In our last blog post, I covered what CUI is. For this one, I’ll cover the traditional and non-traditional ways of marking CUI.
The marking process is what alerts holders to the information that needs protection. It also helps with any dissemination and safeguarding controls required. The CUI Registry establishes this marking process.
CUI Registry
The CUI Registry is the online repository for all information on handling CUI.
The site identifies all approved categories and subcategories. It also classifies the control levels for each and includes guidance on handling.
Control Level
The “control level” indicates the safeguarding and disseminating requirements.
Section 2002.4 of Title 32 CFR defines three control levels...
CUI Basic - Authorities marked this information as sensitive but haven’t provided any specific controls. The basic level of safeguards and dissemination controls will protect this information.
CUI Specified - Sensitive information for which laws, regulations, government-wide policies or authorities require specific controls. These controls may be different from those required by CUI Basic. The distinction is that the authority spells out specific controls for CUI Specified information. For example...
Unique Markings
Enhanced physical safeguards
Limits on who can access the information
CUI Specified, but with CUI Basic controls - specifying only some of the controls
The controls for any CUI Basic categories and subcategories are the same. The controls for CUI Specified categories and subcategories can differ from Basic ones and from each other. A CUI Specified category may include subcategories that are Basic and vice versa. If there’s an instance that falls into a CUI Specified category or subcategory, the Registry will list the controls.
Traditional CUI Marking
Marking is the first step in the proper handling of CUI because it alerts holders to protect the information.
The following describes the traditional way to apply markings…
Designation Indicator (mandatory) - must identify who originated the CUI. It is a best practice to include the name and contact information for the Point of Contact. The indicator can take various forms, including…
A letterhead (example on the left)
A signature block (example on the left)
A “controlled by” line (example on the right)
The CUI Banner Marking (mandatory) appears at the top of the document alerting the recipient that the document contains CUI. Banners must appear in bold, capitalized and centered (when possible). Keep banner marking separate from any administrative markings.
When marking a document with more than one page, the banner marking will be the same for the entire document. When using a footer (optional), it must be identical to the banner marking. Banner markings may include up to three elements, each separated by (//)...
The CUI Control Marking (mandatory) consists of either the word “CONTROLLED” or the acronym “CUI” at the top of the page. CUI Basic requires only the Control Marking.
Category Markings (mandatory only for CUI Specified) clarify what type of CUI is in a document. Category Markings are listed on the Registry, and those for CUI Specified are preceded by “SP-”. When including more than one category or subcategory in a Banner Marking, separate them with a single forward-slash (/).
E.g. CUI//EMGT/WATER - indicates two types of CUI Basic including Emergency Management and Water Assessments.
E.g. CUI//SP-PRVCY - indicates one type of CUI Specified - General Privacy Information
A document with both kinds of category markings should list all Specified markings before all Basic markings. Alphabetize the category markings if there is more than one for either CUI Specified or CUI Basic.
E.g. CUI//SP-HLTH/SP-PRVCY/DREC - indicates two types of CUI Specified (General Privacy Information & Health Information) and one type of CUI Basic (Death Records).
Limited Dissemination Control (LDC) Markings place limits on sharing CUI. When marked, LDCs are the last component in the banner. Alphabetize LDCs when including more than one and separate them by a single forward-slash (/).
E.g. CUI//SP-EXPT//NOFORN - indicates CUI Specified (Export Controlled) with a limited dissemination control NOFORN - dissemination only allowed to US citizens.
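The banner rules above (elements separated by //, markings within an element separated by /, Specified before Basic, alphabetical order, LDCs last) can be checked mechanically. The Python below is an added example, not an official or Registry tool; the function names are hypothetical, the LDC abbreviations are the ones listed in this post, and category codes are not checked against the Registry.

```python
# Added example: checks a banner string against the rules stated in this post.
# LDC abbreviations are copied from the list in this post; category codes are
# NOT looked up in the CUI Registry (assumption: any other token is a category).
LDCS = {"NOFORN", "NF", "FED ONLY", "FED CON", "NOCON", "DL ONLY",
        "DISPLAY ONLY", "ATTORNEY-CLIENT", "ATTORNEY-WP", "DELIBERATIVE"}


def is_ldc(token):
    return token in LDCS or token.startswith("REL TO ")


def check_banner(banner):
    """Return a list of problems; an empty list means the banner is well formed."""
    problems = []
    if banner != banner.upper():
        problems.append("banner must be capitalized")
    control, *rest = banner.upper().split("//")
    if control not in ("CUI", "CONTROLLED"):
        hint = " (elements are separated by //)" if "/" in control else ""
        problems.append("first element must be CUI or CONTROLLED" + hint)
    if len(rest) > 2:
        return problems + ["a banner has at most three elements"]
    groups = [element.split("/") for element in rest]
    if any(token == "" for group in groups for token in group):
        return problems + ["empty element or marking"]
    # With one trailing element, decide whether it holds categories or LDCs.
    if len(groups) == 1 and all(is_ldc(t) for t in groups[0]):
        cats, ldcs = [], groups[0]
    else:
        cats, ldcs = (groups + [[], []])[:2]
    if any(is_ldc(c) for c in cats):
        problems.append("LDCs must be the last element, after //")
    if any(not is_ldc(t) for t in ldcs):
        problems.append("last element contains an unknown LDC")
    spec = [c for c in cats if c.startswith("SP-")]
    basic = [c for c in cats if not c.startswith("SP-")]
    if cats != spec + basic:
        problems.append("list Specified (SP-) categories before Basic ones")
    if spec != sorted(spec) or basic != sorted(basic):
        problems.append("alphabetize category markings")
    if ldcs != sorted(ldcs):
        problems.append("alphabetize LDCs")
    return problems


if __name__ == "__main__":
    for sample in ("CUI//SP-HLTH/SP-PRVCY/DREC", "CUI//DREC/SP-HLTH",
                   "CUI/SP-EXPT/NOFORN"):   # constructed inputs
        print(sample, "->", check_banner(sample) or "OK")
```

A check like this fits in a document template or a mail gateway rule, where a malformed banner is cheaper to catch than after the file has been shared.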
Limited Dissemination Controls (LDCs)
LDCs help control secondary sharing, decontrol, and release without the need to get secondary approval or authorization from the controlling DoD office.
LDCs also help with identifying those who should have an authorization to use CUI.
The Registry lists all LDCs…
“Not releasable to foreign nationals (NOFORN or NF)” is an intelligence control marking used to identify information an originator has determined meets the criteria of Intelligence Community Directive 710 and Intelligence Community Policy Guidance 403.1.
Federal Employees Only (FED ONLY) authorizes only employees of the U.S. Government executive branch agencies or armed forces personnel of the U.S. or Active Guard and reserve.
Federal Employees and Contractors Only (FED CON) authorizes individuals or employees who enter into a contract with the U.S. to perform a specific job, supply labor and materials, or for the sale of products and services, so long as dissemination is in furtherance of the contractual purpose.
No Dissemination to Contractors (NOCON) is for use when dissemination is not permitted to federal contractors but permits dissemination to state, local, or tribal employees.
Dissemination List Controlled (DL ONLY) authorizes dissemination only to those individuals, organizations, or entities included on an accompanying dissemination list.
Authorized for Release to Certain Foreign Nationals Only (REL TO USA, [LIST]) indicates the information is releasable only to the foreign country(ies) or international organization(s) indicated. This marking only applies when law, regulation, or government-wide (or DoD) policy, categorizes information as CUI with an export control or licensing requirement with a foreign disclosure agreement in place.
Display Only (DISPLAY ONLY) authorizes disclosure to a foreign recipient, but without providing them a physical copy for retention to the foreign country(ies) or international organization(s) indicated, through established foreign disclosure procedures and channels.
Attorney-Client (ATTORNEY-CLIENT) prohibits the dissemination of information beyond the attorney, the attorney’s agents, or the client unless the agency’s executive decision-makers decide to disclose the information outside the bounds of its protection.
Attorney Work Product (ATTORNEY-WP) prohibits the dissemination of information beyond the attorney, the attorney’s agents, or the client unless permitted by the overseeing attorney who originated the work product or their successor.
Deliberative Process (DELIBERATIVE) prohibits dissemination of information beyond the department, agency, or U.S. Government decision-maker who is part of the policy deliberation unless the executive decision-makers at the agency decide to disclose the information outside the bounds of its protection.
The absence of an LDC on a document permits anyone with an authorized lawful government purpose to access the document. This doesn’t imply it’s releasable to the public.
Portion Marking
Portion marking is optional but recommended because it indicates which parts of a document are CUI.
Portions include…
Subjects
Titles
Paragraphs and subparagraphs
Bullet points and sub-bullet points
Headings
Pictures
Graphs
Charts
Maps
Reference list
Etc.
Portion markings appear in parentheses before each paragraph of the document.
A "(U)" means that a paragraph contains uncontrolled unclassified information. A "(CUI)" means that a paragraph contains controlled unclassified information.
You can also indicate the categories within the paragraph and any LDCs that apply. Separate these markings in the same way as discussed in the banner.
E.g. CUI//SP-EXPT//NOFORN - indicates CUI Specified (Export Controlled) with a limited dissemination control NOFORN - limiting dissemination to US citizens only.
Paragraphs marked with only “(CUI)” mean they contain Basic information.
If CUI exists in classified documents, its markings will appear in the sections where it exists. It’s important to point out that in this instance, additional markings won’t exist in the header or footer of the document.
Supplemental Administrative Markings
Mark all documents containing CUI, even those in draft form. Administrative markings can identify that the document is a draft but you cannot incorporate administrative markings into the banner. They should be separate from the CUI marking.
Non-Traditional CUI Marking
The following describes alternative methods to satisfy marking or identification requirements.
CUI Cover Sheet
In some instances, it’s more convenient to use a cover sheet, which can replace CUI banner headings.
This is helpful when limited on space at the top of a document or form. Whereas previous markings involved many different types of cover sheets, the CUI program instituted a single standard cover sheet.
If you choose the cover sheet route, the form is fixed. In other words, it must be the CUI EA-approved cover sheet, Standard Form 901.
As a cover sheet, SF 901 goes on the top of a document. It then stays there until the document no longer needs its protection. If the cover page is still in good shape after its initial use, you can reuse it.
Standard Form (SF) 901 replaced forms OF901, OF902 and OF903 on December 14, 2018. Agencies may continue to use Forms OF901, OF902, and OF903 while supplies last.
The cover page will include a CUI designation indicator, as shown below:
The first line must identify the name of the DoD Component who determined that the information is CUI. You may omit this if you are using letterhead or another standard indicator of origination.
The second line must identify the office making the determination.
The third line must identify all types of CUI contained in the document.
The fourth line must contain the distribution statement or the dissemination controls applicable to the document.
The fifth line must contain the phone number or office mailbox for the originating DoD Component or authorized CUI holder.
CUI Labels
SF 902 is a standard size label used to identify and protect electronic media such as hard drives or CD-ROMs, (approximate size 2.125” x 1.25”).
SF 903 is a label used to identify and protect electronic media such as USB drives, (approximate size 2.125” x .625”).
Do not remove either label after applying them.
While it may not be practical to include the full designation of the category of CUI, when possible there must be a clear label of “Controlled” or “CUI” and the designating agency on the outside of these storage devices.
Marking Forms with CUI
Use a CUI banner marking to identify forms filled in with information that qualifies as CUI. If there isn’t enough space you may use a cover sheet instead.
Emailing CUI
Marking CUI in an email is the same as marking CUI in other contexts.
As a best practice, the subject line may also state the email contains CUI. To mark CUI in the subject line of an email, add “[Contains CUI]” at the end of the subject line.
Banner markings must appear above the email text containing CUI.
File names for any attachments containing CUI may also include an indicator that alerts the recipient of the presence of CUI.
E.g. including “[Contains CUI]” in the file name.
Be sure to carry forward all applicable markings when forwarding or responding to emails that contain CUI.
E.g. moving the banner marking back to the top of the email.
Emails can also be portion marked in the same manner as in a document (optional).
Marking Presentations
Mark PowerPoint or Slide presentations if the content contains CUI. The basic rules of marking CUI apply.
Two mandatory components that you must include are...
Designation Indicator
Banner Marking
As with a document containing CUI, add Category Markings if the slides contain Specified.
Marking Transmittal Documents
When sending faxes that contain CUI, the document should contain a transmittal message as an indication.
The document must also have a clear message of either...
“When enclosure is removed, this document is Uncontrolled Unclassified Information” or
“When enclosure is removed, this document is (CUI Category); upon removal, this document does not contain CUI”.
When reproducing or faxing, you may use agency-approved equipment. Agencies may put signs on agency-approved equipment.
Marking Audio/Video/Image Files
There are various ways to mark CUI contained in audio or video files or in photographs. If applicable, include categories, subcategories, and limited dissemination markings.
For digital photographs...
Insert a watermark with the photo with the appropriate markings
Only mark pictures containing CUI within a document if they are removable or in an unmarked section of the document
For photos in the physical form
Label the back of the photo
Place the photo in a marked envelope or folder
If you cannot alter a photo, use tape, frames or envelopes with appropriate markings
For video files...
Include in the opening section of the video a black screen with text stating “This Video Contains Controlled Unclassified Information.”; and
If the video contains CUI Specified, place the appropriate CUI marking below the disclaimer.
Only use this method if permitted by law or government policy
Mark the storage media with the appropriate CUI marking
For audio files...
Include in the opening section a statement that reads “This Recording Contains Controlled Unclassified Information.”; and
Include a reading of the appropriate marking
Mark the storage media with the appropriate marking
Shipping CUI
As a best practice, use in-transit automated tracking to record the progress of your shipment from departure to arrival. Mark the contents of packages but do not place markings on the outside of packages or envelopes.
CUI may be shipped through the following…
Interagency mail systems
United States Postal Service (USPS)
Other commercial delivery services
Conclusion
Marking CUI is the first step towards protecting it.
As organizations prepare for CMMC, taking inventory of the CUI they possess or create is the first step towards scoping the environment that handles this sensitive information.
If you have any further questions regarding how to mark or interpret a CUI, please contact your agency’s CUI program, download the Marking Handbook or visit the Registry website.