CMMC Level 2 · MP.L2-3.8.4 · Last verified
CMMC CUI Marking Requirement: What to Mark, How, and What Assessors Check
The CMMC CUI marking requirement is MP.L2-3.8.4: media containing Controlled Unclassified Information (CUI) must carry the applicable CUI markings and any distribution limitations. But CMMC doesn’t invent a single banner format — it checks that you applied the marking rules that already exist in 32 CFR Part 2002 and DoD Instruction 5200.48. For a DoD document, that baseline is the word CUI at the top and bottom of the first page and a CUI designation indicator block on the first or title page. What the assessor scores is whether the applicable markings are present and whether applicable distribution limitations are present. Those are two separate objectives — one for the marking content, one for the restriction notation — and both must be MET.
Here’s the part the competing guides we audited for this page don’t consistently separate — and the reason your team keeps arguing about it: the governing law, regulation, or policy defines what canbe CUI, and the designating agency designates or approves it. You mark the CUI you create in performance when the contract and governing authority give you that basis, and you preserve applicable markings on what you receive. What you can’t do is put CUIon unmarked or legacy documents without a CUI Registry authority, invent a distribution restriction, or strip a marking you think is wrong. And “we mark everything CUI just in case” is not a defense-in-depth strategy — it’s a governance problem that distorts your CUI footprint and your assessment scope.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
Marking at a glance
| The question you actually have | The bottom line |
|---|---|
| Is CUI marking assessed at CMMC Level 2? | Yes. MP.L2-3.8.4 checks two things: applicable CUI markings, and distribution limitations. |
| Does CMMC create the marking format? | No. 32 CFR Part 2002, the CUI Registry, DoDI 5200.48, your contract, and program instructions supply the format. |
| What's the DoD document baseline? | CUI in the banner (top and bottom of page 1) plus a designation indicator block on the first page. |
| Does every single page need 'CUI'? | Not as a flat rule. Current DoD guidance lets a genuinely non-CUI interior page be marked UNCLASSIFIED; some DoD training aids still say every page. We show both below. |
| Are portion markings required? | Optional but encouraged on an unclassified document; if you mark one portion you mark them all. Required when CUI is mixed with classified. |
| The mistake to stop first? | Marking every defense-related file 'CUI' just in case — or inventing a category or distribution statement you were never given. |
This page is for you if…
- Implementing CMMC Level 2 or Level 3 media marking
- Handling DoD CUI and need artifact-specific instructions
- Building evidence for MP.L2-3.8.4
- A prime sent you something unmarked and called it CUI
- Preparing templates for Word, email, CAD, spreadsheets, USB drives, or source code
Read something else if…
- Deciding which CMMC level your contract requires → Levels guide
- Need encryption or secure email transport → CUI email encryption for CMMC
- Handling classified information → contact your FSO
- Need legal advice on export controls or False Claims Act exposure → qualified federal-contracts attorney
What we actually verified for this page
We don’t ask you to take our word for any of it. Here’s what we read and cross-checked on , and what each source supports.
| Source we checked | What it supports |
|---|---|
| 32 CFR § 2002.20 (eCFR) | The government-wide marking rules: banner, designation indicator, packages, transmittals, working papers, the "each page that includes CUI" rule, alternate marking, and the concealment prohibition |
| 32 CFR § 2002.50 (eCFR) | How an authorized holder challenges suspected unmarked or improperly marked CUI, and the duty to keep protecting it while the challenge is resolved |
| CMMC Level 2 Assessment Guide, v2.13 (DoD CIO) | MP.L2-3.8.4's two assessment objectives; the examine / interview / test methods; the official USB-drive example |
| 32 CFR § 170.14 (eCFR) | CMMC Level 2 is assessed against NIST SP 800-171 Revision 2 — not Revision 3 — under the current rule; Level 3 incorporates the Feb 2021 edition of NIST SP 800-172 |
| 32 CFR § 170.21 and § 170.24 | POA&M scoring rules and the requirement that assessment evidence be final, not draft |
| DoD CUI Program — Banner Line & DI Block | Current DoD presentation rules, including the interior-page UNCLASSIFIED allowance and the "category/LDC go in the DI block, not the banner" instruction |
| DoD CUI Program — Email & FOUO FAQ | Body-vs-attachment email rules; FOUO is no longer valid and doesn't convert to CUI one-for-one |
| DFARS 252.204-7012 and 252.204-7021 | Covered-defense-information safeguarding duties; the CMMC clause tying eligibility to your CMMC Status and flow-down to subcontractors |
| DoD CIO — CMMC program page | Phase 1 dates and the current rollout emphasis |
What is the CMMC CUI marking requirement?
The CMMC CUI marking requirement is MP.L2-3.8.4, which requires media containing CUI to carry applicable CUI markings and distribution limitations. The official CMMC Level 2 Assessment Guide breaks that into two objectives: whether applicable CUI markings are present, and whether applicable distribution limitations are present. “Media” means both digital and non-digital — paper, drives, discs, and files alike.
The short requirement text reads: “Mark media with necessary CUI markings and distribution limitations.” That’s NIST SP 800-171 Revision 2 requirement 3.8.4, carried forward as practice MP.L2-3.8.4.
The two assessment objectives are worth memorizing, because they are exactly what an assessor scores:
| Objective | What it means |
|---|---|
| [a] | Media containing CUI is marked with applicable CUI markings. |
| [b] | Media containing CUI is marked with distribution limitations. |
Both must be satisfied for the requirement to be scored MET. Note the word doing all the work: applicable. There is no single string that goes on every artifact. What’s “applicable” depends on the CUI category, the governing authority, any special control or warning it requires, the applicable Limited Dissemination Control (LDC) or distribution statement, the artifact type, and any contract or program instruction.
