Short answer: Controlled Unclassified Information must carry a banner marking at the top of every page, portion markings on paragraphs that contain CUI, and a designation indicator block on the first page identifying the source and category. The minimum banner is the word "CUI" — but most DoD-related CUI also carries a category (e.g. CUI//SP-PROCURE) and dissemination control (e.g. CUI//SP-PRVCY/FED ONLY). Get the markings wrong and you have mishandled CUI, regardless of how secure the storage was.
What CUI marking actually means
Marking is how you signal to a downstream handler that the content is CUI, which category, and which dissemination controls apply. The rules come from 32 CFR Part 2002 and the NARA CUI Registry. Marking is not security — it's labeling — but DFARS 252.204-7012 requires you to handle CUI per the markings on it.
The banner line
The banner line goes centered at the top of every page. Minimum form:
With category and dissemination:
Read the slashes carefully: // separates the CUI marker from the category; a single / separates category from dissemination control.
Portion marks
On documents with mixed CUI and non-CUI content, every paragraph, image, and bullet must carry a leading portion mark in parentheses: (CUI) for CUI content,(U) for unclassified content. Skipping portion marks forces the entire document to be treated as CUI by default.
Designation indicator
The first page must include a block identifying:
- Who designated the document as CUI (name + organization)
- The controlling authority (usually the contract or grant number)
- Distribution / dissemination controls
- POC for questions about the marking
Email and file rules
- Email: banner marking goes in the subject line prefix and at the top of the body. Encrypt in transit (S/MIME or transport-level via GCC High / Gov SMTP).
- File names: include the marking in the filename when feasible (e.g.
CUI_acme-drawing-rev3.pdf) so it survives copy/move operations. - Removable media: physical label on the device with banner marking.
- Printed copies: banner top AND bottom of each page; secure cover sheet (DD Form 2923 or equivalent) when transported.
Frequently asked questions
- Is FOUO the same as CUI?
- No. FOUO was the legacy DoD marker and was phased out. Documents still circulating with FOUO markings should be re-marked as CUI per current rules, but DoD treats legacy FOUO as CUI by default for handling purposes.
- Do I mark documents I create from CUI inputs?
- Yes. Any derivative document (analysis, drawing revision, quote) that incorporates CUI inherits CUI status and must be marked accordingly.
- What if the prime sent me CUI without proper markings?
- Treat it as CUI, apply the markings you believe correct, and ask the prime's security POC to confirm in writing. Document the exchange.
- Does email subject-line marking leak the contract?
- The CUI banner does not reveal contract content. If the contract number itself is sensitive, use a generic identifier in the subject and put the full citation inside the encrypted body.
- DFARS 252.204-7012: A Plain-English Guide for Small ContractorsDFARS · 9 min read
- Responding to a Prime's CMMC Flow-Down Letter (Template Inside)Flow-Down · 7 min read
- CMMC Level 1 vs Level 2: Which Do You Actually Need?CMMC Basics · 7 min read
- FedRAMP Moderate Equivalent vs Moderate: What CMMC Level 2 Actually RequiresCloud & Hosting · 8 min read