CUI Marking
Also known as: CUI banner marking, CUI designation indicator
A CUI marking is the standardized label, at minimum the banner CUI or CONTROLLED at the top of each page, that identifies a document as Controlled Unclassified Information. The authorized holder who creates the document is responsible for applying CUI markings and dissemination instructions at the time of creation.
In more detail
The banner line can carry three parts: the control marking (CUI or CONTROLLED), category markings (for example CUI//SP-CTI), and limited dissemination controls. A designation indicator block identifies the designating agency.
Responsibility follows the creator, not the recipient: whoever originates CUI marks it. Recipients must protect marked CUI and preserve markings on any copies or derivatives, but they do not invent markings for unmarked information; if something arrives that seems sensitive but unmarked, the move is to ask the sender, not to mark it yourself.
Marking is also the bright line in the regulation: if a document carries no CUI banner, it is not CUI in the regulatory sense. For contractors this is the fastest scoping check available, unmarked ordinary contract information is FCI, which is CMMC Level 1 territory.
Related terms
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections, and at the contractual level, CMMC Level 2.
- CUI Basic
CUI Basic is the subset of Controlled Unclassified Information whose underlying law, regulation, or government-wide policy requires protection but does not prescribe specific handling controls. It is safeguarded at the uniform baseline set by 32 CFR Part 2002, which for contractors maps to the NIST SP 800-171 requirements.
- CUI Specified
CUI Specified is the subset of Controlled Unclassified Information whose underlying law, regulation, or government-wide policy prescribes its own specific safeguarding or dissemination controls, which apply in addition to or instead of the CUI Basic baseline. Export-controlled technical data under ITAR is a common example.
- Federal Contract Information
Federal Contract Information (FCI) is non-public information provided by or generated for the federal government under a contract to develop or deliver a product or service. It is the information type protected under FAR 52.204-21 and is the trigger for CMMC Level 1.
- DoD Distribution Statement
DoD Distribution Statements (A through F) are markings the Department of Defense applies to technical documents to indicate who may receive them and under what conditions. Statements B through F generally indicate Controlled Technical Information and trigger CUI handling requirements.