Which CMMC levels this touches
MP.L2-3.8.4 is a Level 2 requirement. Level 3 includes the full Level 2 foundation plus 24 selected requirements from NIST SP 800-172 (the February 2021 edition incorporated by 32 CFR § 170.14), so marking rides along at Level 3 too. Level 1 covers Federal Contract Information (FCI) only and does not assess MP.L2-3.8.4.
Planning note for Level 3 teams
NIST finalized SP 800-172 Revision 3 in May 2026 and withdrew the February 2021 edition in its own catalog. That later edition is real, but it is notthe current CMMC Level 3 baseline unless and until DoD amends the CMMC rule. Build to the edition the rule incorporates, not the newest one on NIST’s site.
One more caution: “we only need Level 1” is not a marking strategy. If marked CUI is landing in your inbox, the honest question isn’t your marking template — it’s whether you’re actually in Level 2 territory. Our CMMC Level 1 vs Level 2 guide is the right next read before you build a single template.
Does CMMC actually tell you how to mark CUI?
No. CMMC tells the assessor what outcome to check. The marking format comes from 32 CFR Part 2002, the CUI Registry, DoDI 5200.48, applicable law, your contract, and program-specific instructions. For a private contractor, 32 CFR Part 2002 generally reaches you through your agreement with the government — the contract — rather than applying to your company directly in every situation.
The cleanest way to hold it is three separate decisions, each with a different authority:
| The decision | The question | Who answers it |
|---|---|---|
| Designation | Does this specific information qualify as CUI? | Governing law/regulation/policy, the CUI Registry, the designating agency, your contract or program instructions |
| Marking | How should this artifact show its CUI status? | 32 CFR § 2002.20, DoDI 5200.48 and component guidance, contract/program instructions |
| CMMC evidence | Can you prove the marking process runs consistently? | MP.L2-3.8.4, the Assessment Guide, 32 CFR Part 170 |
Get those three straight and most of your team’s disagreements evaporate. The engineer arguing about a banner and the compliance lead arguing about a category are answering two different questions with two different authorities.
Who is responsible for marking CUI — the government or the contractor?
The designating agency designates or approves the designation of specific information as CUI. An authorized contractor may create and mark CUI when the contract, program direction, CUI Registry, and governing authority supply that basis. Suspected unmarked CUI should be protected and escalated through the agency or program process — not redesignated by house rule.
Under 32 CFR § 2002.20(a)(4), the designating agencydetermines that information qualifies as CUI and applies the marking when it designates it. And under § 2002.20(a)(6), no one may mark information as CUI to conceal illegality, negligence, or embarrassment, or for any purpose other than to follow the law authorizing the control. Over-marking isn’t a safe habit — Part 2002 treats marking information as CUI when it doesn’t qualify as potential misuse.
Government-provided information
Follow the markings and program instructions you were given. Preserve applicable markings on copies and on new artifacts that still contain the controlled information — but don’t assume every derivative automatically stays CUI. If something looks obviously inconsistent, escalate; don’t quietly “fix” it.
Contractor-created information
You can create information for or on behalf ofthe government that qualifies as CUI, and as an authorized holder you may mark the documents you create. But the category and the handling basis have to trace back to a real authority — law, regulation, government-wide policy, the contract, a CDRL, program direction, or the originator’s instruction. Your own proprietary business information does notbecome federal CUI just because it relates to a defense customer. Mark proprietary information as proprietary. Reserve “CUI” for information that actually qualifies.
Derivative information — the question that never dies
Contractors debate this constantly: does a work order, traveler, bill of materials, inspection record, or a drawing derived from government CUI retain the marking? There is no safe blanket answer in either direction. Run the decision instead of guessing:
- What exact source information was reused, restated, transformed, or embedded?
- Was the new artifact created for or on behalf of the government?
- What contract, CDRL, program guide, category authority, or originator instruction applies?
- Does the new artifact independently disclose the protected information?
- Is written clarification available from the prime or program office?
- If it’s genuinely unresolved: what temporary protection and escalation applies while you get an answer?
What must appear on a DoD CUI document?
For current DoD use, a document containing CUI carries CUIas the control marking (banner top and bottom of the first page) and a CUI designation indicator block on the first or title page. The designation indicator identifies the controlling organization, the CUI category, an applicable distribution statement or LDC, and a point of contact — and those conditional fields must come from an authority, not employee guesswork.
The control marking
For DoD, the banner marking is the acronym CUI. The government-wide rule allows an agency to use either the word CONTROLLED or the acronym CUI (§ 2002.20(b)(1)) — but current DoD guidance uses CUI, so a DoD contractor should use CUI unless a controlling instruction says otherwise.
Things not to do
- Don’t use
U//CUI. Current DoD training says that string is not a valid marking. - Don’t add the CUI category or the LDC to the banner. Per DoD’s own Banner Line guidance, that information belongs in the designation indicator block, not the banner.
- Don’t rely on a vague “this document may contain CUI” disclaimer. It doesn’t identify whether the document actually contains CUI.
