CUI Document Marking Requirements and CMMC 2.0

CUI Document Marking Requirements
Photo by Sora Shimazaki

Controlled Unclassified Information (CUI) document marking requirements apply to a wide range of users who access information related to the U.S. government. CUI  is unclassified information that requires safeguards or dissemination controls in accordance with governmental regulations and policies. CUI is categorized into 20 “Organizational Index Groupings” to address sectors such as Defense, Export Control, Legal, and Immigration. Each of these groupings is further divided into 124 specific “CUI Categories”.

CUI designated information can be shared for lawful government purposes only. Each agency can place additional limits on the dissemination of CUI beyond this scope. There are ten classifications of Limited Dissemination Controls, each with its own marking. For example, information designated for federal employees and contractors only is to be marked “FEDCON”.

Department of Defense CUI Marking Requirements

The Department of Defense (DoD) has requirements for the marking of the various types of CUI for government contractors and organizations in the defense industrial base. Information covered under these requirements includes information associated with DoD contracts, work products, and emails. Classified information and information not created by or under the control of the U.S. Government does not qualify as CUI.

The CUI designation replaces the DoD’s legacy For Official Use Only (FOUO) marking as an interagency standardized approach to information controls. CUI categories for defense include:

  • Controlled Technical Information
  • DoD Critical Infrastructure Security Information
  • Naval Nuclear Propulsion Information
  • Unclassified Controlled Nuclear Information – Defense

CMMC Requirements

DoD contractors under Defense Federal Acquisition Regulations (DFAR) 252.204.7021 are now required to achieve Cybersecurity Maturity Model Certification (CMMC) to protect CUI.  The current level, CMMC 2.0 utilizes NIST SP 800-171 to establish minimum requirements and guidelines for this protection.

NIST SP 800-171 requires CUI document marking requirements.  The standard states that visually identifying CUI is a basic tenet of information security so that authorized users understand which handling controls to apply.  Labeling is identified as the use of security attributes for internal system data structures. Labelling is to be applied to digital media and non-digital media such as paper and microfilm. 

CVG Strategy Information Security Management System Consultants

To assist businesses to meet the challenges in adopting CMMC 2.0 standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system.  This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.

We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more. 

Identify Areas With CUI with CVG Strategy Signs

CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.


Kevin Gholston

Share this post