The assessor opened the SharePoint site and clicked on a file marked "FCI." She then opened the metadata panel, checked the properties, and asked the question that turned my client's confident posture into visible discomfort: "This document contains ITAR technical data. Why is it marked as Federal Contract Information instead of CUI?"
The answer was simple: nobody had actually trained the engineering team on CUI marking and labeling requirements. They'd been told to "mark sensitive documents," so they picked a category that sounded official. The result was a finding that delayed their CMMC certification by three months and triggered a comprehensive remediation effort across their entire document management system.
CUI marking and labeling isn't a paperwork exercise. It's a control mechanism. When implemented correctly, it enables data loss prevention, enforces handling restrictions, and demonstrates that your organization understands what you're protecting. When done poorly, it creates audit findings, compliance gaps, and real operational risk.
What CUI Marking Actually Accomplishes
Before diving into the mechanics, it's worth being clear about why CUI marking exists. The requirement isn't about making documents look official. It's about creating a visible, machine-readable signal that enables three things:
First, it alerts anyone handling the information that special rules apply. An employee forwarding a document marked "CUI" should pause and think about who can receive it. A contractor opening a file with a CUI banner should know that different storage, transmission, and access requirements are in force.
Second, it enables automated controls. Data loss prevention systems scan for CUI markings. Email gateways can route marked content through encrypted channels. Classification engines can apply retention policies based on designation indicators. None of this works if your marking is inconsistent or incorrect.
Third, it demonstrates intent. When an assessor or auditor reviews your environment, proper CUI marking shows that your organization has identified controlled information, understands its obligations, and has implemented a system to differentiate CUI from other data. Poor marking suggests the opposite, regardless of what your policies claim.
The pattern I see most often in failed implementations: organizations treat marking as a compliance checkbox rather than an operational control. They create templates, issue guidance, and assume people will follow it. Then they're surprised during an assessment when half their documents are unmarked, a quarter are marked incorrectly, and the remainder use inconsistent formats that DLP systems can't parse.
Banner Marking Requirements
Banner markings appear at the top and bottom of every page containing CUI. This isn't optional. It's specified in 32 CFR Part 2002 and enforced in NIST 800-171 assessments.
The basic banner format is straightforward: "CUI" appears in all capital letters, centered or left-justified depending on your organization's standard. If the information falls into a specific CUI category that requires additional handling, you add a category marking after the CUI indicator.
Here's what that looks like in practice. A document containing export-controlled technical data might carry the banner "CUI//SP-EXPT" at the top and bottom of each page. A file with law enforcement sensitive information would show "CUI//SP-LES." Documents containing basic CUI without special handling requirements use "CUI" alone.
Limited Dissemination Controls
Limited dissemination controls restrict who can access the information beyond the standard CUI baseline. These appear after the category marking, separated by double slashes. Common examples include FEDCON (federal employees and contractors only), NOCON (no contractors), and NOFORN (no foreign nationals).
The full banner for ITAR technical data restricted to U.S. citizens might read: "CUI//SP-EXPT//NOFORN"
The mistake I see here: organizations applying dissemination controls they don't actually enforce. You can mark every document NOFORN, but if your SharePoint site allows access to foreign national employees, the marking is fiction. Assessors check both the banner and the access controls behind it. Inconsistency between the two is a finding.
Email and Digital Communications
Email presents a special challenge. The banner marking requirement applies, but email clients don't naturally support headers and footers on every message. Most organizations address this through one of three approaches.
The first approach: manual markings in the subject line and body. Users type "CUI" at the beginning of the subject line and include a banner at the start of the message body. This works if your staff is disciplined and your culture supports it. In practice, compliance rates hover around 60% without enforcement mechanisms.
The second approach: automated insertion through email gateway rules or Outlook plugins. Users flag messages as CUI, and the system adds the required markings. This raises compliance significantly but requires configuration, testing, and user training.
The third approach: segregated email infrastructure. CUI communications happen in a separate environment (often GCC High or a similar FedRAMP-authorized platform) that applies markings automatically. This is the cleanest solution architecturally, but it requires investment and creates workflow friction.
I've worked with contractors using all three approaches. The one that fails consistently: expecting users to remember marking requirements without technical controls or consequences. People are busy, deadlines are real, and manual compliance decays over time.
Building a CMMC Program That Survives Assessment
Carl speaks to defense contractors about the practical steps that separate performative compliance from programs that hold up under scrutiny. If your team is preparing for CMMC certification or struggling with CUI handling requirements, Carl's keynotes offer frameworks based on real assessments.
Book Carl to Speak
Designation Indicators and Category Markings
The CUI Registry maintained by the National Archives lists 24 categories and more than 100 subcategories. Each represents a different type of controlled information with its own legal or regulatory basis. Your job isn't to memorize the registry. It's to identify which categories apply to your environment and train your staff accordingly.