The designation indicator block
Every document containing CUI carries an indicator of who designated it. Under § 2002.20(d), it must identify the designating agency at a minimum, must be readily apparent, and may appear only on the first page or cover. A fictional example:
Controlled by: Example Defense Manufacturing / Engineering CUI Category: CTI Distribution Statement: B POC: Jane Example, 555-0100
Mandatory, conditional, and optional — at a glance
| Element | Status for DoD documents | The condition that matters |
|---|---|---|
| CUI control marking | Required | Use the current DoD format (CUI). |
| Designation indicator block | Required on first/title page | Populate with accurate source information. |
| CUI category | Required in the DoD DI block | Use an authorized category. Do NOT place the category in the banner line of an unclassified DoD document — current DoD guidance keeps categories and LDCs in the DI block. Apply any separate warning or handling instruction the governing CUI Specified authority requires. |
| Distribution statement | Conditional | Use only when it actually applies. |
| Limited Dissemination Control (LDC) | Conditional | Use an applicable LDC or a distribution statement — not both on the same document. |
| Warning statement | Conditional | Use when the governing authority requires it. |
| Portion marking | Optional / encouraged (unclassified doc) | If used, mark all portions. |
| Filename indicator | Optional internal control | Not a universal DoD requirement. |
| Subject-line indicator | Optional internal control | Not identified as a universal requirement on DoD's email page. |
Source conflict worth knowing
32 CFR § 2002.20 establishes the government-wide banner model, which includes category markings in the banner for CUI Specified. Current DoD guidance for unclassified DoD documents uses CUIalone in the banner and moves the category and LDC to the designation indicator block. For a DoD artifact, follow current DoD, component, contract, and program instructions. This is a distinct difference — not the same as the interior-page question below.
Does every page need a CUI marking, and are portion markings required?
Don’t treat “CUI must appear on every page” as a flat universal rule. The government-wide regulation requires the banner content to be the same on each page that includes CUI, and current DoD guidance lets a genuinely non-CUI interior page be marked UNCLASSIFIED. Some recent DoD training aids still teach CUIat the top and bottom of every page. Either can be defensible; the method just can’t conflict with a controlling instruction, and you have to apply it consistently.
Why different guides give you different answers
| Source | What it says |
|---|---|
| 32 CFR § 2002.20(c)(1) | The banner content must apply to the whole document and be the same on each page of the document that includes CUI. |
| DoD CUI Program — Banner Line (current) | CUI at the top and bottom of the first page or cover; interior pages or slides may be marked "CUI" or "UNCLASSIFIED" if they contain no CUI. |
| DoD marking training aids (2024–2025) | Instruct placing CUI at the top and bottom of each page. |
Notice the regulation and the current DoD web page actually agree: the banner is required on each page that includes CUI, and a page with no CUI can say UNCLASSIFIED. The friction comes from older training aids that give the simpler “every page” instruction.
The two defensible models
Model 1 — Conservative whole-document marking
Mark all pages CUI. Simplest for templates and printing. Reduces the chance of accidental under-marking. Tradeoff: a non-CUI page pulled out and shared separately stays over-marked until someone fixes it.
Model 2 — Page-specific marking
First/title page reflects the document’s overall CUI status; interior pages containing CUI show CUI; interior pages with no CUI may show UNCLASSIFIED. Matches current DoD web guidance and the regulation, but demands more document discipline.
The Defense Compliance Report editorial conclusion: Pick the model that fits your controlling contract or component instruction, write down the source basis for your choice, configure your templates to match, and spot-check that employees apply it consistently. What you should not do is silently decide one official source overrides another without documenting why. A documented, consistently applied method gives the assessor evidence to examine.
Portion marking
For a wholly unclassified DoD document, portion marking is optional but strongly encouraged under current DoD guidance; 32 CFR § 2002.20(f) governs how optional portion markings are used. The rules:
- CUI portions are marked
(CUI); uncontrolled portions are marked(U). - If you mark one portion, you mark all portions — including titles, headings, and bullets.
- Do not portion-mark the designation indicator block.
- Portion marking becomes mandatory when CUI is commingled with classified information (§ 2002.20(g)) — and a classified document is a security-office matter, not a do-it-yourself template exercise.
What are the CMMC CUI marking requirements by file and media type?
MP.L2-3.8.4 is one requirement, but its implementation changes with the artifact. A Word document, an attachment-only email, a technical drawing, a spreadsheet, a USB drive, a shipping package, and a source-code repository each require a different action — which is exactly why a single banner screenshot can’t satisfy this search.
| Artifact or situation | What to do | What’s conditional or unresolved | Evidence to prepare (DCR readiness guidance) |
|---|---|---|---|
| Word / PDF containing CUI | CUI top and bottom of the first/title page; designation indicator block on the first page; mark interior pages per your documented method | Category, LDC, distribution statement, and warning language depend on the controlling authority | Approved template, completed samples, marking procedure, template-version record |
| Multi-page doc with non-CUI interior pages | Choose and document Model 1 (whole-document) or Model 2 (page-specific UNCLASSIFIED interiors) per § 2002.20(c) and DoD Banner Line | DoD web guidance and older training aids differ; follow controlling instructions | Approved procedure citing your source hierarchy; samples proving consistent application |
| Slide deck | CUI at the top and bottom of each slide containing CUI; DI block on the first/title slide; an interior slide with no CUI may be CUI or UNCLASSIFIED under current DoD guidance | Portion marking optional for an unclassified deck unless another authority requires it | Approved template; sampled decks |
| Spreadsheet | Make the CUI marking conspicuous in normal view and in printed/PDF output; place the designation indicator where it's readily apparent | The format needs a different placement mechanism than Word — don't hide the marking outside normal view or print output | Approved workbook template; printed/PDF test; sampled worksheets |
| Email body contains CUI | CUI as the first and last line of the body; include a DI block | Encryption and transmission are separate controls from marking | Approved email template; sanitized sample; transmission procedure |
| Email — unclassified body, CUI attachment only | CUI first and last line; add a removal statement; mark the attachment itself; no DI block required in the email body | Internal policy may add a subject label; DoD's page doesn't require one | Approved transmittal template; sampled sent message |
