The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Level 2 · MP.L2-3.8.4 · Last verified

CMMC CUI Marking Requirement: What to Mark, How, and What Assessors Check

Independent Research · By The Defense Compliance Report Editorial Team · Last verified: · Methodology · Editorial & Advertising Policy

The CMMC CUI marking requirement is MP.L2-3.8.4: media containing Controlled Unclassified Information (CUI) must carry the applicable CUI markings and any distribution limitations. But CMMC doesn’t invent a single banner format — it checks that you applied the marking rules that already exist in 32 CFR Part 2002 and DoD Instruction 5200.48. For a DoD document, that baseline is the word CUI at the top and bottom of the first page and a CUI designation indicator block on the first or title page. What the assessor scores is whether the applicable markings are present and whether applicable distribution limitations are present. Those are two separate objectives — one for the marking content, one for the restriction notation — and both must be MET.

Here’s the part the competing guides we audited for this page don’t consistently separate — and the reason your team keeps arguing about it: the governing law, regulation, or policy defines what canbe CUI, and the designating agency designates or approves it. You mark the CUI you create in performance when the contract and governing authority give you that basis, and you preserve applicable markings on what you receive. What you can’t do is put CUIon unmarked or legacy documents without a CUI Registry authority, invent a distribution restriction, or strip a marking you think is wrong. And “we mark everything CUI just in case” is not a defense-in-depth strategy — it’s a governance problem that distorts your CUI footprint and your assessment scope.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

Marking at a glance

The question you actually haveThe bottom line
Is CUI marking assessed at CMMC Level 2?Yes. MP.L2-3.8.4 checks two things: applicable CUI markings, and distribution limitations.
Does CMMC create the marking format?No. 32 CFR Part 2002, the CUI Registry, DoDI 5200.48, your contract, and program instructions supply the format.
What's the DoD document baseline?CUI in the banner (top and bottom of page 1) plus a designation indicator block on the first page.
Does every single page need 'CUI'?Not as a flat rule. Current DoD guidance lets a genuinely non-CUI interior page be marked UNCLASSIFIED; some DoD training aids still say every page. We show both below.
Are portion markings required?Optional but encouraged on an unclassified document; if you mark one portion you mark them all. Required when CUI is mixed with classified.
The mistake to stop first?Marking every defense-related file 'CUI' just in case — or inventing a category or distribution statement you were never given.

This page is for you if…

  • Implementing CMMC Level 2 or Level 3 media marking
  • Handling DoD CUI and need artifact-specific instructions
  • Building evidence for MP.L2-3.8.4
  • A prime sent you something unmarked and called it CUI
  • Preparing templates for Word, email, CAD, spreadsheets, USB drives, or source code

Read something else if…

  • Deciding which CMMC level your contract requires → Levels guide
  • Need encryption or secure email transport → CUI email encryption for CMMC
  • Handling classified information → contact your FSO
  • Need legal advice on export controls or False Claims Act exposure → qualified federal-contracts attorney

What we actually verified for this page

We don’t ask you to take our word for any of it. Here’s what we read and cross-checked on , and what each source supports.

Source we checkedWhat it supports
32 CFR § 2002.20 (eCFR)The government-wide marking rules: banner, designation indicator, packages, transmittals, working papers, the "each page that includes CUI" rule, alternate marking, and the concealment prohibition
32 CFR § 2002.50 (eCFR)How an authorized holder challenges suspected unmarked or improperly marked CUI, and the duty to keep protecting it while the challenge is resolved
CMMC Level 2 Assessment Guide, v2.13 (DoD CIO)MP.L2-3.8.4's two assessment objectives; the examine / interview / test methods; the official USB-drive example
32 CFR § 170.14 (eCFR)CMMC Level 2 is assessed against NIST SP 800-171 Revision 2 — not Revision 3 — under the current rule; Level 3 incorporates the Feb 2021 edition of NIST SP 800-172
32 CFR § 170.21 and § 170.24POA&M scoring rules and the requirement that assessment evidence be final, not draft
DoD CUI Program — Banner Line & DI BlockCurrent DoD presentation rules, including the interior-page UNCLASSIFIED allowance and the "category/LDC go in the DI block, not the banner" instruction
DoD CUI Program — Email & FOUO FAQBody-vs-attachment email rules; FOUO is no longer valid and doesn't convert to CUI one-for-one
DFARS 252.204-7012 and 252.204-7021Covered-defense-information safeguarding duties; the CMMC clause tying eligibility to your CMMC Status and flow-down to subcontractors
DoD CIO — CMMC program pagePhase 1 dates and the current rollout emphasis
What’s still moving, and how we handled it. We found a real gap between current live DoD web pages and older DoD training aids on whether every page needs “CUI,” and a second gap between the government-wide banner rule and current DoD banner guidance on where category markings go. We show both rather than pretending the record is tidy. There is also a proposed government-wide FAR CUI acquisition rule (June 23, 2026) that could change obligations across agencies; we cover it below.

What is the CMMC CUI marking requirement?

The CMMC CUI marking requirement is MP.L2-3.8.4, which requires media containing CUI to carry applicable CUI markings and distribution limitations. The official CMMC Level 2 Assessment Guide breaks that into two objectives: whether applicable CUI markings are present, and whether applicable distribution limitations are present. “Media” means both digital and non-digital — paper, drives, discs, and files alike.

The short requirement text reads: “Mark media with necessary CUI markings and distribution limitations.” That’s NIST SP 800-171 Revision 2 requirement 3.8.4, carried forward as practice MP.L2-3.8.4.

The two assessment objectives are worth memorizing, because they are exactly what an assessor scores:

ObjectiveWhat it means
[a]Media containing CUI is marked with applicable CUI markings.
[b]Media containing CUI is marked with distribution limitations.

