Who Is Responsible for Applying CUI Markings?

One of the most frequent compliance questions we encounter from defense contractors is deceptively simple: who is actually responsible for marking documents as CUI? The answer involves a shared responsibility model that many organizations misunderstand — with real consequences during CMMC assessments.

Controlled Unclassified Information (CUI) marking is not a bureaucratic formality. It is the mechanism that tells every person who handles a document exactly how to protect it, who can access it, and under what conditions it can be shared. When markings are missing or incorrect, CUI can be mishandled, shared inappropriately, or left unprotected — any of which can result in a failed CMMC assessment, contractual breach, or compromise of sensitive defense information.

This guide explains the chain of responsibility for CUI markings, from the government agency that designates information as CUI through the contractor workforce that must apply and maintain those markings on documents they create or receive.

The Authorizing Agency's Role in CUI Designation

The foundational principle of CUI is that the authorizing agency determines what qualifies as CUI. An authorizing agency is the government entity that creates, owns, or controls the information in question. Only an authorized holder with the authority to designate CUI may make that determination.

This authority flows from specific laws, regulations, and government-wide policies cataloged in the CUI Registry maintained by the National Archives and Records Administration (NARA). The registry lists every CUI category and subcategory along with the legal basis for its protection.

What the Authorizing Agency Decides

The authorizing agency makes several critical determinations:

• Whether information qualifies as CUI — Based on applicable laws and regulations referenced in the CUI Registry
• Which CUI category or subcategory applies — Such as CUI//CTI (Controlled Technical Information) or CUI//PRVCY (Privacy)
• Whether limited dissemination controls apply — Restrictions beyond the baseline CUI safeguarding requirements
• The distribution statement — Defining who may receive the information and under what conditions
• Decontrol decisions — When information no longer requires CUI protection

This is not a discretionary judgment call for contractors. If the authorizing agency has designated information as CUI, the contractor cannot override that designation. Conversely, a contractor should not unilaterally mark information as CUI without proper authority or guidance.

How Designation Flows to Contractors

In practice, CUI designation reaches contractors through several channels:

1. Contract language — DFARS clauses and contract data requirements lists (CDRLs) specify what types of information will be CUI
2. Marking on government-furnished information — Documents provided by the government arrive with CUI markings already applied
3. Agency-specific guidance — Many agencies publish CUI marking guides and supplements
4. Direct communication — Contracting officers or program managers may provide explicit CUI designation guidance

What we tell clients is to treat CUI designation guidance as a critical input to their security program. If the guidance is unclear, ask the contracting officer for clarification rather than guessing. An incorrect assumption about what is or is not CUI can ripple through your entire compliance posture.

The Contractor's Marking Obligations

Once the authorizing agency has designated information as CUI, contractors bear the operational responsibility for applying correct markings on documents they create, reproduce, or derivative works they generate from CUI source material.

When Contractors Must Mark

Contractors must apply CUI markings in the following situations:

• Creating new documents that contain CUI based on government-designated information
• Generating derivative works from CUI source material (reports, analyses, presentations)
• Reproducing CUI documents for distribution or use within the organization
• Compiling or aggregating information that includes CUI elements
• Responding to CDRLs or other contractual deliverables that contain CUI

Required Marking Elements Under 32 CFR Part 2002

The marking requirements for CUI are defined in 32 CFR Part 2002, which implements the CUI program established by Executive Order 13556. Every properly marked CUI document must include the following elements:

Element	Location	Example
CUI Banner Marking	Top and bottom of each page	CUI or CONTROLLED
CUI Designation Indicator	Header block or first page	CUI Category: CTI
Designating Agency	First page or cover	Designated by: U.S. Army
Limited Dissemination Control	Banner marking (if applicable)	CUI//SP-CTI//NOFORN
Distribution Statement	First page or cover	Distribution Statement B
Portion Markings	Individual paragraphs (when required)	(CUI) or (CUI//CTI)

Banner Markings

Banner markings appear at the top and bottom of every page that contains CUI. The standard banner marking is simply CUI or CONTROLLED. When a limited dissemination control applies, the banner marking incorporates it — for example, CUI//NOFORN indicates CUI that may not be released to foreign nationals.