| Technical drawing / spec / other CTI | CUI top and bottom; DI block wherever it stays visible; reproduce only the distribution statement or restriction the controlling authority supplied | Do NOT guess which distribution statement applies just because it's a drawing | Marked samples; source instruction; CDRL/contract record; escalation correspondence |
| Contractor-created traveler, BOM, work order, derivative drawing | Determine whether the new artifact itself contains or restates qualifying CUI; if it does, mark it per the applicable rule | No safe blanket rule that every derivative is (or isn't) CUI | Documented decision criteria; program guidance; samples; unresolved-question log |
| Printed hardcopy | Preserve all visible document markings. When DoD CUI is hand-carried outside the office, place in an opaque envelope with SF 901 on top; at a desk, the cover sheet is optional | A cover sheet does not replace the markings on the document itself | Printed sample; physical-handling procedure; inspection record |
| USB / removable digital media | Apply a readable CUI label and applicable distribution limitation when practicable; when the device's nature or size makes individual marking impractical, use an authorized alternate method | Ownership info may help but is not a substitute for the CUI marking | Labeled sample; removable-media inventory; alternate-marking procedure; process test |
| Working paper / draft / completed form with CUI | Mark it the way the finished product containing that CUI would be marked (§ 2002.20(k)) | "Draft" is an administrative label — it does not replace CUI markings | Marked sample; working-paper procedure; final template |
| Package or envelope containing CUI | Address to a specific recipient; put the markings and instructions on the internal transmittal or enclosed materials (§ 2002.20(i)) | Do NOT put a CUI marking on the outside or otherwise reveal externally that CUI is enclosed | Shipping procedure; fictional training example; shipment inspection record |
| Transmittal document accompanying CUI | CUI on its face, plus a removal statement (e.g., "When enclosure is removed, this document is Uncontrolled Unclassified Information") (§ 2002.20(j)) | The enclosed artifact still needs its own correct marking | Approved transmittal template; sample |
| Incoming — looks like CUI but is unmarked | Protect it per your intake procedure, log the issue, and seek clarification or a corrected copy from the disseminating/designating entity (§ 2002.50) | Lack of a marking does NOT automatically make it uncontrolled; don't casually redesignate it | Intake ticket; correspondence; quarantine/handling record; resolution log |
| Incoming — marked incorrectly | Notify the disseminating agency and request a corrected document (§ 2002.50). Don't silently fix the sender's file | Keep safeguarding while it's resolved; log the correction path | Correction request; response; replacement copy; issue log |
| Legacy FOUO / SBU / other old marking | Determine whether the information currently qualifies as CUI under the CUI Registry and applicable authority | FOUO is invalid for current DoD use and does not convert automatically to CUI | Review record; controlling-authority response; new marked version where needed |
| Classified document containing CUI portions | Apply classified-document rules and portion-mark all CUI so it's distinguishable (§ 2002.20(g)) | Route to your FSO or qualified security authority — not a template exercise | Approved classified-marking procedure; qualified review |
| Source code / repository containing CUI | Determine whether the code, embedded data, documentation, or combination qualifies; use approved program direction or a documented alternate-marking method when per-file marking is impractical | No universal source-code comment-header syntax was found in the primary sources verified for this page as of July 11, 2026 — don't call one "the CMMC-required format" | Repository notice; access banner; documented alternate method; code sample without CUI; decision record; process test |
| Large database / repository / controlled area where individual marking is impractical | Use an authorized alternate method: access agreement, digital splash screen, container label, or controlled-area sign (§ 2002.20(a)(8)) | The alternate method must make CUI status readily apparent — it's not permission to leave the status invisible | Screenshot; access agreement; area sign; procedure; user test |
Two anchors under this table, straight from the sources. For removable media, the CMMC Assessment Guide says hardcopy and digital media must be properly marked and gives an official USB example: a project team labels the outside of each drive with an appropriate CUI label following NARA guidance, and the label notes that distribution is limited to employees supporting the DoD program. And on alternate marking, § 2002.20(a)(8) permits a “readily apparent” alternate method — user access agreements, a computer splash screen, or signs on storage areas or containers — when individual marking is impractical or a limited marking waiver applies.
You’ve now seen that the answer genuinely depends on the artifact in front of you. That’s the moment a checklist stops helping and a decision aid starts. If you’re not sure whether your situation needs an RPO, an MSSP, a GRC platform, or a CUI enclave to get this and the other 109 requirements done, that’s exactly what the path tool sorts out.
How do you mark a CUI email?
When the email body contains CUI, current DoD guidance calls for CUIas the first and last line of the body plus a designation indicator block. When the body is unclassified and only the attachment contains CUI, the email still gets first/last-line markings and a removal statement — but no DI block in the email itself — and the attachment must be marked correctly on its own. (Source: DoD email marking guidance, verified .)
| Question | Body contains CUI | Attachment-only contains CUI |
|---|---|---|
| First and last line of the body | CUI | CUI |
| DI block in the email body | Required | Not required |
| Removal statement | Not applicable | Required (e.g., "This email is unclassified when the CUI attachment is removed") |
| Attachment marking | The attachment is marked on its own | The attachment is marked on its own |
| Subject-line CUI | Not a universal DoD requirement | Not a universal DoD requirement |
Body contains CUI — fictional example:
CUI [Fictional email body] Controlled by: Example Company / Program Office CUI Category: [Applicable category] LDC or Distribution Statement: [Applicable entry] POC: [Name and contact] CUI
Body is unclassified; attachment contains CUI — fictional example:
CUI Please see the attached document. This email is unclassified when the CUI attachment is removed. CUI
What not to do
- Don’t rely on “may contain CUI”.
- Don’t leave the attachment unmarked (a correctly marked email with an unmarked CUI attachment is not compliant).
- Don’t assume
CUIin the subject line encrypts or protects anything. - Don’t treat marking and transmission as the same requirement.
Marking tells an authorized holder whatthey’re looking at. It does nothing to secure the message in transit. If your real question is encryption and secure delivery, read CUI email encryption for CMMC, which owns that topic.