Both must be satisfied for the requirement to be scored MET. Note the word doing all the work: applicable. There is no single string that goes on every artifact. What’s “applicable” depends on the CUI category, the governing authority, any special control or warning it requires, the applicable Limited Dissemination Control (LDC) or distribution statement, the artifact type, and any contract or program instruction.

Which CMMC levels this touches

MP.L2-3.8.4 is a Level 2 requirement. Level 3 includes the full Level 2 foundation plus 24 selected requirements from NIST SP 800-172 (the February 2021 edition incorporated by 32 CFR § 170.14), so marking rides along at Level 3 too. Level 1 covers Federal Contract Information (FCI) only and does not assess MP.L2-3.8.4.

Planning note for Level 3 teams

NIST finalized SP 800-172 Revision 3 in May 2026 and withdrew the February 2021 edition in its own catalog. That later edition is real, but it is notthe current CMMC Level 3 baseline unless and until DoD amends the CMMC rule. Build to the edition the rule incorporates, not the newest one on NIST’s site.

One more caution: “we only need Level 1” is not a marking strategy. If marked CUI is landing in your inbox, the honest question isn’t your marking template — it’s whether you’re actually in Level 2 territory. Our CMMC Level 1 vs Level 2 guide is the right next read before you build a single template.

Does CMMC actually tell you how to mark CUI?

No. CMMC tells the assessor what outcome to check. The marking format comes from 32 CFR Part 2002, the CUI Registry, DoDI 5200.48, applicable law, your contract, and program-specific instructions. For a private contractor, 32 CFR Part 2002 generally reaches you through your agreement with the government — the contract — rather than applying to your company directly in every situation.

The cleanest way to hold it is three separate decisions, each with a different authority:

The decisionThe questionWho answers it
DesignationDoes this specific information qualify as CUI?Governing law/regulation/policy, the CUI Registry, the designating agency, your contract or program instructions
MarkingHow should this artifact show its CUI status?32 CFR § 2002.20, DoDI 5200.48 and component guidance, contract/program instructions
CMMC evidenceCan you prove the marking process runs consistently?MP.L2-3.8.4, the Assessment Guide, 32 CFR Part 170

Get those three straight and most of your team’s disagreements evaporate. The engineer arguing about a banner and the compliance lead arguing about a category are answering two different questions with two different authorities.

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and don’t submit CUI, drawings, or sensitive contract details.
Map my CMMC path →Free · 2-minute triage · No CUI required.

Provider matching may generate referral or lead-routing compensation; any relationship is disclosed at the point of recommendation.

Who is responsible for marking CUI — the government or the contractor?

The designating agency designates or approves the designation of specific information as CUI. An authorized contractor may create and mark CUI when the contract, program direction, CUI Registry, and governing authority supply that basis. Suspected unmarked CUI should be protected and escalated through the agency or program process — not redesignated by house rule.

Under 32 CFR § 2002.20(a)(4), the designating agencydetermines that information qualifies as CUI and applies the marking when it designates it. And under § 2002.20(a)(6), no one may mark information as CUI to conceal illegality, negligence, or embarrassment, or for any purpose other than to follow the law authorizing the control. Over-marking isn’t a safe habit — Part 2002 treats marking information as CUI when it doesn’t qualify as potential misuse.

Government-provided information

Follow the markings and program instructions you were given. Preserve applicable markings on copies and on new artifacts that still contain the controlled information — but don’t assume every derivative automatically stays CUI. If something looks obviously inconsistent, escalate; don’t quietly “fix” it.

Contractor-created information

You can create information for or on behalf ofthe government that qualifies as CUI, and as an authorized holder you may mark the documents you create. But the category and the handling basis have to trace back to a real authority — law, regulation, government-wide policy, the contract, a CDRL, program direction, or the originator’s instruction. Your own proprietary business information does notbecome federal CUI just because it relates to a defense customer. Mark proprietary information as proprietary. Reserve “CUI” for information that actually qualifies.

Derivative information — the question that never dies

Contractors debate this constantly: does a work order, traveler, bill of materials, inspection record, or a drawing derived from government CUI retain the marking? There is no safe blanket answer in either direction. Run the decision instead of guessing:

  1. What exact source information was reused, restated, transformed, or embedded?
  2. Was the new artifact created for or on behalf of the government?
  3. What contract, CDRL, program guide, category authority, or originator instruction applies?
  4. Does the new artifact independently disclose the protected information?
  5. Is written clarification available from the prime or program office?
  6. If it’s genuinely unresolved: what temporary protection and escalation applies while you get an answer?

This is a real gray zone, the community argues about it because the answer genuinely depends on facts specific to your contract, and the defensible move is documented criteria plus escalation — not a house rule invented on the shop floor.

What must appear on a DoD CUI document?

For current DoD use, a document containing CUI carries CUIas the control marking (banner top and bottom of the first page) and a CUI designation indicator block on the first or title page. The designation indicator identifies the controlling organization, the CUI category, an applicable distribution statement or LDC, and a point of contact — and those conditional fields must come from an authority, not employee guesswork.

The control marking

For DoD, the banner marking is the acronym CUI. The government-wide rule allows an agency to use either the word CONTROLLED or the acronym CUI (§ 2002.20(b)(1)) — but current DoD guidance uses CUI, so a DoD contractor should use CUI unless a controlling instruction says otherwise.

Things not to do

  • Don’t use U//CUI. Current DoD training says that string is not a valid marking.
  • Don’t add the CUI category or the LDC to the banner. Per DoD’s own Banner Line guidance, that information belongs in the designation indicator block, not the banner.
  • Don’t rely on a vague “this document may contain CUI” disclaimer. It doesn’t identify whether the document actually contains CUI.

The designation indicator block

Every document containing CUI carries an indicator of who designated it. Under § 2002.20(d), it must identify the designating agency at a minimum, must be readily apparent, and may appear only on the first page or cover. A fictional example:

Controlled by:        Example Defense Manufacturing / Engineering
CUI Category:         CTI
Distribution Statement: B
POC:                  Jane Example, 555-0100

Fictional example only. Do not copy the category or distribution line unless it applies to your information. If an LDC applies instead of a distribution statement, use a separate line such as LDC: FEDCON— current DoD guidance says use the applicable distribution statement or LDC, not both on the same document.