For most defense contractors, the relevant categories are limited. Export Control (SP-EXPT) covers ITAR and EAR-controlled technical data. Procurement and Acquisition (PRCR) applies to source selection information and procurement data. Critical Infrastructure Security Information (SP-CRIT) appears in certain sectors. Federal Contract Information (FCI) isn't technically CUI but often appears in the same systems.
The designation indicator shows why something is CUI. This matters because different categories have different handling requirements, retention schedules, and dissemination rules. A document marked simply "CUI" without a category indicator creates ambiguity. Staff don't know which rules apply, and automated systems can't enforce category-specific controls.
When Category Markings Are Required vs. Optional
Basic CUI uses the "CUI" banner alone. Category markings are optional unless the information requires special handling beyond the baseline CUI requirements. This is where organizations get tripped up. They assume every piece of CUI needs a category marker, so they start making up categories or applying indicators incorrectly.
The rule: use a category marking when the category itself imposes additional requirements or when your organization needs to segregate the information for access control or compliance purposes. Export-controlled data gets "SP-EXPT" because ITAR and EAR impose specific handling rules beyond NIST 800-171. Procurement data gets "PRCR" because different roles need access to procurement information than to technical data.
If you can't articulate why you're using a particular category marker or what additional controls it triggers, you probably shouldn't use it.
Portion Marking and When It Applies
Portion marking identifies which parts of a document contain CUI. Instead of marking the entire document at the highest level, you mark individual paragraphs, sections, or data elements with their actual classification.
In the classified world, portion marking is mandatory. For CUI, it's generally optional unless the agency that authorized the information requires it or your contract specifies it. That said, portion marking makes sense in specific scenarios.
First, when documents contain both CUI and non-CUI information and you need to enable broader distribution of the non-CUI portions. Engineering specifications often mix publicly-available standards with proprietary or export-controlled design details. Portion marking lets you identify exactly what's controlled.
Second, when automated extraction or redaction tools need to operate on documents. Systems that generate public-facing documentation from controlled source files need markup that indicates which sections can be released. Portion marking provides that.
Third, when your review or approval processes require precision. Legal and compliance teams reviewing proposals or technical documents can assess handling requirements more accurately when each section carries its own marking.
The format mirrors banner marking: "(CUI)" appears before each controlled paragraph, or "(U)" before uncontrolled sections if you're marking everything. For portions requiring category indicators, you'd see "(CUI//SP-EXPT)" before the relevant paragraph.
The practical constraint: portion marking requires significant user discipline and creates visual clutter in documents. I've seen it work well in engineering environments where technical writers are accustomed to detailed markup. I've seen it fail completely in business environments where staff find it cumbersome and compliance rates collapse. Implement it where it adds value, not because it sounds thorough.
Handling and Storage Requirements Tied to Markings
CUI marking and labeling means nothing if the marked information isn't handled accordingly. This is where technical controls meet policy requirements, and where most organizations reveal whether they've actually operationalized their CUI program.
Physical Storage and Media
Physical documents and removable media containing CUI require markings on the exterior of containers. File folders get labels. Binders get covers. USB drives get exterior markings or labeled cases. Bankers boxes used for archival storage need clear CUI indicators on at least two sides.
The requirement exists so that anyone handling the container knows what's inside without opening it. Shipping and receiving staff, administrative personnel, and visitors can all see that special handling applies. When I walk through a contractor's facility, I'm looking at how documents are stored. Unlabeled file cabinets and unmarked archive boxes suggest a marking program that exists on paper but not in practice.
Lockable storage is required, but the specific controls depend on your environment and risk assessment. Most contractors use locking file cabinets or safes for hard copy CUI. Electronic media goes in locked drawers or containers. The key point: controls must align with your System Security Plan and documented risk decisions.
Transmission and Sanitization
Marked CUI can't be transmitted over unencrypted channels or to unauthorized recipients. Email encryption, secure file transfer protocols, and approved cloud platforms form the technical baseline. But the marking is what triggers these controls.
Data loss prevention systems scan outbound email and file transfers for CUI markers. When detected, the system either blocks the transmission, routes it through an encrypted gateway, or alerts security staff. This only works if documents are marked consistently and if the DLP engine is configured to recognize your marking conventions.
The same logic applies to sanitization. When devices or media leave your control, marked CUI must be removed or destroyed according to NIST 800-88 requirements. The marking tells the IT team what sanitization standard applies. An unmarked hard drive containing export-controlled data is a TARP violation waiting to happen if it's disposed of as non-CUI equipment.
DLP Configuration for CUI Enforcement
Data loss prevention systems provide the technical enforcement layer for CUI marking requirements. Without DLP, you're relying entirely on user behavior and manual review. With properly configured DLP, you get automated scanning, policy enforcement, and incident alerting.