How do distribution statements and limited dissemination controls change the marking?
A DoD distribution statement and a CUI limited dissemination control (LDC) are not interchangeable labels for the same thing. Current DoD guidance says to use the applicable distribution statement or LDC — not both on the same document — and the absence of an LDC does not authorize public release. (Source: DoD DI Block guidance.)
An LDClimits or specifies who may receive CUI. It must come from authorized criteria — you don’t add one just because you’d prefer tighter control. Critically: no LDC does not mean the document is public.
A distribution statement commonly appears on controlled technical, export-controlled, and other qualifying scientific/technical information, governed by DoDI 5230.24. It must be reproduced exactly as supplied. Current DoD guidance says the full distribution statement is written out on the first page and its letter is annotated in the designation indicator block.
| Question | LDC | DoD distribution statement |
|---|---|---|
| Main purpose | Controls/specifies dissemination | Controls distribution of qualifying technical information |
| Source | CUI Program / agency policy | DoDI 5230.24 and the controlling authority |
| Can an employee invent it? | No | No |
| Does its absence mean public release? | No | No |
| Where identified | DI block when applicable | Full first-page statement plus DI-block notation |
If an incoming restriction looks wrong, preserve the source artifact, request clarification, don’t silently swap one restriction for another, and record how you resolved it. That record is assessment evidence.
What should you do with unmarked, incorrectly marked, or legacy CUI?
Missing CUI markings do not erase your handling obligations, and improperly marked or unmarked information should be challenged back to the disseminating agency. Legacy labels like FOUO are not automatically CUI — the information must be evaluated against current authority before it’s reused or shared outside DoD.
Incoming unmarked information
Under 32 CFR § 2002.20(a)(7), lack of a marking on information that qualifies as CUI does not exempt an authorized holder from the handling requirements. And under § 2002.50, an authorized holder that believes CUI is unmarked or improperly marked should notify the disseminating agency — and keeps protecting the information while the challenge is resolved. The steps:
- Don’t distribute it casually.
- Put it in your documented review path.
- Identify the source contract/program and the possible category.
- Notify the disseminating agency. When received through a prime, follow the contract or program escalation path.
- Record the answer.
- Replace or correct the artifact where appropriate.
- Keep the record as assessment evidence.
Incorrectly marked information
Notify the disseminating agency and request a corrected document (§ 2002.50). Don’t silently fix the sender’s file. Keep safeguarding the challenged information at the indicated level while it’s resolved, and log the correction path.
Over-marked information
Treat obvious over-marking as a governance problem, not a habit to copy. Request clarification rather than stripping controls. Indiscriminate marking expands operational friction, erodes trust in the markings that matter, and can distort the CUI footprint you assert.
Legacy FOUO and SBU
FOUO is not a valid current DoD marking, and there is no automatic FOUO-to-CUI conversion. Evaluate the information against current CUI authority, not the old label. One nuance worth knowing: previously marked FOUO material does not have to be re-marked while it remains under DoD control or is downloaded for use within DoD. But if the information is reused in a new document or shared outside DoD, assess it against the CUI Registry and mark it appropriately if it qualifies. (Source: DoD FOUO FAQ.)
Log every unmarked or mismarked item — the paper trail becomes your assessment evidence
Download the CMMC Readiness Checklist →What will a CMMC assessor look for under MP.L2-3.8.4?
The Assessment Guide lets the assessor examine your policies, procedures, SSP, marking attributes, controlled-area records, and samples; interview the people responsible for marking; and test the process or mechanism you use to apply markings. A polished template with no consistent samples, no knowledgeable staff, and no working process is not enough.
The damaging admission: MP.L2-3.8.4 is worth one point out of 110. You can mark every document flawlessly and still fail a Level 2 assessment badly. This control will not save an unready environment.
But that one point matters more than its weight suggests. When you already know your designation basis and where CUI flows, marking is a comparatively bounded task — controlled templates, an approved procedure, role-based training, and testing. And inconsistent markings can prompt broader questions about whether the organization understands its CUI inventory and data flows. Marking is the thread; scope is the sweater.
If reading this makes you suspect your real problem is bigger than marking — that you’re not actually sure what’s in scope — good instinct. Don’t force a marking fix onto a scoping problem. Start with the CMMC scoping guide instead.
Evidence for objective [a] — applicable CUI markings
Approved media-marking policy; artifact-specific procedure; current Word, PowerPoint, spreadsheet, and email templates; samples across your actual artifact types; removable-media examples; unmarked-intake log; template change control; training and acknowledgment records; test results.
Evidence for objective [b] — distribution limitations
Distribution-statement source records; the LDC decision authority; DI-block examples; the technical-data procedure; contract/CDRL/program references; escalation records; samples proving restrictions are reproduced accurately.
How the three methods actually play out
| Method | What the official method can cover | What you prepare | Failure condition to test |
|---|---|---|---|
| Examine | Examines selected policies, procedures, the SSP, marking attributes, controlled-area records, and other relevant objects | Final approved procedure, template library, sample index, exception log | Only a draft policy exists |
| Interview | Interviews personnel responsible for media protection, media marking, or information security | Role-specific interview prep; trained artifact creators | Only the consultant understands the process |
| Test | Tests the organizational marking process or supporting mechanism | Demonstrate creating a properly marked document/email and handling an unmarked intake | Template exists but users don't follow it |
One rule that trips people at the finish line: under 32 CFR § 170.24 and the Assessment Guide, evidence must be final— drafts, working papers, and unofficial or unapproved policies don’t count. Approve and deploy your documentation before the assessment, not during it.