Mandatory, conditional, and optional — at a glance

ElementStatus for DoD documentsThe condition that matters
CUI control markingRequiredUse the current DoD format (CUI).
Designation indicator blockRequired on first/title pagePopulate with accurate source information.
CUI categoryRequired in the DoD DI blockUse an authorized category. Do NOT place the category in the banner line of an unclassified DoD document — current DoD guidance keeps categories and LDCs in the DI block. Apply any separate warning or handling instruction the governing CUI Specified authority requires.
Distribution statementConditionalUse only when it actually applies.
Limited Dissemination Control (LDC)ConditionalUse an applicable LDC or a distribution statement — not both on the same document.
Warning statementConditionalUse when the governing authority requires it.
Portion markingOptional / encouraged (unclassified doc)If used, mark all portions.
Filename indicatorOptional internal controlNot a universal DoD requirement.
Subject-line indicatorOptional internal controlNot identified as a universal requirement on DoD's email page.

Source conflict worth knowing

32 CFR § 2002.20 establishes the government-wide banner model, which includes category markings in the banner for CUI Specified. Current DoD guidance for unclassified DoD documents uses CUIalone in the banner and moves the category and LDC to the designation indicator block. For a DoD artifact, follow current DoD, component, contract, and program instructions. This is a distinct difference — not the same as the interior-page question below.

Does every page need a CUI marking, and are portion markings required?

Don’t treat “CUI must appear on every page” as a flat universal rule. The government-wide regulation requires the banner content to be the same on each page that includes CUI, and current DoD guidance lets a genuinely non-CUI interior page be marked UNCLASSIFIED. Some recent DoD training aids still teach CUIat the top and bottom of every page. Either can be defensible; the method just can’t conflict with a controlling instruction, and you have to apply it consistently.

Why different guides give you different answers

SourceWhat it says
32 CFR § 2002.20(c)(1)The banner content must apply to the whole document and be the same on each page of the document that includes CUI.
DoD CUI Program — Banner Line (current)CUI at the top and bottom of the first page or cover; interior pages or slides may be marked "CUI" or "UNCLASSIFIED" if they contain no CUI.
DoD marking training aids (2024–2025)Instruct placing CUI at the top and bottom of each page.

Notice the regulation and the current DoD web page actually agree: the banner is required on each page that includes CUI, and a page with no CUI can say UNCLASSIFIED. The friction comes from older training aids that give the simpler “every page” instruction.

The two defensible models

Model 1 — Conservative whole-document marking

Mark all pages CUI. Simplest for templates and printing. Reduces the chance of accidental under-marking. Tradeoff: a non-CUI page pulled out and shared separately stays over-marked until someone fixes it.

Model 2 — Page-specific marking

First/title page reflects the document’s overall CUI status; interior pages containing CUI show CUI; interior pages with no CUI may show UNCLASSIFIED. Matches current DoD web guidance and the regulation, but demands more document discipline.

The Defense Compliance Report editorial conclusion: Pick the model that fits your controlling contract or component instruction, write down the source basis for your choice, configure your templates to match, and spot-check that employees apply it consistently. What you should not do is silently decide one official source overrides another without documenting why. A documented, consistently applied method gives the assessor evidence to examine.

Portion marking

For a wholly unclassified DoD document, portion marking is optional but strongly encouraged under current DoD guidance; 32 CFR § 2002.20(f) governs how optional portion markings are used. The rules:

What are the CMMC CUI marking requirements by file and media type?

MP.L2-3.8.4 is one requirement, but its implementation changes with the artifact. A Word document, an attachment-only email, a technical drawing, a spreadsheet, a USB drive, a shipping package, and a source-code repository each require a different action — which is exactly why a single banner screenshot can’t satisfy this search.

Status key:

  • Required — stated in a controlling regulation or current DoD instruction
  • Conditional — applies when category, artifact, contract, or LDC triggers it
  • Optional — permitted or encouraged, not universally mandatory

The final column is The Defense Compliance Report’s readiness guidance, not a mandatory DoD artifact checklist.

