
A Practical Guide to Marking Controlled Unclassified Information (CUI Marking)

August 12, 2025

Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

If you work with the Department of Defense (DoD) or any federal agency that shares sensitive information, you’ve probably encountered the term "CUI" more than once. Controlled Unclassified Information (CUI) is a category of information that isn't classified, but still requires safeguarding and dissemination controls in accordance with federal law, regulation, or government-wide policy. And knowing how to properly mark and handle CUI is essential to staying compliant, passing audits, and keeping contracts.

This guide explains the CUI program, the rules for marking CUI, and what those rules look like in practice, so you can be confident you’re handling sensitive U.S. government information the right way.

What is CUI?

CUI stands for Controlled Unclassified Information. It refers to data that isn’t classified information but still requires safeguarding and controlled access under federal law, regulation, or government-wide policy. The program was created under Executive Order 13556 to replace the inconsistent ways federal agencies had been labeling and protecting sensitive information.

Before the CUI program, agencies used a variety of unofficial designations like “FOUO” (For Official Use Only) and “LES” (Law Enforcement Sensitive), each with different and often conflicting rules for handling. This patchwork created confusion and compliance risks across the federal government and its contractor base.

To solve this, the government established a unified framework for managing sensitive but unclassified information, led by the Information Security Oversight Office (ISOO), a division of the National Archives and Records Administration (NARA). ISOO maintains the official CUI Registry, a searchable resource that defines which types of information qualify as CUI and how they must be protected.

The CUI Registry organizes approved categories into topic areas such as:

  • Critical Infrastructure
  • Export Control
  • Financial
  • Intelligence
  • Legal
  • Privacy
  • Proprietary Business Information
  • Tax

For each category, the Registry outlines whether the information is designated CUI Basic or CUI Specified, cites the relevant laws or regulations, and provides marking requirements, including any mandatory category indicators or dissemination controls.

| CUI Category | Description | Example |
|---|---|---|
| Critical Infrastructure | Information related to physical or virtual systems essential for public safety, economic security, or national security | Energy infrastructure data, transportation systems information |
| Defense | Information related to military or national defense that is not classified | Controlled Technical Information (CTI), Export-controlled data under ITAR or EAR |
| Export Control | Information controlled by export regulations, such as International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) | Technical data requiring export licenses |
| Financial | Information about financial institutions, systems, or individuals | Bank Secrecy Act (BSA) reports, tax information |
| Immigration | Information related to immigration, naturalization, or citizenship | Visa application records, refugee status information |
| Intelligence | Unclassified information related to intelligence activities, sources, and methods | Signals intelligence analysis, non-classified intelligence reports |
| International Agreements | Information related to agreements between the U.S. and foreign governments or international organizations | Details of treaties, trade agreements, or joint military operations with allied nations |
| Law Enforcement | Information pertaining to law enforcement investigations or operations | Criminal investigation reports, witness protection data |
| Legal | Legal or litigation-related information | Attorney-client privileged materials, court-sealed documents |
| Natural and Cultural Resources | Information related to the management and use of natural and cultural resources | Environmental impact assessments, wildlife conservation data |
| North Atlantic Treaty Organization (NATO) | Information related to NATO operations, policies, or agreements | NATO operational plans, joint defense strategies, and sensitive communication protocols shared between member nations |
| Nuclear | Information about nuclear technology or materials that is sensitive but not classified | Non-classified nuclear safety protocols, radiological incident reports |
| Patent | Information about unpublished or sensitive patent applications or technologies under development | Pending patent applications, proprietary designs submitted to the government |
| Privacy | Personally Identifiable Information (PII) or data protected under privacy laws like HIPAA | Medical records, Social Security numbers |
| Procurement and Acquisition | Information pertaining to government procurement processes and acquisition strategies | Contract proposals, bid evaluations, and supplier proprietary data submitted during the acquisition process |
| Proprietary Business Information | Sensitive commercial or business information provided to the government | Trade secrets, confidential R&D data |
| Provisional | A temporary category used for sensitive information not yet fully classified under a specific CUI category | Information awaiting classification or determination under an existing CUI category |
| Statistical | Information related to statistical analysis or data collection for government purposes | Census data, economic forecasts |
| Tax | Information about federal, state, or local tax-related matters | Taxpayer identification numbers, IRS records, or sensitive financial audits |
| Transportation | Information related to transportation systems, infrastructure, or operations | Passenger data, transportation security plans |

CUI can encompass a wide variety of sensitive data, from export-controlled technical drawings to proprietary business records, privacy-protected personal information, law enforcement data, or legal documents. In a defense contracting environment, it may also include supply chain data, weapons systems information, or Controlled Technical Information (CTI) shared through contracts with the Department of Defense.


CUI Basic vs CUI Specified

Understanding the difference between CUI Basic and CUI Specified is essential to marking and handling CUI correctly.

CUI Basic refers to the default set of handling and safeguarding requirements that apply to most types of CUI. These requirements are outlined in 32 CFR Part 2002 and apply unless a specific law or regulation says otherwise. If you are working with information that qualifies as CUI but no statute or policy imposes stricter protections, then it falls under CUI Basic.

CUI Specified, on the other hand, applies when a law, regulation, or government-wide policy sets additional or more specific protections for a particular category of CUI. These added requirements could involve stricter dissemination rules, enhanced encryption standards, or access limitations.

You don’t need to mark documents as “CUI Basic” or “CUI Specified.” Both are simply marked as “CUI.” However, for CUI Specified, you must include the proper category and apply any specific controls dictated by the governing authority.

For example, Export Controlled information — a type of CUI Specified — must comply with export control laws like ITAR or EAR. This might mean restricting access to U.S. persons or preventing transmission across certain networks. These obligations go beyond the standard handling practices applied to CUI Basic.

The CUI Registry lists each CUI category and indicates whether it is Basic or Specified. Always consult the registry and your agency’s guidance to confirm what rules apply.

Why CUI marking matters

Marking CUI is not optional. The rules are clearly outlined in 32 CFR Part 2002 and in agency-specific guidance like DoD Instruction 5200.48. If you handle CUI as part of your government contract, you are required to mark it properly. Failing to do so can result in audit findings, contract penalties, unauthorized disclosure of sensitive government data, or even impact national security.

Proper marking ensures everyone handling the information knows what it is, how to protect it, and whether it can be shared. It also helps your organization stay aligned with the security controls in frameworks like NIST 800-171 and CMMC 2.0, which are required for DoD contracts.

Basic elements of CUI marking

When marking CUI, the goal is to clearly identify the information so it can be protected appropriately. These requirements are outlined in 32 CFR Part 2002 Subpart C, and further detailed in agency-specific policies such as DoDI 5200.48, CMMC requirement MP.L2-3.8.4 Media Markings, and NIST 800-171 3.8.4.

At a minimum, CUI markings include:

  • The acronym "CUI" in the header and footer of each page
  • The CUI designation indicator, typically located on the first page or cover of a document
  • Category markings if specified in the CUI Registry
  • Limited dissemination controls, if applicable

The CUI designation indicator shows who originally designated the information as CUI. For example, "CUI//DOD" or "CUI//ABC Corp" tells the reader who is responsible for the marking.

So who’s actually responsible for applying these markings? In most cases, it’s the person or team that creates the document or shares the information, which is usually a project lead, technical writer, or contracting officer’s rep. If your organization is the source of the CUI, it’s your job to make sure it’s properly marked before you send it to anyone else, whether that’s a government agency or another contractor.

What is a CUI banner marking?

One of the most visible components of CUI marking is the banner, also called a banner marking. This is the label that appears at the top and bottom of each page of a document—or at the beginning and end of an email or slide—to clearly identify the content as Controlled Unclassified Information.

At its simplest, a CUI banner just says: CUI. But it can also include category indicators or dissemination controls. For example, you might see banners like: CUI//PRIVACY or CUI//EXPORT CONTROLLED//NOFORN.

These markings tell recipients that the document contains CUI, and also specify the type and any limitations on who can receive or share it.

In documents, the banner must appear at the top and bottom of every page. In emails, it should be placed at the top and bottom of the message body, and the subject line should begin with "CUI." For slide decks, each slide should include a banner, usually in the header or footer area. Spreadsheets should display the marking on each sheet, either in a header row or in a prominently visible cell.

CUI banners are required for both CUI Basic and CUI Specified. Their purpose is to ensure that anyone handling the content immediately understands its sensitivity and treats it accordingly.

What are portion markings?

Portion markings are labels applied to individual sections of a document—such as paragraphs, bullets, or slide elements—to indicate whether that specific part contains CUI. This level of granularity can be helpful when a document includes a mix of sensitive and non-sensitive information.

Portion markings are commonly used in classified documents, but for CUI, they are optional unless specifically required by your agency or contract. That said, they can be useful for clarity and control, particularly when information is shared among different teams or contractors with varying access levels.

A portion marking is placed at the beginning of a paragraph or bullet point. For example, a paragraph containing CUI might begin with: (CUI) The following section includes controlled technical details on the subsystem design.

If a section is unclassified and does not contain CUI, it can be marked: (U) This section contains publicly available information.

If you choose to use portion markings, you must apply them consistently throughout the document. And even if you use portion markings, the document still needs a full CUI banner at the top and bottom of each page, along with a designation block on the cover or first page.


Examples of CUI marking scenarios

Let’s walk through some common real-world scenarios to see how CUI marking works in practice.

A Microsoft Word document with Controlled Technical Information

If you are working on a Microsoft Word document that includes technical diagrams or descriptions subject to export control, you’ll need to include clear markings. Add "CUI" to the header and footer of every page. On the cover or first page, include a CUI designation block such as:

CUI
Controlled by: ABC Corp
Category: Controlled Technical Information
Distribution/Dissemination: Authorized for use by DoD personnel and contractors only
Contact Information: John Smith, john.smith@abccorp.com

Be consistent with formatting, but readability matters more than perfect alignment. If your organization has a standard template, use it.

An email containing CUI

Emails often trip people up because they feel informal. But if the content qualifies as CUI, you must still follow marking requirements.

Start your subject line with "CUI" to alert the reader. In the body of the email, include a banner at the top and bottom that reads "CUI". If the email includes attachments containing CUI, make sure the documents themselves are properly marked.

Example subject line:

CUI – Request for Quote: XYZ Subsystem Design

Example email body:
[CUI]
This email contains Controlled Unclassified Information. Handle in accordance with DoDI 5200.48.

[Email body content]

[CUI]
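
The email rules above (subject line starting with "CUI", a banner at the top and bottom of the body, marked attachments) can be checked mechanically before a message leaves the organization. The following Python check is an added example, not part of the original guide or of any vendor tooling; the function names, the constructed sample message, and the use of a "CUI" file-name test for attachments (borrowed from the shared-drive naming convention later in this guide) are assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Banner forms shown in this guide: "CUI", "[CUI]", "CUI//PRIVACY",
# "CUI//EXPORT CONTROLLED//NOFORN". Segments are not checked against the Registry.
BANNER_RE = re.compile(r"^\[?CUI(//[A-Z][A-Z \-]*)*\]?$")


def check_cui_email(raw: str) -> list[str]:
    """Return marking problems for a raw RFC 5322 message that carries CUI."""
    msg = message_from_string(raw, policy=default)
    problems = []

    # Rule 1: the subject line begins with "CUI".
    if not re.match(r"^CUI\b", (msg["Subject"] or "").strip()):
        problems.append("subject does not begin with 'CUI'")

    # Rule 2: a banner is the first and the last non-blank line of the body.
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    top_ok = bool(lines) and bool(BANNER_RE.match(lines[0]))
    bottom_ok = len(lines) > 1 and bool(BANNER_RE.match(lines[-1]))
    if not top_ok:
        problems.append("no CUI banner at top of body")
    if not bottom_ok:
        problems.append("no CUI banner at bottom of body")
    if top_ok and bottom_ok and lines[0].strip("[]") != lines[-1].strip("[]"):
        problems.append("top and bottom banners differ")

    # Rule 3: attachments must be marked themselves. A script cannot see inside
    # every file format, so this only flags names without "CUI" for manual review
    # (assumption: the organization uses the file-name convention from this guide).
    for att in msg.iter_attachments():
        name = att.get_filename() or "(unnamed)"
        if "CUI" not in name.upper():
            problems.append(f"attachment {name!r}: no 'CUI' in file name, verify its markings")
    return problems


def build_sample(subject, body, attachment=None):
    """Build a constructed test message (hypothetical addresses and content)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    unmarked = build_sample("Request for Quote: XYZ Subsystem Design",
                            "Please send pricing.\n[CUI]\n",
                            attachment="subsystem_drawing.pdf")
    for problem in check_cui_email(unmarked):
        print("FAIL:", problem)
```

A check like this fits in an outbound mail review step for messages already identified as carrying CUI; it does not decide whether content is CUI in the first place.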

A slide deck for a DoD briefing

If you're presenting CUI in a PowerPoint presentation, the same rules apply. Every slide should include "CUI" in the header or footer. Include a full CUI designation block on the title slide. Make sure any diagrams, charts, or screenshots in the slides do not unintentionally expose CUI without the appropriate markings.

Files stored in shared drives or cloud systems

If your organization uses SharePoint, OneDrive, or another document repository, documents containing CUI must still be marked. Additionally, the folder or document name should reflect the presence of CUI.

For example, a folder might be labeled "Program Docs – CUI" and each file within should include "CUI" in the filename. You must also ensure that access controls are in place so that only authorized users can view or edit the content.

Printed materials

When printing documents that contain CUI, all markings must remain visible. This includes the "CUI" banner at the top and bottom of each page and the designation block on the front page. Do not remove or crop markings. When documents are no longer needed, dispose of them using methods approved for CUI such as shredding or secure destruction.

Spreadsheets and databases

Spreadsheets and database exports often mix sensitive and non-sensitive data, which can make CUI harder to spot. Be sure to include "CUI" in the header and footer of each worksheet, and apply portion markings if only certain rows or sheets contain CUI. Label the file name accordingly (for example, “Q4_Financials_CUI.xlsx”) and consider adding a cover sheet or first tab with a full designation block.

If the file includes queries, macros, or calculated fields tied to CUI, those should be protected too.

Screenshots and image files

Visual materials like screenshots and diagrams can contain CUI, especially if they capture system interfaces, technical data, or contract details. Mark the image itself by placing “CUI” in a corner or watermark. If you’re including the image in a larger document, ensure both the image and the document are marked. If the image is saved or shared independently, the file name should also include “CUI.”

Audio and video recordings

If you’re recording a meeting, training, or presentation that includes discussion of CUI, the recording itself becomes CUI and must be handled accordingly. Include an audio or visual notice at the beginning and end of the recording, such as: “This recording contains Controlled Unclassified Information.” The file name should include “CUI,” and any associated transcripts or closed captions must also be marked and protected.

Be mindful of how and where you store recordings. Access should be restricted to authorized personnel.

Chat logs and collaboration tools (e.g., Teams, Slack)

CUI often finds its way into chat tools, especially when teams are collaborating quickly. If CUI is shared in chat, mark the message with “CUI” at the beginning. If your platform allows it, use clearly labeled channels or threads for CUI-related discussions, and make sure logs are retained and stored securely in compliance with your organization’s CUI policy.

How to handle legacy CUI markings

You may come across older documents labeled with terms like "FOUO" or "LES." These are no longer valid CUI categories, but you shouldn’t just ignore them. DoD guidance states that legacy markings should be treated as CUI until they are reviewed and remarked according to the new standards.

In practice, that means you must apply the same protections to these documents, even if the markings are outdated. When in doubt, treat the material as CUI and consult your Facility Security Officer or Information Security lead.

Properly handling and safeguarding CUI

CUI marking can feel like a hassle, but it's a vital part of protecting government information and maintaining trust with federal partners. The good news is that once your organization sets up standard templates and processes, it becomes second nature. If you're working toward NIST 800-171 compliance or CMMC 2.0 certification, accurate CUI marking is a foundational step that supports your overall security program.

Secureframe’s security and compliance automation platform is built to simplify federal compliance, helping government contractors navigate the complexities of protecting CUI and demonstrate a strong security posture. By combining expertise, automation, and comprehensive support, we’ve helped companies achieve compliance with key frameworks like NIST 800-53 up to 70% faster.

  • Automated monitoring and evidence collection: Secureframe integrates with your existing tech stack, including government cloud variants like AWS GovCloud, to automatically collect evidence and continuously monitor your tech stack for nonconformities.
  • Trusted partner network: Our Partner Network includes certified Third Party Assessment Organizations (3PAOs) and CMMC 3PAOs (C3PAOs) that can support CMMC, FISMA, FedRAMP, and other federal audits.
  • Federal compliance expertise: Secureframe’s dedicated, world-class support team of former FISMA, FedRAMP, and CMMC auditors and consultants guides you through federal readiness and audits and keeps the platform up-to-date on the latest changes to federal compliance requirements.
  • In-platform training: Deliver in-platform, proprietary employee training that meets federal requirements including insider threat, information spillage, anti-counterfeit training, and role-based training such as secure coding.

Learn more about how we simplify compliance with CMMC 2.0, NIST 800-53, NIST 800-171, NIST CSF, TX-RAMP, FedRAMP, CJIS, and more by scheduling a demo today.


FAQs

What are the markings for CUI?

CUI markings include the acronym “CUI” in the header and footer of each page, a designation indicator on the first page (e.g. “Controlled by: [Agency/Org]”), and, when required, category markings (like “CUI//PRIVACY”) and dissemination controls (like “NOFORN”).

How do I mark CUI on an email?

Start the subject line with “CUI.” Include “[CUI]” at the top and bottom of the email body, and make sure any attachments are properly marked. If required, include a designation block in the email body or cover letter.

What are examples of CUI?

Examples of CUI include:

  • Export-controlled technical data
  • Sensitive personally identifiable information (PII)
  • Legal documents protected by privilege
  • Proprietary business information
  • Law enforcement case files
  • Controlled Technical Information (CTI) in DoD contracts

What is the correct banner marking for top secret and CUI?

Top Secret and CUI are different classification levels. If both appear in the same document (which is rare and requires specific authorization), the banner would reflect the higher classification, such as:

TOP SECRET//CUI

Consult your security officer for handling and approval in these cases.

How to mark CUI in Outlook?

Add “CUI” at the start of the subject line. In the email body, place [CUI] at the top and bottom. Ensure attachments are also marked. Some organizations provide Outlook templates or plug-ins for CUI markings, so check your organization’s CUI policy.

Who is responsible for applying CUI markings?

The person or organization that creates or first disseminates the CUI is responsible for applying proper markings. This is typically the document author, project lead, or contracting officer's representative.

Are phone numbers CUI?

A phone number alone is not considered CUI. However, if it appears alongside other sensitive personal data (like SSNs, birthdates, or medical info), it may qualify as CUI under the Privacy category and must be protected accordingly.