The challenge: most DLP platforms aren't preconfigured for CUI. They come with rules for credit card numbers, Social Security numbers, and other structured data. CUI marking is contextual and format-dependent. You need to build custom rules based on your organization's marking conventions.
Start with banner detection. Your DLP rules should scan documents and emails for "CUI" appearing at the beginning of content, in headers, or in subject lines. Regular expressions work for basic detection, but you'll need refinement to reduce false positives. The string "CUI" appears in words like "circuitry" and "pharmaceutical." Context matters.
Next, add category indicators. If your organization uses "CUI//SP-EXPT" for export-controlled data, configure DLP to recognize that pattern and apply more restrictive rules than for basic CUI. This might mean blocking external transmission entirely, requiring additional approval steps, or logging all access events.
Third, implement response actions tied to detection. When DLP identifies marked CUI in an outbound email to an unauthorized domain, what happens? Options include blocking the message, encrypting it automatically, quarantining it for review, or alerting security staff. The right answer depends on your operational model and risk tolerance.
Common DLP Failures in CUI Environments
The pattern I see most often: organizations deploy DLP, configure basic rules, and declare victory. Then an assessment reveals that marked documents are flowing through SharePoint to unauthorized users, email attachments are going out unencrypted, and nobody's monitoring the DLP alerts because the signal-to-noise ratio is terrible.
First failure mode: rules that are too broad. Scanning every document for any occurrence of "CUI" generates thousands of false positives. Users learn to ignore alerts, and legitimate incidents disappear into the noise. Tighten your detection logic. Look for CUI in specific locations (headers, footers, subject lines) rather than anywhere in the content.
Second failure mode: no enforcement in internal systems. DLP focuses on the perimeter—outbound email, web uploads, removable media. But most CUI handling happens inside your environment. If your SharePoint sites, file shares, and collaboration platforms don't enforce access controls based on CUI markings, you're protecting the wrong boundary.
Third failure mode: marking inconsistency that breaks automation. If engineering uses "CUI//EXPT" and contracts uses "CUI//SP-EXPT" and finance just writes "Export Controlled" in red text, your DLP rules can't possibly cover all variations. Standardization enables automation. Variation defeats it.
Compliance Programs That Work Beyond the Audit
Carl delivers keynotes on building compliance and security programs that function operationally, not just on paper. His talks are built on real assessments, actual findings, and the patterns that separate mature programs from performative ones. See all keynote speaking topics or reach out about your event.
Book Carl for Your EventCommon Marking Mistakes That Assessors Flag
I've reviewed dozens of CUI implementations during CMMC assessments and NIST 800-171 validations. The same marking errors appear repeatedly, and they're rarely the obscure edge cases organizations worry about. They're basic execution failures that reveal systemic gaps.
Missing Markings on Derivative Documents
Your engineering team receives a CUI-marked technical drawing from a prime contractor. They use that drawing to create a manufacturing work instruction. The work instruction contains the same controlled details but carries no CUI banner. This is a derivative document, and it requires marking.
Assessors look for this specifically. They trace information flow from source documents through your internal processes. Proposals become contracts. Contracts become specifications. Specifications become work instructions. If the CUI marking disappears at any stage, it's a control failure.
The underlying issue: staff don't understand that CUI remains CUI when you transform the format or incorporate it into new documents. Training focuses on handling CUI you receive from outside your organization. It rarely addresses what happens when you generate new documents using that CUI as source material.
Inconsistent Marking Conventions Across Systems
Your document management system applies CUI banners automatically based on metadata. Your email system requires manual subject line marking. Your shared drives rely on folder labels. The result: three different marking schemes that create confusion and break automated controls.
Standardization matters. If assessors see different marking formats in different parts of your environment, they'll question whether your CUI identification process is controlled. More practically, staff who encounter multiple standards default to whatever's easiest, which is usually nothing.
The fix isn't technical. It's governance. Establish a single marking standard, document it, configure systems to support it, and enforce it through review processes and automated validation.
Overly Broad or Unnecessarily Restrictive Markings
Some organizations mark everything as CUI to avoid making judgment calls. Others apply the most restrictive dissemination controls available because it feels safer. Both approaches create operational problems and compliance risk.
Marking non-CUI information as CUI imposes unnecessary handling restrictions, slows workflows, and trains staff to ignore markings because they know the label is wrong. It also creates compliance burden. You're now required to apply NIST 800-171 controls to data that never needed protection in the first place.
Applying overly restrictive dissemination controls has the opposite effect: you block legitimate access and create pressure to work around the system. Engineering teams that can't access NOFORN-marked data they need for their jobs find unofficial ways to share it. The marking becomes meaningless.
Accuracy matters more than caution. Mark what's actually CUI, apply dissemination controls only where legally or contractually required, and accept that some judgment calls will be necessary.
