3.8.4 — Mark Your CUI
What It Says
Mark media with necessary CUI markings and distribution limitations.
What It Actually Means
All CUI media, paper and digital, must be clearly marked so that anyone handling it knows it contains CUI, which category it falls under, and what distribution limitations apply. Two things are assessed:
- CUI markings applied. Paper documents: the CUI banner marking in the header of every page (“CUI” for CUI Basic, or the category-qualified form such as “CUI//SP-CTI” for CUI Specified), plus a designation indicator on the first page naming the controlling agency. Digital files: Microsoft 365 sensitivity labels (the current approach) that apply the visual markings and enforce handling rules. Physical media (USB drives, backup tapes, CDs): external labels that clearly indicate CUI is present.
- Distribution limitations applied. Each CUI document or item of media must state who may receive it: a DoD distribution statement such as Distribution Statement D (Department of Defense and U.S. DoD contractors only) on technical documents, or the limited dissemination controls listed in the NARA CUI Registry for your categories (for example NOFORN). This tells the recipient how the material may be handled and shared.
Follow the NARA CUI Registry and your contract’s CDRLs for the specific CUI categories you handle. Common categories for DIB contractors: Controlled Technical Information (CTI), Export Controlled (EXPT), and General Proprietary Business Information (PROPIN).
ISOO’s standard CUI forms (introduced in ISOO CUI Notice 2019-01, under 32 CFR § 2002.32) back up your markings where your policy calls for them. The SF 901 coversheet identifies CUI, alerts anyone nearby from a distance that the material is controlled, and shields the attached paper from inadvertent disclosure while it’s in use or in transit; it stays attached until the document is secured, decontrolled, or destroyed. The SF 902 (standard size) and SF 903 (USB-drive size) labels identify and protect media — hard drives, CDs, USB sticks. These are risk-based: use them where your organization’s policy decides a coversheet or label is warranted, not on every page or device by default. All three are free downloadable forms in the GSA forms library, and they replace the legacy OF 901/902/903 forms, which have been rescinded.
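The sensitivity-label configuration an assessor will ask to see can be built and checked from Security & Compliance PowerShell. The script below is an added example, not code from the page or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, the account holds a compliance admin role, and the label names, the group address dib-engineering@example.com, the POC mailbox and “Example Agency” are placeholders to replace with your own values.

```powershell
# Added example (not from the original page): create a CUI parent label and a
# CUI Specified sublabel that stamp the banner, designation indicator and
# distribution statement into Office files, publish them with a policy that
# makes labeling mandatory, then audit for labels without a header marking.
# Placeholders (hypothetical): Example Agency, cui-sme@example.com,
# dib-engineering@example.com.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

# 1. Parent label: CUI Basic banner in the header, designation indicator in the footer.
New-Label -Name "CUI" -DisplayName "CUI" `
  -Tooltip "Controlled Unclassified Information (CUI Basic). Handle per the media protection policy." `
  -ContentType "File, Email" `
  -ApplyContentMarkingHeaderEnabled $true `
  -ApplyContentMarkingHeaderText "CUI" `
  -ApplyContentMarkingHeaderAlignment Center `
  -ApplyContentMarkingHeaderFontSize 12 `
  -ApplyContentMarkingFooterEnabled $true `
  -ApplyContentMarkingFooterText "Controlled by: Example Agency // POC: cui-sme@example.com"

# 2. Sublabel for CUI Specified CTI: category in the banner, distribution
#    statement in the footer, encryption limited to the engineering group.
New-Label -Name "CUI-SP-CTI" -DisplayName "CUI//SP-CTI" -ParentId "CUI" `
  -Tooltip "Controlled Technical Information (CUI Specified). Distribution Statement D." `
  -ContentType "File, Email" `
  -ApplyContentMarkingHeaderEnabled $true `
  -ApplyContentMarkingHeaderText "CUI//SP-CTI" `
  -ApplyContentMarkingHeaderAlignment Center `
  -ApplyContentMarkingHeaderFontSize 12 `
  -ApplyContentMarkingFooterEnabled $true `
  -ApplyContentMarkingFooterText "Controlled by: Example Agency // Distribution Statement D: DoD and U.S. DoD contractors only" `
  -EncryptionEnabled $true `
  -EncryptionProtectionType Template `
  -EncryptionRightsDefinitions "dib-engineering@example.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
  -EncryptionOfflineAccessDays 7 `
  -EncryptionContentExpiredOnDateInDaysOrNever Never

# 3. Policy: publish both labels everywhere, require a label on every file and
#    mail, and require a justification when a user lowers or removes a label.
New-LabelPolicy -Name "CUI-Marking-Policy" `
  -Labels "CUI","CUI-SP-CTI" `
  -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
  -Settings @{ mandatory = "true"; requiredowngradejustification = "true" }

# 4. Evidence check for assessment day: any label that does not stamp a header
#    is an "unmarked CUI document" finding waiting to happen. Empty output is the goal.
Get-Label |
  Where-Object { -not $_.ApplyContentMarkingHeaderEnabled } |
  Select-Object Name, DisplayName, ApplyContentMarkingHeaderText, EncryptionEnabled |
  Format-Table -AutoSize
```

Keep the output of step 4 (and `Get-LabelPolicy -Identity "CUI-Marking-Policy" | Format-List`) with your assessment evidence; together with a screenshot of a labeled document’s header they answer the “show me your M365 sensitivity label configuration” request directly. Note that the content marking is applied by Office clients when the label is chosen or enforced, so a file created outside Office, or before the policy was published, still needs a manual check.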
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is CUI media marked with applicable CUI markings? | Documents: CUI header on every page. Physical media: external labels. Digital files: sensitivity labels applied |
| 2 | Is CUI media marked with distribution limitations? | Distribution statements on documents and media per NARA guidance and contract requirements |
What to Have Ready on Assessment Day
Documents they’ll review: Media protection policy; CUI marking procedures; sample marked documents; sensitivity label configuration; physical media label examples; system security plan
People they’ll talk to: Personnel with media marking responsibilities; information security personnel; personnel who create CUI documents
Live demos they’ll ask for: “Show me a CUI document — where are the markings?” “Show me a USB drive with CUI — how is it labeled?” “Show me your M365 sensitivity label configuration.” “What CUI categories do you handle?”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Show me a CUI document. Where are the markings?”
- “What CUI categories does your organization handle?”
- “Show me how digital files are marked — sensitivity labels?”
- “Show me a physical media label. Does it include category and distribution?”
- “How do you ensure staff know how to mark CUI correctly?”
- “Are document templates pre-configured with CUI markings?”
Where Companies Trip Up
No markings at all. CUI documents circulating without headers, footers, or sensitivity labels. This is surprisingly common and an easy finding. Use document templates with pre-configured CUI banners and enforce sensitivity labels.
Incorrect categories. CUI marked with the bare banner (“CUI”) when the category marking is required, as it is for every CUI Specified category (“CUI//SP-CTI”, “CUI//SP-EXPT”). Check the NARA CUI Registry and your contract for the categories and markings that apply.
Physical media unmarked. USB drives and tapes without external labels. If it contains CUI, it needs a visible label, even when the data on it is also encrypted; encryption protects the contents, the label tells the handler what they are holding.
No distribution limitations. CUI markings applied but distribution statements missing. Every CUI document needs to state who can access it and under what conditions.
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.8.1 — Lock Up CUI | Marked media must also be securely stored |
| 3.8.5 — Track Media in Transit | Markings help identify CUI media during transport |
| 3.1.3 — Where CUI Can Flow | Markings support information flow control by making CUI identifiable |