Training & Education

Updated January 2026 How to Properly Identify, Label, and Protect Controlled Unclassified Information Physical Marking: Best Practices by Media Type Executive Summary Controlled Unclassified Information (CUI) marking is one of the most misunderstood and under-implemented components of CMMC compliance. While organizations often invest heavily in cybersecurity, they frequently overlook the physical identification and marking of CUI — creating audit risk, operational confusion, and security gaps. This CUI Marking Guide outlines the requirements, best practices, and implementation steps necessary to properly identify and label Controlled Unclassified Information (CUI) based on the real-world practices auditors and assessors expect to see. It is designed for defense contractors, manufacturers, engineers, and regulated organizations that handle sensitive government information and must meet the requirements of NIST SP 800-171, DFARS 252.204-7012, and CMMC. Inside, you’ll find straightforward guidance, real-world examples, and implementation best practices to help your organization establish consistent CUI marking standards, reduce audit risk, and strengthen both physical and cybersecurity compliance. 1. What Is CUI — And Why Marking Matters Controlled Unclassified Information (CUI) is information the U.S. Government has determined requires safeguarding or dissemination controls, but does not meet the criteria for classification. CUI exists across: Engineering drawings Manufacturing travelers Technical manuals Specifications Contracts Emails Reports CAD files Quality records Test data Export-controlled materials Why marking matters: CUI marking is foundational to compliance and security. If information isn’t clearly identified as CUI, then: Employees don’t know how to handle it Security controls can’t be applied properly Auditors can’t verify compliance Cybersecurity protections become misaligned Organizations fail CMMC assessments You cannot protect what you cannot clearly identify. 2. What Regulations Require CUI Marking? CUI marking is governed by: 32 CFR Part 2002 – CUI Program NIST SP 800-171 – Protecting CUI in Nonfederal Systems DFARS 252.204-7012 CMMC 2.0 Key Requirements: Organizations must: Identify CUI Mark it clearly Protect it physically and digitally Control dissemination Train staff on handling Marking is the trigger point that activates all downstream safeguards. 3. What Must Be Marked as CUI? CUI applies to far more than just documents. Common CUI Examples: Physical Media Printed documents Drawings Blueprints Manuals Test reports Manufacturing travelers Quality inspection records Physical Artifacts Parts or items manufactured/modified to meet military / space technical specifications Digital Media Computers Servers Hard drives USB drives CDs/DVDs Backup tapes Electronic Information Emails Shared folders Cloud storage CAD files ERP systems Facilities & Workspaces CUI work areas Engineering labs Manufacturing floors Secure rooms If it provides access to CUI, it must be treated as CUI media. 4. Core CUI Marking Requirements At minimum, CUI must be clearly labeled with: Required Markings: “CUI” banner marking CUI category (e.g., ITAR, Export Controlled, Privacy) Placement Guidelines: Top and bottom of each page (documents) Exterior of folders Visible placement on storage media Entry points of controlled areas Key Rule: Markings must be: Clear Visible Durable Consistent 5. Physical Marking: Best Practices by Media Type Documents & Paper Files Header/footer “CUI” labels File folder labels Coversheets for easy and immediate identification of CUI Best Practice: Use CUI coversheets anytime documents leave controlled spaces. Recommended Marking Solutions:CUI Document Labels, File Folder Labels, Coversheets. Computers & Digital Media Computer asset labels USB / hard drive labels Server cabinet signage Best Practice: If a system stores, processes, or transmits CUI, it must be clearly labeled. Recommended Marking Solutions:Computer & Asset Labels, USB & Digital Media Labels, Equipment Signage. Manufacturing & Engineering Environments Drawing racks Workstation signage Controlled production area signs Traveler document labeling Best Practice: Mark zones, not just documents. Recommended Marking Solutions:Workstation Signs, Production Area Signage, Document & Traveler Labels. Facilities & Rooms Restricted area signage Door labels Access-controlled entry points Best Practice: Anyone entering should instantly know CUI is present. Recommended Marking Solutions:Restricted Area Signs, Door & Entryway Labels, Facility Signage. 