Artifact or situationWhat to doWhat’s conditional or unresolvedEvidence to prepare (DCR readiness guidance)
Word / PDF containing CUICUI top and bottom of the first/title page; designation indicator block on the first page; mark interior pages per your documented methodCategory, LDC, distribution statement, and warning language depend on the controlling authorityApproved template, completed samples, marking procedure, template-version record
Multi-page doc with non-CUI interior pagesChoose and document Model 1 (whole-document) or Model 2 (page-specific UNCLASSIFIED interiors) per § 2002.20(c) and DoD Banner LineDoD web guidance and older training aids differ; follow controlling instructionsApproved procedure citing your source hierarchy; samples proving consistent application
Slide deckCUI at the top and bottom of each slide containing CUI; DI block on the first/title slide; an interior slide with no CUI may be CUI or UNCLASSIFIED under current DoD guidancePortion marking optional for an unclassified deck unless another authority requires itApproved template; sampled decks
SpreadsheetMake the CUI marking conspicuous in normal view and in printed/PDF output; place the designation indicator where it's readily apparentThe format needs a different placement mechanism than Word — don't hide the marking outside normal view or print outputApproved workbook template; printed/PDF test; sampled worksheets
Email body contains CUICUI as the first and last line of the body; include a DI blockEncryption and transmission are separate controls from markingApproved email template; sanitized sample; transmission procedure
Email — unclassified body, CUI attachment onlyCUI first and last line; add a removal statement; mark the attachment itself; no DI block required in the email bodyInternal policy may add a subject label; DoD's page doesn't require oneApproved transmittal template; sampled sent message
Technical drawing / spec / other CTICUI top and bottom; DI block wherever it stays visible; reproduce only the distribution statement or restriction the controlling authority suppliedDo NOT guess which distribution statement applies just because it's a drawingMarked samples; source instruction; CDRL/contract record; escalation correspondence
Contractor-created traveler, BOM, work order, derivative drawingDetermine whether the new artifact itself contains or restates qualifying CUI; if it does, mark it per the applicable ruleNo safe blanket rule that every derivative is (or isn't) CUIDocumented decision criteria; program guidance; samples; unresolved-question log
Printed hardcopyPreserve all visible document markings. When DoD CUI is hand-carried outside the office, place in an opaque envelope with SF 901 on top; at a desk, the cover sheet is optionalA cover sheet does not replace the markings on the document itselfPrinted sample; physical-handling procedure; inspection record
USB / removable digital mediaApply a readable CUI label and applicable distribution limitation when practicable; when the device's nature or size makes individual marking impractical, use an authorized alternate methodOwnership info may help but is not a substitute for the CUI markingLabeled sample; removable-media inventory; alternate-marking procedure; process test
Working paper / draft / completed form with CUIMark it the way the finished product containing that CUI would be marked (§ 2002.20(k))"Draft" is an administrative label — it does not replace CUI markingsMarked sample; working-paper procedure; final template
Package or envelope containing CUIAddress to a specific recipient; put the markings and instructions on the internal transmittal or enclosed materials (§ 2002.20(i))Do NOT put a CUI marking on the outside or otherwise reveal externally that CUI is enclosedShipping procedure; fictional training example; shipment inspection record
Transmittal document accompanying CUICUI on its face, plus a removal statement (e.g., "When enclosure is removed, this document is Uncontrolled Unclassified Information") (§ 2002.20(j))The enclosed artifact still needs its own correct markingApproved transmittal template; sample
Incoming — looks like CUI but is unmarkedProtect it per your intake procedure, log the issue, and seek clarification or a corrected copy from the disseminating/designating entity (§ 2002.50)Lack of a marking does NOT automatically make it uncontrolled; don't casually redesignate itIntake ticket; correspondence; quarantine/handling record; resolution log
Incoming — marked incorrectlyNotify the disseminating agency and request a corrected document (§ 2002.50). Don't silently fix the sender's fileKeep safeguarding while it's resolved; log the correction pathCorrection request; response; replacement copy; issue log
Legacy FOUO / SBU / other old markingDetermine whether the information currently qualifies as CUI under the CUI Registry and applicable authorityFOUO is invalid for current DoD use and does not convert automatically to CUIReview record; controlling-authority response; new marked version where needed
Classified document containing CUI portionsApply classified-document rules and portion-mark all CUI so it's distinguishable (§ 2002.20(g))Route to your FSO or qualified security authority — not a template exerciseApproved classified-marking procedure; qualified review
Source code / repository containing CUIDetermine whether the code, embedded data, documentation, or combination qualifies; use approved program direction or a documented alternate-marking method when per-file marking is impracticalNo universal source-code comment-header syntax was found in the primary sources verified for this page as of July 11, 2026 — don't call one "the CMMC-required format"Repository notice; access banner; documented alternate method; code sample without CUI; decision record; process test
Large database / repository / controlled area where individual marking is impracticalUse an authorized alternate method: access agreement, digital splash screen, container label, or controlled-area sign (§ 2002.20(a)(8))The alternate method must make CUI status readily apparent — it's not permission to leave the status invisibleScreenshot; access agreement; area sign; procedure; user test

Two anchors under this table, straight from the sources. For removable media, the CMMC Assessment Guide says hardcopy and digital media must be properly marked and gives an official USB example: a project team labels the outside of each drive with an appropriate CUI label following NARA guidance, and the label notes that distribution is limited to employees supporting the DoD program. And on alternate marking, § 2002.20(a)(8) permits a “readily apparent” alternate method — user access agreements, a computer splash screen, or signs on storage areas or containers — when individual marking is impractical or a limited marking waiver applies.

You’ve now seen that the answer genuinely depends on the artifact in front of you. That’s the moment a checklist stops helping and a decision aid starts. If you’re not sure whether your situation needs an RPO, an MSSP, a GRC platform, or a CUI enclave to get this and the other 109 requirements done, that’s exactly what the path tool sorts out.

Map my CMMC provider category →Tell it your level, scope, environment, and timeline. No CUI required.

How do you mark a CUI email?

When the email body contains CUI, current DoD guidance calls for CUIas the first and last line of the body plus a designation indicator block. When the body is unclassified and only the attachment contains CUI, the email still gets first/last-line markings and a removal statement — but no DI block in the email itself — and the attachment must be marked correctly on its own. (Source: DoD email marking guidance, verified .)

QuestionBody contains CUIAttachment-only contains CUI
First and last line of the bodyCUICUI
DI block in the email bodyRequiredNot required
Removal statementNot applicableRequired (e.g., "This email is unclassified when the CUI attachment is removed")
Attachment markingThe attachment is marked on its ownThe attachment is marked on its own
Subject-line CUINot a universal DoD requirementNot a universal DoD requirement

Body contains CUI — fictional example:

CUI

[Fictional email body]

Controlled by: Example Company / Program Office
CUI Category: [Applicable category]
LDC or Distribution Statement: [Applicable entry]
POC: [Name and contact]

CUI

Body is unclassified; attachment contains CUI — fictional example:

CUI

Please see the attached document.

This email is unclassified when the CUI attachment is removed.

CUI

Fictional training examples only. Do not use with real CUI categories, real program names, or real distribution statements unless you have the governing authority.

What not to do

  • Don’t rely on “may contain CUI”.
  • Don’t leave the attachment unmarked (a correctly marked email with an unmarked CUI attachment is not compliant).
  • Don’t assume CUI in the subject line encrypts or protects anything.
  • Don’t treat marking and transmission as the same requirement.

