Controlled Unclassified Information (CUI) is the reason CMMC exists. The entire framework was built to ensure that defense contractors properly protect sensitive but unclassified information. Yet CUI marking and handling remains one of the most confusing aspects of compliance for many organizations.
What Is CUI?
CUI is information that the government creates or possesses that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It is not classified information, but it is sensitive enough to require protection beyond what you would give ordinary business data.
CUI is organized into categories and subcategories defined by the National Archives and Records Administration (NARA) in the CUI Registry. Common categories in defense contracting include Export Controlled, Proprietary Business Information, Privacy, and Critical Infrastructure. The specific CUI category determines any special handling requirements beyond the baseline.
CUI Marking Requirements
CUI must be marked with a CUI banner at the top of each page. The minimum banner marking is: CUI or CONTROLLED. For CUI with specific category markings, the banner includes the category: CUI//SP-EXPT (for Export Controlled, Specified).
Documents should include a CUI designation indicator block on the first page with: the CUI designation, the authorized holder, the CUI category or categories, distribution and dissemination controls, and the POC for questions about the marking.
When CUI is transmitted via email, the subject line should include the CUI marking. Electronic files should include CUI markings in the filename or metadata where feasible.
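As an added illustration (not from the original page), a small Python checker that applies the rules above: a CUI banner as the first line of every page, a designation indicator block on the first page, and a CUI marking in the email subject line. The category and dissemination-control allowlists and the indicator field labels are assumptions for this example (the NARA CUI Registry is authoritative), and the parser generalizes the single-category banner to the "//"-separated banner form with several categories and dissemination controls.

```python
import re
# Constructed allowlists for this example; the authoritative lists live in the NARA CUI Registry.
KNOWN_CATEGORIES = {"EXPT"}          # Export Controlled, the category marking cited on the page
KNOWN_DISSEM = {"NOFORN", "FEDCON"}  # assumed limited-dissemination control markings
# Field labels assumed for the first-page CUI designation indicator block.
INDICATOR_LABELS = ("Controlled by:", "CUI Category:", "Distribution/Dissemination Control:", "POC:")

def parse_banner(line: str) -> dict:
    """Parse 'CUI', 'CUI//SP-EXPT' or 'CUI//SP-EXPT//NOFORN'; raise ValueError on a malformed banner."""
    parts = [p.strip() for p in line.strip().split("//")]
    if parts[0] not in ("CUI", "CONTROLLED"):
        raise ValueError(f"banner must begin with CUI or CONTROLLED, got {parts[0]!r}")
    banner = {"base": parts[0], "categories": [], "specified": False, "dissemination": []}
    # Second segment: one or more categories separated by '/', 'SP-' marking a Specified category.
    for cat in (parts[1].split("/") if len(parts) > 1 and parts[1] else []):
        if cat.startswith("SP-"):
            banner["specified"], cat = True, cat[3:]
        if cat not in KNOWN_CATEGORIES:
            raise ValueError(f"unknown CUI category {cat!r}")
        banner["categories"].append(cat)
    # Third segment: limited dissemination controls, also separated by '/'.
    for ctl in (parts[2].split("/") if len(parts) > 2 and parts[2] else []):
        if ctl not in KNOWN_DISSEM:
            raise ValueError(f"unknown dissemination control {ctl!r}")
        banner["dissemination"].append(ctl)
    return banner

def check_document(pages: list) -> list:
    """Return findings for a document given as a list of page texts; an empty list means it passes."""
    findings = []
    for n, page in enumerate(pages, start=1):
        lines = page.strip().splitlines()
        try:
            parse_banner(lines[0] if lines else "")   # banner must be the first line of every page
        except ValueError as err:
            findings.append(f"page {n}: {err}")
    for label in INDICATOR_LABELS:                    # designation indicator block on page 1 only
        if label not in pages[0]:
            findings.append(f"page 1: designation indicator missing {label!r}")
    return findings

def subject_is_marked(subject: str) -> bool:
    """An email subject must carry the marking; accept CUI or CONTROLLED as a standalone token."""
    return re.search(r"\b(CUI|CONTROLLED)\b", subject) is not None

# Constructed sample: page 2 has no banner and the indicator block on page 1 omits the POC.
SAMPLE_PAGES = [
    "CUI//SP-EXPT\nControlled by: Example Prime Contractor\nCUI Category: Export Controlled\n"
    "Distribution/Dissemination Control: FEDCON\nBody text of the deliverable...",
    "Body text continues on page 2 without a banner...",
]
```

Running `check_document(SAMPLE_PAGES)` reports the unmarked second page and the missing POC field, the two defects a reviewer would flag before the document leaves the enclave.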
Handling Procedures
Storage: CUI must be stored in a manner that prevents unauthorized access. For physical documents, this means locked containers or rooms with controlled access. For electronic CUI, this means encrypted storage with access controls limiting access to authorized individuals.
Transmission: CUI transmitted electronically must be encrypted using FIPS 140-2 validated cryptography. In practice, this means TLS 1.2+ for web and email traffic, and encrypted file transfer mechanisms. Unencrypted email is not acceptable for CUI.
Destruction: CUI must be destroyed in a manner that prevents reconstruction. For paper, this means cross-cut shredding. For electronic media, this means NIST 800-88 compliant sanitization — either cryptographic erasure or physical destruction depending on the media type.
Common Mistakes
The most common mistake is not marking CUI at all. Many contractors receive CUI from the government or prime contractor and handle it without applying proper markings. The second most common mistake is over-marking — treating everything as CUI when it is not, which expands your compliance scope unnecessarily and increases costs.
Another frequent error is not training employees on CUI recognition and handling. If your workforce does not know what CUI looks like, how to mark it, or how to handle it, no technical control will save you. CUI awareness training should be part of your onboarding process and annual refresher training.
CMMCDocs.com