No Validation or Quality Control Process
The organizations with the cleanest CUI marking programs have one thing in common: they review marked documents regularly. Quality assurance processes spot-check markings before documents are released. Periodic audits sample files from various systems. Automated scripts flag unmarked files in CUI directories.
The organizations with the worst marking programs assume that training and templates are sufficient. They issue guidance, send staff to a one-hour training session, and hope for the best. Then they're surprised during an assessment when 40% of CUI is unmarked and another 30% is marked incorrectly.
Marking is an execution problem, not a policy problem. You need verification mechanisms that operate continuously, not just before assessments. Build them into document approval workflows, quarterly compliance reviews, and system audits.
Integration with Information System Controls
CUI marking connects to nearly every NIST 800-171 control family. Access control decisions depend on knowing what's CUI and what isn't. Audit and accountability logging makes sense only if you're tracking access to identified controlled information. Incident response procedures trigger based on what data was exposed, which requires accurate marking.
This integration is where marking moves from a documentation requirement to an operational control. Your access control systems should read CUI markings and enforce permissions accordingly. Your backup systems should handle marked data differently from general business information. Your incident response playbooks should escalate based on the category indicators present.
In practice, most organizations implement this integration in stages. Phase one: manual marking and user training. Phase two: automated detection and DLP enforcement. Phase three: integration with identity management, access control, and logging systems. Few contractors reach phase three before their first CMMC assessment, but assessors evaluate your roadmap as well as your current state.
The question assessors ask: "If I find a document marked CUI//SP-EXPT in your SharePoint environment, what technical controls ensure that only authorized users can access it?" If the answer is "we trust that the SharePoint administrator set permissions correctly," you have a gap. If the answer is "our access control system reads the category marking and enforces role-based permissions automatically, and here's the log that shows it's working," you're demonstrating mature implementation.
Training Staff on Marking Requirements
CUI marking training fails when it focuses on policy rather than decision-making. Staff sit through presentations about 32 CFR Part 2002, memorize acronyms, and leave with no practical understanding of when to mark something or how to apply category indicators correctly.
Effective training starts with context. Explain what CUI is, why it matters to your organization, and what happens if it's mishandled. Then focus on the specific categories relevant to your environment. If you're a defense contractor working with ITAR data, spend time on export control categories and dissemination controls. If you're processing federal procurement data, focus on PRCR markings and retention requirements.
Role-based scenarios work better than generic policy review. Engineers need to know how to handle technical drawings received from primes. Proposal writers need to understand when pricing data requires marking. Administrative staff need to recognize CUI in emails and route it appropriately. Tailor the training to what each role actually encounters.
Testing matters. Compliance verification through annual quizzes or scenario-based assessments identifies who's retained the training and who needs refreshers. More importantly, it signals that marking requirements are enforceable expectations, not suggestions.
The pattern I see in successful programs: organizations treat CUI marking as a core competency, not a compliance obligation. New hires receive marking training during onboarding. Refresher sessions happen annually or when procedures change. Managers review marking accuracy as part of quality control processes. The culture reinforces the behavior.
Why Marking Failures Signal Deeper Problems
When I review a contractor's CUI marking program during an assessment and find systemic problems—unmarked documents, inconsistent banners, category indicators that don't match the content—I'm not just documenting a marking deficiency. I'm looking at an indicator that the organization doesn't actually know what CUI it possesses or where it lives.
Accurate marking requires accurate identification. You can't mark something correctly if you haven't determined what it is and why it's controlled. Organizations that struggle with marking usually struggle with CUI identification, which means they're uncertain about the full scope of data requiring NIST 800-171 controls.
This uncertainty cascades. If you don't know where all your CUI lives, you can't scope your assessment boundary correctly. If your boundary is wrong, you're either over-controlling systems that don't need it or under-controlling systems that do. Both create compliance risk and operational inefficiency.
Marking discipline also correlates with security culture. Organizations where staff routinely ignore marking requirements are usually the same organizations where security policies are viewed as obstacles rather than enablers. Password complexity requirements get worked around. MFA prompts generate helpdesk tickets requesting exemptions. Incident reporting procedures are followed only when someone thinks they'll get caught.
CISOs understand this intuitively. When I report marking deficiencies to leadership, the conversation isn't about banner formats or category indicators. It's about whether the organization has the cultural and operational maturity to manage controlled information under regulatory scrutiny. Often, the answer is no, and marking failures are just the most visible symptom.
That's why fixing a CUI marking program isn't a documentation project. It's a signal that leadership is serious about compliance, that staff understand the stakes, and that systems are designed to enforce requirements rather than work around them. Get marking right, and you've built a foundation for everything else. Get it wrong, and you're performing compliance theater while actual controls remain absent.