Marking tells an authorized holder whatthey’re looking at. It does nothing to secure the message in transit. If your real question is encryption and secure delivery, read CUI email encryption for CMMC, which owns that topic.

How do distribution statements and limited dissemination controls change the marking?

A DoD distribution statement and a CUI limited dissemination control (LDC) are not interchangeable labels for the same thing. Current DoD guidance says to use the applicable distribution statement or LDC — not both on the same document — and the absence of an LDC does not authorize public release. (Source: DoD DI Block guidance.)

An LDClimits or specifies who may receive CUI. It must come from authorized criteria — you don’t add one just because you’d prefer tighter control. Critically: no LDC does not mean the document is public.

A distribution statement commonly appears on controlled technical, export-controlled, and other qualifying scientific/technical information, governed by DoDI 5230.24. It must be reproduced exactly as supplied. Current DoD guidance says the full distribution statement is written out on the first page and its letter is annotated in the designation indicator block.

QuestionLDCDoD distribution statement
Main purposeControls/specifies disseminationControls distribution of qualifying technical information
SourceCUI Program / agency policyDoDI 5230.24 and the controlling authority
Can an employee invent it?NoNo
Does its absence mean public release?NoNo
Where identifiedDI block when applicableFull first-page statement plus DI-block notation

If an incoming restriction looks wrong, preserve the source artifact, request clarification, don’t silently swap one restriction for another, and record how you resolved it. That record is assessment evidence.

What should you do with unmarked, incorrectly marked, or legacy CUI?

Missing CUI markings do not erase your handling obligations, and improperly marked or unmarked information should be challenged back to the disseminating agency. Legacy labels like FOUO are not automatically CUI — the information must be evaluated against current authority before it’s reused or shared outside DoD.

Incoming unmarked information

Under 32 CFR § 2002.20(a)(7), lack of a marking on information that qualifies as CUI does not exempt an authorized holder from the handling requirements. And under § 2002.50, an authorized holder that believes CUI is unmarked or improperly marked should notify the disseminating agency — and keeps protecting the information while the challenge is resolved. The steps:

  1. Don’t distribute it casually.
  2. Put it in your documented review path.
  3. Identify the source contract/program and the possible category.
  4. Notify the disseminating agency. When received through a prime, follow the contract or program escalation path.
  5. Record the answer.
  6. Replace or correct the artifact where appropriate.
  7. Keep the record as assessment evidence.

Incorrectly marked information

Notify the disseminating agency and request a corrected document (§ 2002.50). Don’t silently fix the sender’s file. Keep safeguarding the challenged information at the indicated level while it’s resolved, and log the correction path.

Over-marked information

Treat obvious over-marking as a governance problem, not a habit to copy. Request clarification rather than stripping controls. Indiscriminate marking expands operational friction, erodes trust in the markings that matter, and can distort the CUI footprint you assert.

Legacy FOUO and SBU

FOUO is not a valid current DoD marking, and there is no automatic FOUO-to-CUI conversion. Evaluate the information against current CUI authority, not the old label. One nuance worth knowing: previously marked FOUO material does not have to be re-marked while it remains under DoD control or is downloaded for use within DoD. But if the information is reused in a new document or shared outside DoD, assess it against the CUI Registry and mark it appropriately if it qualifies. (Source: DoD FOUO FAQ.)

Log every unmarked or mismarked item — the paper trail becomes your assessment evidence

Download the CMMC Readiness Checklist →

Mapped to all 14 NIST 800-171 Rev. 2 control families. Do not upload CUI.

What will a CMMC assessor look for under MP.L2-3.8.4?

The Assessment Guide lets the assessor examine your policies, procedures, SSP, marking attributes, controlled-area records, and samples; interview the people responsible for marking; and test the process or mechanism you use to apply markings. A polished template with no consistent samples, no knowledgeable staff, and no working process is not enough.

The damaging admission: MP.L2-3.8.4 is worth one point out of 110. You can mark every document flawlessly and still fail a Level 2 assessment badly. This control will not save an unready environment.

But that one point matters more than its weight suggests. When you already know your designation basis and where CUI flows, marking is a comparatively bounded task — controlled templates, an approved procedure, role-based training, and testing. And inconsistent markings can prompt broader questions about whether the organization understands its CUI inventory and data flows. Marking is the thread; scope is the sweater.

If reading this makes you suspect your real problem is bigger than marking — that you’re not actually sure what’s in scope — good instinct. Don’t force a marking fix onto a scoping problem. Start with the CMMC scoping guide instead.

Evidence for objective [a] — applicable CUI markings

The official guide identifies potential assessment objects. These are The Defense Compliance Report’s readiness recommendations, not a mandatory DoD artifact checklist.

Approved media-marking policy; artifact-specific procedure; current Word, PowerPoint, spreadsheet, and email templates; samples across your actual artifact types; removable-media examples; unmarked-intake log; template change control; training and acknowledgment records; test results.

Evidence for objective [b] — distribution limitations

Distribution-statement source records; the LDC decision authority; DI-block examples; the technical-data procedure; contract/CDRL/program references; escalation records; samples proving restrictions are reproduced accurately.

How the three methods actually play out

MethodWhat the official method can coverWhat you prepareFailure condition to test
ExamineExamines selected policies, procedures, the SSP, marking attributes, controlled-area records, and other relevant objectsFinal approved procedure, template library, sample index, exception logOnly a draft policy exists
InterviewInterviews personnel responsible for media protection, media marking, or information securityRole-specific interview prep; trained artifact creatorsOnly the consultant understands the process
TestTests the organizational marking process or supporting mechanismDemonstrate creating a properly marked document/email and handling an unmarked intakeTemplate exists but users don't follow it

One rule that trips people at the finish line: under 32 CFR § 170.24 and the Assessment Guide, evidence must be final— drafts, working papers, and unofficial or unapproved policies don’t count. Approve and deploy your documentation before the assessment, not during it.

