement B: Distribution authorized to U.S. Government agencies only [fill in reason and date of determination]. Other requests for this document shall be referred to [insert controlling DoD office].
- Distribution Statement C: Distribution authorized to U.S. Government agencies and their contractors
[fill in reason and date of determination]. Other requests for this document shall be referred to [insert controlling DoD office].
- Distribution Statement D: Distribution authorized to Department of Defense and U.S. DoD contractors only [insert reason and date of determination]. Other requests for this document shall be referred to [insert controlling DoD office].
- Distribution Statement E: Distribution authorized to DoD Components only [fill in reason and date of determination]. Other requests shall be referred to [insert controlling DoD office].
- Distribution Statement F: Further dissemination only as directed by [insert controlling DoD office and date of determination] or higher DoD authority
Export controlled information must also be marked with the following export control warning as directed in DoDI 5230.24, DoDD 5230.25, and Part 250 of Title 32, CFR:
Finally, the Designation Indicator may be used to indicate Limited Dissemination Controls, such as “NOFORN”. NOFORN indicates that information may not be disseminated in any form to to foreign governments, nationals, organizations or non-U.S citizens.
It is up to the DoD Program Management and contracts team to determine what Distribution Statement and/or Limited Distribution Statement is applied to any given document. So if you handle technical or export controlled information for the DoD, you’ll need to ask your customer what Distribution Statement and/or Limited Distribution Statements to apply.
3. Portion marking. Agencies may choose to require documents to include portion markings.
Portion markings are placed at the beginning of section to which they apply, such as at the start of a paragraph. Portion markings provide granularity to identify what specific information belongs to specific CUI Categories or has specific Limited Dissemination Controls. For example, the NOFORN Limited Distribution Statement may apply to only one piece of information in the entire document and the use of portion markings would clearly identify what specific information cannot be released to non-U.S. citizens.
See the DoD CUI marking aid for detailed instructions on portion marking.
How to Mark CUI in Emails
There are only a few differences between the rules for marking printed documents and emails. A Banner Marking will be placed at the top and bottom of the email body and the email must carry a CUI Designation Indicator, as shown in the example below. If you forward an email that contains CUI, you must include all the original CUI markings.
NARA also recommends that senders terminate the Subject Line with the phrase “[Contains CUI]”. If the email includes an attachment that contains CUI, NARA also recommends that the file name indicate the presence of CUI, such as “FileName[CONTAINS CUI].docx”.
Be careful with sending CUI via email, however; strict encryption and multifactor authentication requirements come into play for the transmission of CUI. If you have questions about sending CUI via email, reach out to us.
How to Mark CUI on Electronic Storage Media
Due to size restrictions and access difficulties, it can be a bit more challenging to apply security markings to electronic storage media such as DVDs, thumb drives, and hard drives. At a minimum, storage media will include a CUI Control Marking and a CUI Designation Indicator.
CUI Marking on Computers
If you are unable to access internal computer storage media, you must mark the outside of the computer. If you are using government-owned equipment, you can use an SF 902 or SF 903 to mark equipment. The SF 902 and 903 are nearly identical except the SF903 is narrow enough to on a thumb drive. If you are not marking government-owned equipment or if you do not have access to the SF 902 or SF 903, the security markings can be applied with a permanent marker.
You will likely have to invest some additional time to learn how to properly mark media with the necessary CUI markings and distribution limitations. This article provided a general overview of common situations in which security markings must be applied to media that contain CUI, and what markings are required. However, you may also run into situations which we didn’t discuss in this blog, for instance:
- The media contain multiple CUI categories.
- The CUI is mixed with classified information (CONFIDENTIAL, SECRET, or TOP SECRET).
- You handle different forms of media.
- You must ship media that contain CUI.