When a document contains multiple CUI categories, the banner marking reflects the most restrictive category present. For example, if a document contains both basic CUI and CUI with a NOFORN dissemination control, the entire document is marked at the higher level.

Portion Markings

Portion markings identify specific paragraphs, sections, or elements within a document that contain CUI. While portion marking is not always mandatory for basic CUI, it is strongly recommended and may be required by the authorizing agency.

A portion-marked paragraph looks like this:

• (CUI) This paragraph contains controlled technical information related to the system design specifications...
• (U) This paragraph contains uncontrolled information that is publicly releasable...

Portion markings become especially important in documents that mix CUI with uncontrolled information, as they help recipients understand exactly which sections require protection.

Distribution Statements

Distribution statements control who may access a document and under what conditions. The Department of Defense uses standardized distribution statements (A through F, plus X) that correspond to different access restrictions:

• Distribution A — Approved for public release, unlimited distribution
• Distribution B — Distribution authorized to U.S. Government agencies only
• Distribution C — Distribution authorized to U.S. Government agencies and their contractors
• Distribution D — Distribution authorized to DoD and U.S. DoD contractors only
• Distribution E — Distribution authorized to DoD components only
• Distribution F — Further distribution only as directed by the controlling office
• Distribution X — Distribution authorized to U.S. Government agencies and private individuals or enterprises with a demonstrated need

The authorizing agency determines which distribution statement applies. Contractors must apply the correct distribution statement as specified.

Common CUI Marking Mistakes

In our experience advising defense contractors, several marking errors appear repeatedly. Avoiding these mistakes is critical both for information protection and for CMMC assessment readiness.

Overmarking

Some organizations mark everything as CUI as a precaution. While this might seem safe, overmarking creates real problems. It desensitizes employees to CUI protections, increases the scope of your CUI environment (and therefore your CMMC assessment boundary), and can create unnecessary restrictions on information sharing. Only information that meets the criteria in the CUI Registry should be marked as CUI.

Undermarking or Failure to Mark

The opposite problem is equally dangerous. When CUI-designated information is not properly marked, recipients may not apply appropriate safeguarding controls. This is a direct pathway to unauthorized disclosure and a finding during CMMC assessments under the Media Protection control family.

Incorrect Category Indicators

Applying the wrong CUI category indicator — for example, marking information as basic CUI when it should carry a specific category like CTI — can result in inadequate protection or incorrect dissemination decisions.

Missing Markings on Derivative Documents

When contractors create new documents derived from CUI sources, they must carry forward the CUI markings. A common failure is creating a summary report or presentation from CUI source material without applying any CUI markings to the derivative document.

CUI Markings and CMMC Assessment

CUI marking practices are evaluated during CMMC assessments as part of the Media Protection (MP) control family. Assessors will examine whether your organization:

• Has documented procedures for identifying and marking CUI
• Applies markings consistent with 32 CFR Part 2002 and agency guidance
• Trains personnel on proper marking requirements
• Maintains marking consistency across documents and systems
• Has a process for resolving marking disputes or ambiguities

What we tell clients is that CUI marking is not just a documentation exercise — it directly affects your CUI boundary definition, which in turn determines the scope of your entire CMMC assessment. Organizations that have clear, consistent marking practices tend to have better-defined CUI boundaries and smoother assessments.

For more on the controls that govern CUI protection, see our NIST 800-171 compliance guide. For a broader overview of CUI requirements and categories, read our guide on what is CUI.

Practical Steps for Getting CUI Markings Right

If your organization is preparing for CMMC certification or simply tightening its CUI handling practices, here is what we recommend:

1. Obtain clear designation guidance from your contracting officer or program manager for every contract involving CUI
2. Create a CUI marking guide specific to your organization that references the categories and dissemination controls relevant to your contracts
3. Train all personnel who create, handle, or distribute CUI on proper marking procedures
4. Implement marking templates in your document management system that pre-populate CUI banners and required elements
5. Conduct periodic marking reviews to verify that CUI documents across your organization are consistently and correctly marked
6. Establish an escalation process for situations where CUI designation or marking is unclear — default to asking the authorizing agency rather than guessing

CUI marking is a shared responsibility. The authorizing agency makes the designation decision, but every contractor in the supply chain must understand and apply the correct markings. Getting this right is foundational to the entire CUI protection framework and to your success in CMMC certification.