See where 3.8.4 sits among the other 109 requirements

Get the CMMC Readiness Checklist →

Mapped to all 14 NIST 800-171 Rev. 2 control families. Do not upload CUI.

Can MP.L2-3.8.4 be placed on a CMMC Level 2 POA&M?

Generally yes, under the current rule. MP.L2-3.8.4 is a one-point requirement and is not on the Level 2 list of practices barred from a Plan of Action and Milestones (POA&M), so it can be included when all Conditional-status conditions are met. You still have to hit the minimum score ratio, document the NOT MET requirement, and close the POA&M within 180 days. A POA&M is not a substitute for implementation.

Why it’s one point: MP.L2-3.8.4 is a derived requirement that isn’t on the five-point or three-point lists, so under 32 CFR § 170.24 it carries one point.

Conditions for Conditional Level 2 (32 CFR § 170.21):

  • Assessment score divided by 110 must be at least 0.8 (at least 88 of 110).
  • No POA&M item may exceed one point, with the rule’s narrow FIPS-encryption exception.
  • None of the named prohibited requirements may be on the POA&M.
  • Closeout must occur within 180 days.
  • For a certification assessment, the closeout must be performed by an authorized/accredited C3PAO.

Closeout evidence should show the final approved procedure, deployed templates or mechanisms, corrected artifact samples, completed training, interview-ready staff, a successful process test, closure of internal tickets, and an updated SSP description.

The honest warning: one point does not make this optional. It only affects scoring and Conditional-status eligibility. Leave it NOT MET at the deadline and your Conditional status expires.

How do you build a repeatable marking process without marking everything?

A defensible marking program starts with your contracts, categories, CUI flows, and source instructions — not a label purchase or a Word template. You translate those authorities into artifact-specific procedures, train the people who create and transmit CUI, sample your actual media, and keep evidence that the process keeps running.

The sequence below is The Defense Compliance Report’s editorial implementation framework; neither 32 CFR Part 170 nor the CMMC Assessment Guide prescribes this exact order.

  1. Map the authority. Record the contract and subcontract, applicable clauses, program, government/prime contact, CUI category, distribution statement or LDC, program guide or CDRL, source artifact, and your required CMMC level and assessment status.
  2. Map where CUI is created and reused. Incoming portal, email, file shares, CAD, ERP/MRP, shop-floor travelers, quality records, source repositories, printed documents, removable media, external collaboration.
  3. Define rules by artifact.Use the artifact matrix above to write your internal procedure — one row per artifact you actually produce.
  4. Build controlled templates and mechanisms. Word, PowerPoint, spreadsheet, email, technical drawing, transmittal, working paper, USB label, and an alternate repository or controlled-area marking.
  5. Assign roles (RACI). Who identifies the program/category basis? Who creates markings? Who approves templates? Who answers ambiguous cases? Who samples? Who maintains evidence? Who talks to the prime or program POC?
  6. Train by role, not one generic deck. Engineering on drawings and derivative data; quality on inspection records and travelers; program management on source instructions and escalation; IT on repositories and alternate marking; everyone on email and hardcopy; security/compliance on evidence and sampling.
  7. Sample and correct.Use a cadence your organization can defend. We recommend quarterly or risk-triggered sampling against your actual artifact set — checking applicable markings, distribution limitations, artifact format, template version, employee understanding, unmarked-intake handling, and corrective action. That recurring check is itself evidence of an operating control. (MP.L2-3.8.4 itself does not prescribe a quarterly frequency.)

What CUI marking mistakes create CMMC assessment risk?

The costly marking failures usually aren’t font or alignment problems. They’re failures to establish the designation basis, reproduce applicable distribution limitations, cover every artifact type you actually use, train the responsible people, and prove with final evidence that the documented process runs consistently.

MistakeWhy it mattersThe fix
Marking every defense-related file "CUI"Confuses contract relevance with CUI status; expands handling and can distort your asserted CUI footprintRequire an authority/category basis and an escalation path
Using CONTROLLED in a DoD templateDoesn't follow current DoD-specific guidanceUse CUI
Using U//CUIDoD training says it's not validUse the authorized DoD control marking
Putting the category or LDC in the bannerDoD guidance puts that in the DI blockKeep the banner as CUI; populate the DI block
Missing the DI blockRemoves designation, category, restriction, and POC contextPut it on the first/title page
Inventing a distribution statementCreates an unsupported restrictionObtain it from the controlling authority
Using both an LDC and a distribution statementConflicts with current DoD DI guidanceUse the applicable entry; request clarification where sources conflict
Relying on "may contain CUI"Doesn't identify whether it actually contains CUIApply the correct body or attachment-only format
Treating the filename as the markingA filename isn't a substitute for document markingsMark the artifact itself
Requiring CUI in every subject line as a federal ruleDoD email guidance doesn't state that universal ruleLabel it an internal convention if you adopt it
Ignoring derivative artifactsCUI may be restated in travelers, work orders, or drawingsApply documented derivative-data criteria and escalation
Relabeling every derivative automaticallyOver-marks without an authority analysisEvaluate the new artifact itself
Putting CUI on the outside of a packageReveals externally that CUI is enclosedKeep the outside unmarked; mark the internal transmittal
Leaving working papers unmarkedThe rule requires working papers with CUI to be marked like the finished productInclude drafts and forms in the procedure
Treating FOUO as automatically CUIFOUO is invalid and not a one-for-one conversionReevaluate the information
Having only a templateDoesn't prove interviews, use, sampling, or testingBuild the complete evidence set
Using draft policies as evidenceThe scoring rule rejects draft or unofficial evidenceApprove and deploy final documentation
Inventing a source-code comment rulePresents an internal convention as a federal requirementUse approved program direction or an alternate-marking method

Your marking procedure won’t eliminate every ambiguous CUI designation. Its job is to make the ambiguity controlled, escalated, documented, and consistently handled— instead of leaving each employee to improvise.

What does a CUI marking not do?