See where 3.8.4 sits among the other 109 requirements
Get the CMMC Readiness Checklist →Can MP.L2-3.8.4 be placed on a CMMC Level 2 POA&M?
Generally yes, under the current rule. MP.L2-3.8.4 is a one-point requirement and is not on the Level 2 list of practices barred from a Plan of Action and Milestones (POA&M), so it can be included when all Conditional-status conditions are met. You still have to hit the minimum score ratio, document the NOT MET requirement, and close the POA&M within 180 days. A POA&M is not a substitute for implementation.
Why it’s one point: MP.L2-3.8.4 is a derived requirement that isn’t on the five-point or three-point lists, so under 32 CFR § 170.24 it carries one point.
Conditions for Conditional Level 2 (32 CFR § 170.21):
- Assessment score divided by 110 must be at least 0.8 (at least 88 of 110).
- No POA&M item may exceed one point, with the rule’s narrow FIPS-encryption exception.
- None of the named prohibited requirements may be on the POA&M.
- Closeout must occur within 180 days.
- For a certification assessment, the closeout must be performed by an authorized/accredited C3PAO.
Closeout evidence should show the final approved procedure, deployed templates or mechanisms, corrected artifact samples, completed training, interview-ready staff, a successful process test, closure of internal tickets, and an updated SSP description.
The honest warning: one point does not make this optional. It only affects scoring and Conditional-status eligibility. Leave it NOT MET at the deadline and your Conditional status expires.
How do you build a repeatable marking process without marking everything?
A defensible marking program starts with your contracts, categories, CUI flows, and source instructions — not a label purchase or a Word template. You translate those authorities into artifact-specific procedures, train the people who create and transmit CUI, sample your actual media, and keep evidence that the process keeps running.
- Map the authority. Record the contract and subcontract, applicable clauses, program, government/prime contact, CUI category, distribution statement or LDC, program guide or CDRL, source artifact, and your required CMMC level and assessment status.
- Map where CUI is created and reused. Incoming portal, email, file shares, CAD, ERP/MRP, shop-floor travelers, quality records, source repositories, printed documents, removable media, external collaboration.
- Define rules by artifact.Use the artifact matrix above to write your internal procedure — one row per artifact you actually produce.
- Build controlled templates and mechanisms. Word, PowerPoint, spreadsheet, email, technical drawing, transmittal, working paper, USB label, and an alternate repository or controlled-area marking.
- Assign roles (RACI). Who identifies the program/category basis? Who creates markings? Who approves templates? Who answers ambiguous cases? Who samples? Who maintains evidence? Who talks to the prime or program POC?
- Train by role, not one generic deck. Engineering on drawings and derivative data; quality on inspection records and travelers; program management on source instructions and escalation; IT on repositories and alternate marking; everyone on email and hardcopy; security/compliance on evidence and sampling.
- Sample and correct.Use a cadence your organization can defend. We recommend quarterly or risk-triggered sampling against your actual artifact set — checking applicable markings, distribution limitations, artifact format, template version, employee understanding, unmarked-intake handling, and corrective action. That recurring check is itself evidence of an operating control. (MP.L2-3.8.4 itself does not prescribe a quarterly frequency.)
What CUI marking mistakes create CMMC assessment risk?
The costly marking failures usually aren’t font or alignment problems. They’re failures to establish the designation basis, reproduce applicable distribution limitations, cover every artifact type you actually use, train the responsible people, and prove with final evidence that the documented process runs consistently.
| Mistake | Why it matters | The fix |
|---|---|---|
| Marking every defense-related file "CUI" | Confuses contract relevance with CUI status; expands handling and can distort your asserted CUI footprint | Require an authority/category basis and an escalation path |
| Using CONTROLLED in a DoD template | Doesn't follow current DoD-specific guidance | Use CUI |
| Using U//CUI | DoD training says it's not valid | Use the authorized DoD control marking |
| Putting the category or LDC in the banner | DoD guidance puts that in the DI block | Keep the banner as CUI; populate the DI block |
| Missing the DI block | Removes designation, category, restriction, and POC context | Put it on the first/title page |
| Inventing a distribution statement | Creates an unsupported restriction | Obtain it from the controlling authority |
| Using both an LDC and a distribution statement | Conflicts with current DoD DI guidance | Use the applicable entry; request clarification where sources conflict |
| Relying on "may contain CUI" | Doesn't identify whether it actually contains CUI | Apply the correct body or attachment-only format |
| Treating the filename as the marking | A filename isn't a substitute for document markings | Mark the artifact itself |
| Requiring CUI in every subject line as a federal rule | DoD email guidance doesn't state that universal rule | Label it an internal convention if you adopt it |
| Ignoring derivative artifacts | CUI may be restated in travelers, work orders, or drawings | Apply documented derivative-data criteria and escalation |
| Relabeling every derivative automatically | Over-marks without an authority analysis | Evaluate the new artifact itself |
| Putting CUI on the outside of a package | Reveals externally that CUI is enclosed | Keep the outside unmarked; mark the internal transmittal |
| Leaving working papers unmarked | The rule requires working papers with CUI to be marked like the finished product | Include drafts and forms in the procedure |
| Treating FOUO as automatically CUI | FOUO is invalid and not a one-for-one conversion | Reevaluate the information |
| Having only a template | Doesn't prove interviews, use, sampling, or testing | Build the complete evidence set |
| Using draft policies as evidence | The scoring rule rejects draft or unofficial evidence | Approve and deploy final documentation |
| Inventing a source-code comment rule | Presents an internal convention as a federal requirement | Use approved program direction or an alternate-marking method |
What does a CUI marking not do?
