Skip to Main Content
All Trimarc services are now delivered through TrustedSec! Learn more
August 12, 2025

Dealing With Unmarked and Mismarked CUI

Written by Chris Camejo
CMMC Information Security Compliance

Implementing CMMC and other Controlled Unclassified Information (CUI) protection obligations depends on the accurate identification of CUI, and in some cases also depends on the identification of the CUI categories and limited dissemination controls applicable to each document.

Identification of CUI should be easy, because government agencies are required to mark all CUI before sending it to a contractor, but many contractors do not understand what proper CUI markings look like. This can be further complicated by documents that are mismarked or unnecessarily marked by other contractors. This post will help contractors identify CUI and understand what to do when marking errors are suspected.

Correct CUI Markings

Understanding what a real CUI marking looks like will help identify when documents have been mismarked and prevent confusing other markings with CUI markings.

The National Archives and Records Administration (NARA) is in charge of the government-wide CUI program, including the CUI marking standard. The NARA CUI Marking Guide provides detailed information on the standard markings. At a minimum each document that contains CUI must contain:

  • A banner at the top of each page that says either “CUI” or “CONTROLLED”
  • The name of the agency that designated the information as CUI (agency letterhead is acceptable for this purpose).
Figure 1 - Example Document With NARA Standard CUI Markings

The CUI banner will contain extra information when CUI falls into certain categories that require extra safeguards and/or when the CUI is subject to limited dissemination controls. For example, a document marked with the banner “CUI//SP-AIV/SP-CHRI//FEDCON” contains CUI in both the Accident Investigation (SP-AIV) and Criminal History Records Information (SP-CHRI) categories that can only be disseminated to federal employees and contractors (FEDCON).

Figure 2 - NARA CUI Banner Format

A standardized CUI coversheet can be used to indicate the document is CUI in lieu of the banner marking on each page. The coversheet would contain the applicable CUI category and limited dissemination control markings.

Figure 3 - CUI Coversheet Template

Although this technically violates the NARA CUI marking standard, the DoD has its own CUI marking standard that puts CUI category and limited dissemination control information in a Designation Indicator block on the coversheet or first page rather than in the CUI banner on every page. DoD also exclusively uses the “CUI” banner (rather than “CONTROLLED”) and requires a “CUI” footer, which is optional in the NARA standard.

Figure 4 - Example Document With DoD Standard CUI Markings

Keep in mind, the marking standard applies regardless of the document format and may include slide decks, spreadsheets, technical drawings, emails, etc. All of these documents should have a CUI banner and, if disseminated by DoD, a Designation Indicator if they contain CUI. NARA and DoD CUI marking guides provide guidance on how to mark these types of documents.

Who Marks CUI?

CUI marking is inherently a government function and CUI must be marked before a government agency disseminates CUI to a contractor. This is because CUI is defined as information that the government itself must protect in accordance with specific laws, regulations, and government-wide policies that are listed in the CUI Registry. It is the government’s responsibility to know what information it must protect, not a contractor’s responsibility.

Contractors should only mark documents as CUI under very specific circumstances. These include:

  • When copying CUI from one document to another, in which case the applicable CUI markings must be copied to the new document
  • When a government agency informs a contractor that a certain type of information must be marked as CUI upon creation, in which case the markings specified by the government agency must be applied to documents that contain that information

The government’s CUI markings, as well as any CUI markings properly applied by contractors, should flow through the supply chain unaltered as documents (and the obligation to safeguard them) are passed down to subcontractors.

An agency may request that contractors mark proprietary and other similar information before sending it to the government. This is because the government is required to protect certain contractor information under various laws and regulations, which makes that information CUI once it comes into the government’s possession. The government is asking for this marking as a courtesy so that government personnel are aware of their protection obligations. This does not mean that a contractor must treat its own proprietary information as CUI after it has been sent to the government, or that the contractor must mark their proprietary information as CUI when sending it directly to another contractor.

CUI Marking Errors

Contractors may confuse other types of markings with CUI markings. Only the standard CUI markings indicate the presence of CUI. Legacy and other markings may require other types of protection, but do not automatically mean the information is or will become CUI. Markings commonly confused with CUI markings include:

  • DoD Distribution Statements
  • ITAR and/or EAR Export Controlled markings
  • Legacy markings that predate the CUI program including FOUO, SBU, LES, etc.

Confusion about CUI markings is often also a result of unnecessary or incorrect markings applied by upstream contractors (including very large prime contractors) that don’t understand the CUI program. Common examples include:

  • Applying CUI markings to documents that are not CUI due to misunderstandings about what information meets the definition of CUI and who is responsible for marking it (e.g., marking their own proprietary information as CUI when sharing it with another contractor)
  • Applying inappropriate CUI category markings to documents due to misunderstandings of the CUI categories (e.g., marking all information subject to export controls with CUI Export Controlled category markings)
  • Using things that are not category markings as category markings (e.g., marking CUI with a category of “ITAR” or “Defense”)

Here are some indicators of potentially incorrect CUI markings that should be investigated:

  • CUI banners that contain anything other than either the words “CONTROLLED” or “CUI” potentially followed by CUI category markings, and/or limited dissemination control markings separated by forward slashes, e.g., “CONTROLLED//SP_CATEGORY1/SP_CATEGORY2//DISSEM”
  • CUI category markings that are not in the official list of CUI category markings
  • CUI limited dissemination control markings that are not in the official list of limited dissemination control markings
  • Documents with CUI markings that do not indicate the agency that designated the information as CUI
  • For documents marked using the DoD standard: A designation indicator that indicates it is controlled by anyone outside the DoD
  • For documents marked using the DoD standard: A designation indicator that provides a POC outside the DoD
  • Documents that don’t seem like they should be CUI, e.g., public documents

Addressing Mismarked CUI

Contractors, and especially subcontractors, may encounter a variety of documents that they have questions about including:

  • Documents that carry potentially incorrect CUI markings
  • Documents that carry CUI markings but do not seem like CUI
  • Documents that do not carry CUI markings but seem like they might be CUI

In all of these cases, the correct course of action is for the contractor (or subcontractor) to reach out directly to the government agency’s Contracting Officer for the specific contract the information is being handled under with their questions. Government regulations require each agency to have a process for handling challenges to CUI markings. The contractor should handle the information as if it is CUI until a response is received.

Subcontractors may feel obligated to ask upstream contractors to clarify confusing CUI markings rather than directly contacting the Contracting Officer. This approach is often futile as upstream contractor personnel often do not understand the CUI program themselves and, even if they did, do not have the authority to make these determinations. It is ultimately the government’s responsibility to review the potentially applicable laws, regulations, and government-wide policies to determine if a particular piece of information is correctly or incorrectly marked as CUI.

What’s Next?

Hopefully this information has helped contractors and subcontractors better understand how to identify CUI in their environment and deal with documents that may not be CUI. This will be much more important in the future as a proposal for a government-wide CUI contract clause is working its way through the regulatory process. This proposal includes a requirement that unmarked, mismarked, and unexpected CUI be reported to the government Contracting Officer within eight hours of discovery. A previous post has more information on this proposal and how it will affect contractors that both have and do not have CUI obligations today.

TrustedSec has extensive experience dealing with CUI as a CMMC Registered Practitioner Organization (RPO) and from helping organizations implement the NIST SP 800-171 CUI safeguarding requirements before the CMMC program existed. If your organization requires help understanding and implementing CUI protection requirements, get in touch with us!