A CUI marking communicates status and handling information. It does not, by itself, make information CUI, set your CMMC level, encrypt a file, authorize public release, or prove you satisfy MP.L2-3.8.4. Each of those is a separate authority or evidence question.

The questionWhat actually decides it
Does marking make information CUI?No — the governing authority and the designation decision do
Does marking set your CMMC level?No — the solicitation, contract, or subcontract requirement does
Does marking set your assessment scope?No — 32 CFR § 170.19 and CMMC scoping guidance do
Does marking encrypt the artifact?No — separate NIST/DFARS security requirements do
Does marking authorize release?No — the designating agency and a public-release process do
Does one marked sample prove the practice is MET?No — assessment evidence under § 170.24 and the Assessment Guide does

When should you escalate instead of guessing?

Escalate when the uncertainty is about whether information qualifies as CUI, which category applies, whether a derivative artifact retains CUI, which dissemination restriction belongs, whether an alternate marking is acceptable, or whether information can be decontrolled. Those decisions can change contractual obligations, scope, export-control exposure, and your assessment evidence.

Ask the originating or controlling organization when…

The category is missing or questionable, a distribution statement looks inconsistent, a file is called CUI but is unmarked, the prime marks every order CUI, derivative data is unresolved, or public-release/decontrol status is unclear.

Ask a Registered Practitioner, RPO, or readiness professional when…

You need to turn the authority into a procedure, your templates and evidence don’t cover all artifact types, employees can’t explain the process consistently, or you want a readiness review before a C3PAO assessment.

Ask qualified federal-contracts or export-control counsel when…

Contract interpretation is disputed, export-control law is involved, the prime won’t clarify material flow-down language, there’s potential False Claims Act or disclosure exposure, or you need a legal conclusion rather than implementation help.

Ask a C3PAO when…

You need to understand the formal assessment process or you’re selecting or scheduling an authorized assessment organization. Keep readiness and assessment separate: under the CMMC rule, an ecosystem member is prohibited from participating in a Level 2 certification assessment of an organization it served as a consultant to prepare for any CMMC assessment within the prior three years.

The CMMC Path Frameworkmaps a contractor’s required level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline to the provider category that fits the situation. It routes to a category — not a named provider— and is not a score, ranking, certification guarantee, or a substitute for compliance or legal advice.

Do not submit CUI, drawings, source code, or sensitive contract details. Provider matching may generate referral compensation when disclosed.

What could the proposed 2026 FAR CUI acquisition rule change?

Proposed rule — not currently binding

On June 23, 2026, the FAR Council published a proposed rule containing a revised government-wide CUI acquisition framework, with comments due July 23, 2026. It is proposed, not law. The government-wide CUI Program already exists under 32 CFR Part 2002; if finalized, this proposal would establish FAR clauses and a standard form for covered federal contracts that involve CUI.

TopicWhere it stands todayWhat the proposal would change
Contract identification of CUINo single government-wide FAR mechanismA standard form ("SF XXX") in which the contracting officer identifies what CUI is involved and specifies whether and how the contractor must identify and mark it
Unmarked / mismarked CUIHandle per 32 CFR § 2002.50 and program directionContractor must notify the contracting officer within 72 hours after discovering potential CUI that is unmarked, improperly marked, or omitted from the SF; contractor safeguards information it has evidence is potentially CUI while awaiting the CO's decision
Nonfederal-system safeguarding baselineCMMC Level 2 uses NIST SP 800-171 Revision 2 under 32 CFR § 170.14Proposed FAR 52.240-7 would require NIST SP 800-171 Revision 3 for covered nonfederal systems under that clause, and could add selected NIST SP 800-172 requirements for critical programs or high-value assets
Incident reporting timelineDFARS 252.204-7012 uses 72 hoursThe proposal uses 72 hours, aligning with that framework (down from the 8-hour window in the January 2025 proposal)
Status as of July 11, 2026In force: the existing CUI Program and CMMC ruleProposed only; comments due July 23, 2026; text can change before any final rule

The single most important interaction for CMMC: a finalized FAR rule requiring Rev. 3 would not, by itself, change the CMMC assessment baseline. CMMC Level 2 remains tied to NIST SP 800-171 Revision 2 under 32 CFR § 170.14 unless DoD amends the CMMC rule. Two obligations could end up sitting side by side — a FAR clause on Rev. 3 and a CMMC assessment on Rev. 2 — which is exactly why you build a documented marking-and-escalation process now rather than after the dust settles. We track this docket for changes.

What should you do next?

You don’t need to memorize a marking manual today. You need three moves, in order: know what CUI you actually handle, adopt and train one documented marking method, and keep the final evidence.

  1. Inventory where CUI enters and is created. Start with the CMMC scoping guide if scope is fuzzy.
  2. Build controlled templates, an approved marking procedure, and role-based training sized to your workforce and artifact set. The artifact matrix above is your source material.
  3. Describe the implementation in your SSP and retain the final procedure, sampled artifacts, training records, and process-test evidence in your assessment evidence set.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Do not submit CUI, drawings, source code, export-controlled information, contract attachments, or sensitive program details. Provider matching may generate referral compensation when disclosed.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Frequently asked questions about the CMMC CUI marking requirement