A CUI marking communicates status and handling information. It does not, by itself, make information CUI, set your CMMC level, encrypt a file, authorize public release, or prove you satisfy MP.L2-3.8.4. Each of those is a separate authority or evidence question.
| The question | What actually decides it |
|---|---|
| Does marking make information CUI? | No — the governing authority and the designation decision do |
| Does marking set your CMMC level? | No — the solicitation, contract, or subcontract requirement does |
| Does marking set your assessment scope? | No — 32 CFR § 170.19 and CMMC scoping guidance do |
| Does marking encrypt the artifact? | No — separate NIST/DFARS security requirements do |
| Does marking authorize release? | No — the designating agency and a public-release process do |
| Does one marked sample prove the practice is MET? | No — assessment evidence under § 170.24 and the Assessment Guide does |
When should you escalate instead of guessing?
Escalate when the uncertainty is about whether information qualifies as CUI, which category applies, whether a derivative artifact retains CUI, which dissemination restriction belongs, whether an alternate marking is acceptable, or whether information can be decontrolled. Those decisions can change contractual obligations, scope, export-control exposure, and your assessment evidence.
Ask the originating or controlling organization when…
The category is missing or questionable, a distribution statement looks inconsistent, a file is called CUI but is unmarked, the prime marks every order CUI, derivative data is unresolved, or public-release/decontrol status is unclear.
Ask a Registered Practitioner, RPO, or readiness professional when…
You need to turn the authority into a procedure, your templates and evidence don’t cover all artifact types, employees can’t explain the process consistently, or you want a readiness review before a C3PAO assessment.
Ask qualified federal-contracts or export-control counsel when…
Contract interpretation is disputed, export-control law is involved, the prime won’t clarify material flow-down language, there’s potential False Claims Act or disclosure exposure, or you need a legal conclusion rather than implementation help.
Ask a C3PAO when…
You need to understand the formal assessment process or you’re selecting or scheduling an authorized assessment organization. Keep readiness and assessment separate: under the CMMC rule, an ecosystem member is prohibited from participating in a Level 2 certification assessment of an organization it served as a consultant to prepare for any CMMC assessment within the prior three years.
The CMMC Path Frameworkmaps a contractor’s required level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline to the provider category that fits the situation. It routes to a category — not a named provider— and is not a score, ranking, certification guarantee, or a substitute for compliance or legal advice.
What could the proposed 2026 FAR CUI acquisition rule change?
On June 23, 2026, the FAR Council published a proposed rule containing a revised government-wide CUI acquisition framework, with comments due July 23, 2026. It is proposed, not law. The government-wide CUI Program already exists under 32 CFR Part 2002; if finalized, this proposal would establish FAR clauses and a standard form for covered federal contracts that involve CUI.
| Topic | Where it stands today | What the proposal would change |
|---|---|---|
| Contract identification of CUI | No single government-wide FAR mechanism | A standard form ("SF XXX") in which the contracting officer identifies what CUI is involved and specifies whether and how the contractor must identify and mark it |
| Unmarked / mismarked CUI | Handle per 32 CFR § 2002.50 and program direction | Contractor must notify the contracting officer within 72 hours after discovering potential CUI that is unmarked, improperly marked, or omitted from the SF; contractor safeguards information it has evidence is potentially CUI while awaiting the CO's decision |
| Nonfederal-system safeguarding baseline | CMMC Level 2 uses NIST SP 800-171 Revision 2 under 32 CFR § 170.14 | Proposed FAR 52.240-7 would require NIST SP 800-171 Revision 3 for covered nonfederal systems under that clause, and could add selected NIST SP 800-172 requirements for critical programs or high-value assets |
| Incident reporting timeline | DFARS 252.204-7012 uses 72 hours | The proposal uses 72 hours, aligning with that framework (down from the 8-hour window in the January 2025 proposal) |
| Status as of July 11, 2026 | In force: the existing CUI Program and CMMC rule | Proposed only; comments due July 23, 2026; text can change before any final rule |
The single most important interaction for CMMC: a finalized FAR rule requiring Rev. 3 would not, by itself, change the CMMC assessment baseline. CMMC Level 2 remains tied to NIST SP 800-171 Revision 2 under 32 CFR § 170.14 unless DoD amends the CMMC rule. Two obligations could end up sitting side by side — a FAR clause on Rev. 3 and a CMMC assessment on Rev. 2 — which is exactly why you build a documented marking-and-escalation process now rather than after the dust settles. We track this docket for changes.
What should you do next?
You don’t need to memorize a marking manual today. You need three moves, in order: know what CUI you actually handle, adopt and train one documented marking method, and keep the final evidence.
- Inventory where CUI enters and is created. Start with the CMMC scoping guide if scope is fuzzy.
- Build controlled templates, an approved marking procedure, and role-based training sized to your workforce and artifact set. The artifact matrix above is your source material.
- Describe the implementation in your SSP and retain the final procedure, sampled artifacts, training records, and process-test evidence in your assessment evidence set.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Frequently asked questions about the CMMC CUI marking requirement
- Does CMMC Level 1 require CUI marking?
- MP.L2-3.8.4 is a Level 2 practice. A system that processes, stores, or transmits CUI generally raises a Level 2 question, while Level 1 addresses FCI only. DoD specifies the required CMMC Status for a prime contract in the solicitation and resulting contract; the prime or next-higher-tier contractor specifies the required status for a subcontract based on the information involved (DFARS 252.204-7021).
- Does every page of a DoD CUI document need to say 'CUI'?
- Not as an unqualified yes. Current DoD guidance allows a genuinely non-CUI interior page to be marked UNCLASSIFIED, while some recent DoD training aids teach CUI on every page. The regulation requires the banner on each page that includes CUI. Follow your controlling instructions and apply one documented method consistently.
- Does CUI Specified change the banner on an unclassified DoD document?
