Who Is Responsible for Marking and Protecting CUI? (2026)

Who is responsible for applying CUI markings and for protecting CUI, answered plainly: the designating agency, the authorized holder, and what that means for a defense contractor under CMMC Level 2.

By David Fuentes · Compliance Officer, Custodia · July 5, 2026 · 7 min read

These are two of the most-searched CUI questions, and they are often answered as if they were the same. They are not. One is about who decides and labels. The other is about who has to keep it safe. Getting the distinction right tells you exactly what your company is on the hook for.

Who is responsible for applying CUI markings

Responsibility for CUI markings starts with the designating agency: the government office that decides information qualifies as CUI. That office owns the decision and the category. It is the only party that can create the designation in the first place.

From there, the authorized holder applies the actual markings. When a contractor creates a document containing CUI while performing a contract, the contractor marks it according to the government's guidance: a banner marking at the top of each page, the CUI category, and the designating office.

Role | Responsibility for markings
Designating agency | Decides information is CUI, sets the category, provides marking guidance
Authorized holder (incl. contractor) | Applies the required markings to CUI it creates or handles, per the designation
Contractor employees | Follow the company's process to mark CUI correctly and consistently

Who is responsible for protecting CUI

Protection is broader. Every authorized holder is responsible for safeguarding the CUI in their possession. This is not delegated to a single office. The moment CUI is in your hands, you are responsible for keeping it safe and for controlling who you share it with.

For a defense contractor, that responsibility is concrete: the CUI on your laptops, your servers, your cloud accounts, and in your email is yours to protect. You cannot push that duty onto the prime that sent it or the agency that designated it. Holding it means protecting it.

  • Safeguard CUI you store, process, or transmit.
  • Share it only with others who have lawful access and a need to know.
  • Report any loss or unauthorized disclosure as your contract requires.
  • Destroy it correctly when it is no longer needed.

What this means for your company

Put the two answers together and the picture is clear. The government decides what is CUI and how it is labeled. Your company applies those labels to what it creates, and your company is fully responsible for protecting every piece of CUI it touches.

That protection responsibility is not a paperwork exercise. It is the reason the Department of Defense built a verification program instead of trusting self-assurances.

Where CMMC Level 2 comes in

CMMC Level 2 is how the DoD verifies you can actually protect CUI. It is the 110 requirements of NIST SP 800-171, and it exists precisely because protecting CUI is the holder's responsibility. If your contracts hand you CUI, or cite DFARS 252.204-7012, meeting Level 2 is how you prove you are holding up your end.

Frequently asked questions

Who is responsible for applying CUI markings?

The government office that designates the information as CUI is responsible for its markings. In practice, the authorized holder who creates or possesses the CUI applies the markings according to that designation: a banner marking at the top of each page, the CUI category, and the designating office. A contractor marks CUI it generates under a contract using the guidance the government provides, often in a contract clause or DD Form 254.

Who is responsible for protecting CUI?

Every authorized holder is responsible for protecting CUI in their possession. That includes federal employees and contractors alike. Once CUI is in your hands, you are responsible for safeguarding it and controlling how it is shared, regardless of who originally designated it. For a defense contractor, protecting CUI on your own systems is exactly what CMMC Level 2 verifies.

What is an authorized holder of CUI?

An authorized holder is any individual or organization that has lawful access to CUI and a legitimate need for it. Authorized holders are responsible for safeguarding the CUI they hold, applying required markings to CUI they create, and disseminating it only to others with lawful access and a need to know.

Can a contractor designate information as CUI?

No. Only the government can designate information as CUI. A contractor cannot create a new CUI designation on its own. What a contractor does is mark and protect CUI according to the government's designation, and apply the correct markings to CUI it generates while performing the contract.

Who is responsible if CUI is mishandled?

The authorized holder who mishandled it. If a contractor fails to protect CUI it was entrusted with, the contractor bears responsibility, which is why CMMC Level 2 exists: it verifies that a contractor can actually protect CUI before the government relies on it to do so. Mishandling can carry contractual and, in serious cases, legal consequences.