Does CMMC Level 1 require CUI marking?
MP.L2-3.8.4 is a Level 2 practice. A system that processes, stores, or transmits CUI generally raises a Level 2 question, while Level 1 addresses FCI only. DoD specifies the required CMMC Status for a prime contract in the solicitation and resulting contract; the prime or next-higher-tier contractor specifies the required status for a subcontract based on the information involved (DFARS 252.204-7021).
Does every page of a DoD CUI document need to say 'CUI'?
Not as an unqualified yes. Current DoD guidance allows a genuinely non-CUI interior page to be marked UNCLASSIFIED, while some recent DoD training aids teach CUI on every page. The regulation requires the banner on each page that includes CUI. Follow your controlling instructions and apply one documented method consistently.
Does CUI Specified change the banner on an unclassified DoD document?
The government-wide rule places CUI Specified category markings in the banner, but current DoD guidance for unclassified DoD documents keeps the banner as CUI and puts the category and LDC in the designation indicator block. You still apply any special warning or handling instruction the governing CUI Specified authority requires. Follow current DoD, component, contract, and program instructions.
Is the CUI designation indicator block mandatory?
For a current DoD document containing CUI, yes. Under 32 CFR § 2002.20(d), every document containing CUI must carry a designation indicator identifying the designating agency, and it may appear only on the first page or cover.
Are CUI portion markings required?
They're optional but encouraged on a wholly unclassified DoD document. If you mark one portion, you mark all portions. Portion marking becomes mandatory when CUI is commingled with classified information (32 CFR § 2002.20(f)–(g)).
Does a CUI banner have to be purple?
No. Current DoD guidance does not impose a purple banner-text requirement. Purple is associated with official CUI cover sheets and labels, but the banner line itself is the CUI control marking placed and formatted per current DoD guidance.
Can a contractor apply a CUI marking?
An authorized contractor can create and mark CUI documents when acting under an applicable government agreement and authority — when the contract, program direction, CUI Registry, and governing authority supply the basis. That is not permission for employees to invent a category or restriction on their own (32 CFR § 2002.20).
Is "CONTROLLED" acceptable for DoD CUI?
The government-wide rule lets an agency choose CONTROLLED or CUI, but current DoD-specific guidance uses CUI. A DoD contractor should therefore use CUI unless controlling instructions say otherwise (32 CFR § 2002.20(b)).
Is "CUI" required in the filename?
No, it is not a universal DoD requirement. An organization may adopt a filename convention as an internal control, but it shouldn't describe that convention as a CMMC requirement.
Does the email subject line have to start with "CUI"?
DoD's current email guidance requires first- and last-line markings in the body but does not state a universal subject-line requirement. A subject convention can be adopted by internal procedure.
When is SF 901 used?
SF 901 is the CUI cover sheet. Current DoD guidance calls for placing DoD CUI in an opaque envelope with SF 901 on top when the material is hand-carried outside the office or an approved telework location; at a desk or within an office the cover sheet is optional. A cover sheet never replaces the markings on the document itself.
What if CUI arrives without a marking?
The lack of a marking does not eliminate your handling obligations. Protect and challenge suspected CUI: notify the disseminating agency (through your prime's contract/program path if that's how you received it), keep safeguarding it while the challenge is resolved, and request clarification or a corrected copy (32 CFR § 2002.50).
What if a customer marked something CUI that doesn't appear to qualify?
Don't silently strip the marking. Notify the disseminating agency, request a correction, and continue safeguarding the challenged information at the indicated level while the challenge is resolved (32 CFR § 2002.50).
Is a distribution statement the same as an LDC?
No. They come from different frameworks. Current DoD guidance says to use the applicable distribution statement or LDC — not both on the same document.
Does "no LDC" mean the document is public?
No. Current DoD guidance is explicit that the absence of an LDC does not imply or authorize public release.
Does a CUI marking encrypt the file?
No. Marking alerts authorized holders to the information's status and handling requirements. Encryption, access control, and secure transmission are separate safeguards.
Do working papers and drafts need CUI markings?
If they contain CUI, working papers are marked the way the finished product containing that CUI would be marked. A "draft" label does not replace a CUI marking (32 CFR § 2002.20(k)).
Should CUI be written on the outside of an envelope?
No. The government-wide rule says not to put a CUI marking on the outside of a package or otherwise indicate externally that it contains CUI (32 CFR § 2002.20(i)).
Does old FOUO automatically become CUI?
No. FOUO is not a valid current DoD marking and does not convert one-for-one to CUI. Legacy FOUO material doesn't have to be re-marked while it stays under DoD control, but if it's reused in a new document or shared outside DoD it must be assessed against the CUI Registry and marked appropriately if it qualifies.
Can MP.L2-3.8.4 go on a POA&M?
Generally yes under the current Level 2 rule, because it is a one-point requirement and is not on the prohibited list. All Conditional-status conditions and the 180-day closeout requirement still apply (32 CFR § 170.21).
Does a properly marked sample prove the practice is MET?
Not by itself. Assessors may examine records, interview personnel, and test processes, and the scoring rule requires final evidence (CMMC Level 2 Assessment Guide; 32 CFR § 170.24).

How this page was produced

By The Defense Compliance Report Editorial Team.We cross-checked the current CMMC Program Rule in 32 CFR Part 170, the CMMC Level 2 Assessment Guide (v2.13), NIST SP 800-171 Revision 2, 32 CFR §§ 2002.20 and 2002.50, current DoD artifact-specific CUI pages and training aids, DFARS 252.204-7012 and 252.204-7021, and the June 2026 proposed FAR CUI rule. We separated regulatory requirements, current agency instructions, and our own editorial implementation conclusions rather than presenting them as the same kind of authority.

We found two material differences among official sources: current live DoD pages allow a non-CUI interior page to say UNCLASSIFIED while some DoD training aids direct CUIon every page, and the government-wide banner rule places CUI Specified category markings in the banner while current DoD guidance keeps them in the designation indicator block. We’ve shown both rather than silently picking the answer that would have made this article easier to write.

Last verified: · CMMC Level 2 Assessment Guide v2.13 · NIST SP 800-171 Rev. 2 baseline.

This report is educational research and is not legal, contractual, export-control, or compliance advice. CMMC and CUI requirements vary by contract, scope, and CUI handling specifics. Confirm scope and applicability with a Registered Practitioner (RP), a Registered Provider Organization (RPO), or a qualified federal-contracts or export-control attorney before acting. The contract clause and CUI handling set your level, not a checklist.

The Defense Compliance Report is not affiliated with the Cyber AB, the U.S. Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

Found an error? Corrections policy. Research approach: Methodology and Editorial Standards.