- The government-wide rule places CUI Specified category markings in the banner, but current DoD guidance for unclassified DoD documents keeps the banner as CUI and puts the category and LDC in the designation indicator block. You still apply any special warning or handling instruction the governing CUI Specified authority requires. Follow current DoD, component, contract, and program instructions.
- Is the CUI designation indicator block mandatory?
- For a current DoD document containing CUI, yes. Under 32 CFR § 2002.20(d), every document containing CUI must carry a designation indicator identifying the designating agency, and it may appear only on the first page or cover.
- Are CUI portion markings required?
- They're optional but encouraged on a wholly unclassified DoD document. If you mark one portion, you mark all portions. Portion marking becomes mandatory when CUI is commingled with classified information (32 CFR § 2002.20(f)–(g)).
- Does a CUI banner have to be purple?
- No. Current DoD guidance does not impose a purple banner-text requirement. Purple is associated with official CUI cover sheets and labels, but the banner line itself is the CUI control marking placed and formatted per current DoD guidance.
- Can a contractor apply a CUI marking?
- An authorized contractor can create and mark CUI documents when acting under an applicable government agreement and authority — when the contract, program direction, CUI Registry, and governing authority supply the basis. That is not permission for employees to invent a category or restriction on their own (32 CFR § 2002.20).
- Is "CONTROLLED" acceptable for DoD CUI?
- The government-wide rule lets an agency choose CONTROLLED or CUI, but current DoD-specific guidance uses CUI. A DoD contractor should therefore use CUI unless controlling instructions say otherwise (32 CFR § 2002.20(b)).
- Is "CUI" required in the filename?
- No, it is not a universal DoD requirement. An organization may adopt a filename convention as an internal control, but it shouldn't describe that convention as a CMMC requirement.
- Does the email subject line have to start with "CUI"?
- DoD's current email guidance requires first- and last-line markings in the body but does not state a universal subject-line requirement. A subject convention can be adopted by internal procedure.
- When is SF 901 used?
- SF 901 is the CUI cover sheet. Current DoD guidance calls for placing DoD CUI in an opaque envelope with SF 901 on top when the material is hand-carried outside the office or an approved telework location; at a desk or within an office the cover sheet is optional. A cover sheet never replaces the markings on the document itself.
- What if CUI arrives without a marking?
- The lack of a marking does not eliminate your handling obligations. Protect and challenge suspected CUI: notify the disseminating agency (through your prime's contract/program path if that's how you received it), keep safeguarding it while the challenge is resolved, and request clarification or a corrected copy (32 CFR § 2002.50).
- What if a customer marked something CUI that doesn't appear to qualify?
- Don't silently strip the marking. Notify the disseminating agency, request a correction, and continue safeguarding the challenged information at the indicated level while the challenge is resolved (32 CFR § 2002.50).
- Is a distribution statement the same as an LDC?
- No. They come from different frameworks. Current DoD guidance says to use the applicable distribution statement or LDC — not both on the same document.
- Does "no LDC" mean the document is public?
- No. Current DoD guidance is explicit that the absence of an LDC does not imply or authorize public release.
- Does a CUI marking encrypt the file?
- No. Marking alerts authorized holders to the information's status and handling requirements. Encryption, access control, and secure transmission are separate safeguards.
- Do working papers and drafts need CUI markings?
- If they contain CUI, working papers are marked the way the finished product containing that CUI would be marked. A "draft" label does not replace a CUI marking (32 CFR § 2002.20(k)).
- Should CUI be written on the outside of an envelope?
- No. The government-wide rule says not to put a CUI marking on the outside of a package or otherwise indicate externally that it contains CUI (32 CFR § 2002.20(i)).
- Does old FOUO automatically become CUI?
- No. FOUO is not a valid current DoD marking and does not convert one-for-one to CUI. Legacy FOUO material doesn't have to be re-marked while it stays under DoD control, but if it's reused in a new document or shared outside DoD it must be assessed against the CUI Registry and marked appropriately if it qualifies.
- Can MP.L2-3.8.4 go on a POA&M?
- Generally yes under the current Level 2 rule, because it is a one-point requirement and is not on the prohibited list. All Conditional-status conditions and the 180-day closeout requirement still apply (32 CFR § 170.21).
- Does a properly marked sample prove the practice is MET?
- Not by itself. Assessors may examine records, interview personnel, and test processes, and the scoring rule requires final evidence (CMMC Level 2 Assessment Guide; 32 CFR § 170.24).
How this page was produced
By The Defense Compliance Report Editorial Team.We cross-checked the current CMMC Program Rule in 32 CFR Part 170, the CMMC Level 2 Assessment Guide (v2.13), NIST SP 800-171 Revision 2, 32 CFR §§ 2002.20 and 2002.50, current DoD artifact-specific CUI pages and training aids, DFARS 252.204-7012 and 252.204-7021, and the June 2026 proposed FAR CUI rule. We separated regulatory requirements, current agency instructions, and our own editorial implementation conclusions rather than presenting them as the same kind of authority.
We found two material differences among official sources: current live DoD pages allow a non-CUI interior page to say UNCLASSIFIED while some DoD training aids direct CUIon every page, and the government-wide banner rule places CUI Specified category markings in the banner while current DoD guidance keeps them in the designation indicator block. We’ve shown both rather than silently picking the answer that would have made this article easier to write.
Related reading
- CMMC Scoping Guide
- CMMC Levels Guide
- CMMC Level 1 vs Level 2
- FCI vs. CUI Explained
- CUI Email Encryption for CMMC
- CMMC Encryption Requirements
- CMMC MFA Requirements
- CMMC Readiness Checklist
- Self-Assessment vs. C3PAO
- CMMC Provider Categories
- CMMC Privileged Access Management
- CMMC Password Requirements
- Editorial & Advertising Policy