3.8.4 — Mark Your CUI

The One-Liner

If someone picks up a document or USB drive and can’t tell it contains CUI, your markings are failing.

What It Says

Mark media with necessary CUI markings and distribution limitations.

What It Actually Means

All CUI media — paper and digital — must be clearly marked so that anyone handling it knows it contains CUI, what category it falls under, and what distribution limitations apply. Two things are assessed:

1. CUI markings applied. Paper documents: CUI banner marking in the header of every page (e.g., “CUI” or “CUI//SP-CTI”), category designation, and the controlling agency. Digital files: Microsoft 365 sensitivity labels (the modern approach) that apply visual markings and enforce handling rules. Physical media (USB drives, backup tapes, CDs): external labels clearly indicating CUI presence.

2. Distribution limitations applied. Each CUI document or media must indicate who can access it — “Distribution D: Authorized DoD contractors only” or the specific dissemination controls from the NARA CUI Registry for your categories. This tells the recipient how to handle the material.

Follow the NARA CUI Registry and your contract’s CDRLs for the specific CUI categories you handle. Common categories for DIB contractors: Controlled Technical Information (CTI), Export-Controlled (EXPT), and Proprietary Business Information (PROPIN).

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is CUI media marked with applicable CUI markings?	Documents: CUI header on every page. Physical media: external labels. Digital files: sensitivity labels applied
2	Is CUI media marked with distribution limitations?	Distribution statements on documents and media per NARA guidance and contract requirements

---

What to Have Ready on Assessment Day

Documents they’ll review: Media protection policy; CUI marking procedures; sample marked documents; sensitivity label configuration; physical media label examples; system security plan

People they’ll talk to: Personnel with media marking responsibilities; information security personnel; personnel who create CUI documents

Live demos they’ll ask for: “Show me a CUI document — where are the markings?” “Show me a USB drive with CUI — how is it labeled?” “Show me your M365 sensitivity label configuration.” “What CUI categories do you handle?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me a CUI document. Where are the markings?”
• “What CUI categories does your organization handle?”
• “Show me how digital files are marked — sensitivity labels?”
• “Show me a physical media label. Does it include category and distribution?”
• “How do you ensure staff know how to mark CUI correctly?”
• “Are document templates pre-configured with CUI markings?”

Real-World Example

A defense contractor handles CTI (Controlled Technical Information) under their DoD contracts. Microsoft 365 sensitivity labels are configured: a “CUI // CTI” label auto-applies the CUI banner header and footer to Word, Excel, and PowerPoint documents, adds a “DISTRIBUTION D” watermark, and restricts external sharing. Document templates are pre-configured with the CUI banner. Physical USB drives have printed adhesive labels: “CUI // CTI // DISTRIBUTION D — Authorized DoD Contractors Only” with the company name and a unique media ID. Staff are trained on correct marking during annual security awareness training, with a quick-reference card posted in the CUI work area. The assessor reviews: a sample document with correct markings, the sensitivity label configuration in the M365 compliance portal, and a labeled USB drive.

---

Where Companies Trip Up

No markings at all. CUI documents circulating without headers, footers, or sensitivity labels. This is surprisingly common and an easy finding. Use document templates with pre-configured CUI banners and enforce sensitivity labels.

Incorrect categories. CUI marked generically (“CUI”) when specific categories should be used (“CUI//SP-CTI”). Check the NARA CUI Registry and your contract for required categories.

Digital media unmarked. USB drives and tapes without external labels. If it contains CUI, it needs a visible label — even if the data is also encrypted.

No distribution limitations. CUI markings applied but distribution statements missing. Every CUI document needs to state who can access it and under what conditions.

---

How to Talk About This

To a CEO or Board

All CUI is clearly marked — digital files with sensitivity labels, paper with CUI headers and footers, physical media with external labels. Anyone handling our CUI knows exactly what it is and how to treat it.

To an Engineering Team

M365 sensitivity labels: “CUI // CTI” label auto-applies header/footer/watermark and restricts sharing. Document templates pre-configured. Physical media: printed labels with category, distribution, and media ID. Label configuration in M365 Compliance Center. Annual training includes marking procedures. Quick-reference card in CUI work area.

---

Connected Requirements

Requirement	Why it matters here
3.8.1 — Lock Up CUI	Marked media must also be securely stored
3.8.5 — Track Media in Transit	Markings help identify CUI media during transport
3.1.3 — Where CUI Can Flow	Markings support information flow control by making CUI identifiable

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: MP.L2-3.8.4 | SPRS Weight: 1 point | POA&M Eligible: Yes