These are two of the most-searched CUI questions, and they are often answered as if they were the same. They are not. One is about who decides and labels. The other is about who has to keep it safe. Getting the distinction right tells you exactly what your company is on the hook for.
Who is responsible for applying CUI markings
Responsibility for CUI markings starts with the designating agency: the government office that decides information qualifies as CUI. That office owns the decision and the category. It is the only party that can create the designation in the first place.
From there, the authorized holder applies the actual markings. When a contractor creates a document containing CUI while performing a contract, the contractor marks it according to the government's guidance: a banner marking at the top of each page, the CUI category, and the designating office.

| Role | Responsibility for markings |
|---|---|
| Designating agency | Decides information is CUI, sets the category, provides marking guidance |
| Authorized holder (incl. contractor) | Applies the required markings to CUI it creates or handles, per the designation |
| Contractor employees | Follow the company's process to mark CUI correctly and consistently |

Who is responsible for protecting CUI
Protection is broader. Every authorized holder is responsible for safeguarding the CUI in their possession. This is not delegated to a single office. The moment CUI is in your hands, you are responsible for keeping it safe and for controlling who you share it with.
For a defense contractor, that responsibility is concrete: the CUI on your laptops, your servers, your cloud accounts, and in your email is yours to protect. You cannot push that duty onto the prime that sent it or the agency that designated it. Holding it means protecting it.

- Safeguard CUI you store, process, or transmit.
- Share it only with others who have lawful access and a need to know.
- Report any loss or unauthorized disclosure as your contract requires.
- Destroy it correctly when it is no longer needed.

What this means for your company
Put the two answers together and the picture is clear. The government decides what is CUI and how it is labeled. Your company applies those labels to what it creates, and your company is fully responsible for protecting every piece of CUI it touches.
That protection responsibility is not a paperwork exercise. It is the reason the Department of Defense built a verification program instead of trusting self-assurances.
Where CMMC Level 2 comes in
CMMC Level 2 is how the DoD verifies you can actually protect CUI. It consists of the 110 requirements of NIST SP 800-171, and it exists precisely because protecting CUI is the holder's responsibility. If your contracts hand you CUI, or cite DFARS 252.204-7012, meeting Level 2 is how you prove you are holding up your end.
Frequently asked questions
Who is responsible for applying CUI markings?
The government office that designates the information as CUI is responsible for its markings. In practice, the authorized holder who creates or possesses the CUI applies the markings according to that designation: a banner marking at the top of each page, the CUI category, and the designating office. A contractor marks CUI it generates under a contract using the guidance the government provides, often in a contract clause or DD Form 254.
Who is responsible for protecting CUI?
Every authorized holder is responsible for protecting CUI in their possession. That includes federal employees and contractors alike. Once CUI is in your hands, you are responsible for safeguarding it and controlling how it is shared, regardless of who originally designated it. For a defense contractor, protecting CUI on your own systems is exactly what CMMC Level 2 verifies.
What is an authorized holder of CUI?
An authorized holder is any individual or organization that has lawful access to CUI and a legitimate need for it. Authorized holders are responsible for safeguarding the CUI they hold, applying required markings to CUI they create, and disseminating it only to others with lawful access and a need to know.
Can a contractor designate information as CUI?
No. Only the government can designate information as CUI. A contractor cannot create a new CUI designation on its own. What a contractor does is mark and protect CUI according to the government's designation, and apply the correct markings to CUI it generates while performing the contract.
Who is responsible if CUI is mishandled?
The authorized holder who mishandled it. If a contractor fails to protect CUI it was entrusted with, the contractor bears responsibility, which is why CMMC Level 2 exists: it verifies that a contractor can actually protect CUI before the government relies on it to do so. Mishandling can carry contractual and, in serious cases, legal consequences.