6. Common CUI Marking Mistakes (That Cause Audit Failures) Marking only the cover page Forgetting digital assets Unlabeled engineering workstations No signage in CUI work areas Inconsistent labeling across departments Employees unsure what qualifies as CUI Many CMMC failures happen not due to cybersecurity — but poor identification and marking. 7. A Simple 5-Step CUI Marking Program Here’s a practical roadmap companies can actually follow: Step 1 — Identify CUI Flow Map: Where CUI enters Where it’s created Where it flows Where it’s stored Step 2 — Define Marking Standards Standardize: Label designs Placement rules Handling procedures Step 3 — Deploy Physical Marking Apply: Labels Signs Coversheets Facility signage Step 4 — Train Employees Ensure staff understands: What is CUI How to recognize it How to mark it How to protect it Step 5 — Self-Audit Regularly Quarterly checks: Spot inspections Workspace audits Document reviews 8. CUI Marking Checklist (Quick Reference) Documents labeled Folders labeled Digital media labeled Computers labeled CUI rooms signed Manufacturing areas signed Transport coversheets used Staff trained 9. How CUI Supply Simplifies Compliance CUI Supply provides ready-to-deploy physical compliance solutions: CUI document labels Digital media labels Computer labels Coversheets Restricted area signage Manufacturing workstation signage Full compliance kits Our goal: Make compliance simple, fast, and audit-ready. 10. Final Takeaway CUI marking is not a paperwork exercise or a compliance formality. It is the foundation of CMMC compliance, the trigger for cybersecurity and physical security controls, and the front line of defense for protecting national security information. When CUI is clearly identified and consistently marked, organizations gain control over information flow, reduce risk exposure, simplify audits, and dramatically improve security posture across both physical and digital environments. When CUI is poorly marked or inconsistently handled, even the strongest cybersecurity investments fail to deliver real protection. Data moves without guardrails. Employees guess. Auditors flag gaps. Risk multiplies. Clear marking creates clarity. Clarity creates accountability. Accountability creates security. Organizations that treat CUI marking as a strategic priority—not just a compliance task—position themselves to pass assessments faster, reduce operational friction, and build trust with prime contractors and government partners. If it is not clearly marked, it is not protected.And if it is not protected, it becomes a business, contractual, and national security risk.

If you work with the Department of Defense (DoD) or support the Defense Industrial Base (DIB), you’ve almost certainly heard the term CUI—but it’s also one of the most misunderstood concepts in compliance. Understanding Controlled Unclassified Information (CUI) is foundational to DFARS, NIST SP 800-171, and CMMC compliance. This guide breaks it down clearly and practically.

Prepared by DTCGlobal.us for CUISupply.com Summary: Yes. When ITAR or EAR-controlled technical data or technology is used, created, or required to perform a U.S. Department of Defense (DoD) contract or subcontract at all tiers, it qualifies as Controlled Unclassified Information (CUI) and must be protected accordingly. The most direct answer comes from: See DoD Procurement Toolbox, Cybersecurity FAQ #22.and Question #28. Look below to learn how CUI Supply products can help you meet these requirements. CUI Supply products support compliance by helping organizations clearly identify and protect export-controlled CUI during the performance of the contract in controlled environments or CUI zones such as: Engineering offices Manufacturing floors Quality and test areas Visitor and customer access zones Through signage, labeling, zoning, and visual-control mechanisms, CUI Supply helps prevent unauthorized disclosure of ITAR- and EAR-restricted information, aligning day-to-day operations with DoD CUI and export-control requirements. What This Means for Manufacturing Companies Many manufacturing organizations mistakenly treat export control (ITAR/EAR) and CUI/CMMC as separate compliance efforts. Under DoD contracts, they are closely connected. ITAR and EAR determine who is allowed access to technical data and technology. CUI requirements determine how that information must be identified, marked, and protected. When export-controlled information supports DoD contract performance, both sets of requirements apply at the same time. When ITAR / EAR Information Becomes CUI Export-controlled information qualifies as CUI when it is: Provided by the DoD, or Generated by your company while performing a DoD contract, and Required to be protected by law, regulation, or government-wide policy. In these cases, the information is typically categorized as: CUI // Export Control (EXPT) Often overlapping with Controlled Technical Information (CTI) Common Examples in Manufacturing This includes, but is not limited to: Engineering drawings and CAD files Technical data packages Manufacturing and process instructions Specifications, tolerances, and test data Quality and inspection documentation If these materials are ITAR- or EAR-restricted and tied to a DoD contract, they must be treated as CUI. What You Are Expected to Do When DFARS 252.204-7012 is included in your contract, your organization must: Identify export-controlled information involved in contract performance Mark it as CUI in accordance with DoD guidance Protect it using appropriate physical, visual, procedural, and system safeguards Control access, including preventing unauthorized foreign-person exposure This applies whether the information was: Received from the government, or Created by your company during contract performance CUI Zones and Manufacturing Environments In manufacturing settings, CUI protection is not limited to IT systems. Export-controlled CUI often exists in physical spaces, such as: Engineering offices Manufacturing floors Quality and test areas Areas where visitors or customers may be present These areas commonly require CUI Zones, which use signage, labeling, access controls, and visual barriers to prevent unauthorized disclosure. Why This Matters Failing to treat ITAR- or EAR-controlled information as CUI can result in: Compliance gaps under DFARS 252.204-7012 CMMC assessment or DoD audit failures Yes – the DoD does audit subcontractors Export-control violations Increased contractual and regulatory risk Treating export control and CUI as a single, coordinated compliance obligation helps prevent these issues. IMPORTANT: You must also fully meet all ITAR/EAR export control program (minimum) requirements under DDTC and BIS guidance. See disclaimer below.  Authoritative References (Basic Set) 32 CFR Part 2002 – Controlled Unclassified Information DoDI 5200.48 – DoD CUI Policy DoDI 5230.24 – Controlled Technical Information DFARS 252.204-7012 – Safeguarding CUI NARA CUI Registry – Export Control (EXPT) ITAR (22 CFR Parts 120–130) EAR (15 CFR Parts 730–774)  LEARN MORE: For detailed regulatory analysis and citation mapping, see the “Advanced” FAQ version of this guidance How CUI Supply Products Help Meet CUI, ITAR, and EAR Safeguarding Requirements  CUI Supply products support the identification, awareness, and safeguarding of Controlled Unclassified Information (CUI), including export-controlled technical data subject to ITAR and EAR. By providing clear visual indicators, standardized markings, and reusable protection systems, CUI Supply helps organizations communicate access restrictions, warn unauthorized individuals, and reduce the risk of inadvertent disclosure in real-world environments. CUI Supply products: Support implementation and enforcement of CUI requirements Provide observable evidence of safeguarding practices for customer visits,  assessments, and audits. Do not replace policies, training, legal determinations, or system security controls CUI Supply products provide physical, visual, and procedural enforcement mechanisms that support an organization’s obligation to identify, mark, restrict access to, and prevent unauthorized disclosure of Controlled Unclassified Information (CUI), including export-controlled technical data subject to ITAR and EAR. These products do not replace policies or information system controls. Instead, they enable practical, observable compliance in real-world engineering, manufacturing, and visitor-access environments. CUI Identification, Awareness, and Safeguarding (How CUI Supply Products Support These Objectives)  Requirement Objectives Organizations handling Controlled Unclassified Information (CUI), including export-controlled technical data subject to ITAR and EAR, must ensure that: Personnel can readily recognize CUI and understand when special handling, access, and safeguarding requirements apply. CUI is properly identified, marked, and communicated so that authorized individuals understand applicable distribution restrictions and handling requirements. Individuals who are not authorized to access CUI are clearly warned of restricted content and associated regulatory requirements, helping prevent inadvertent or unauthorized disclosure. These objectives apply across offices, engineering spaces, manufacturing floors, test areas, and visitor-accessible environments, where CUI may be present even when not immediately visible. How CUI Supply Helps Meet These Objectives CUI Supply products provide practical, visual, and repeatable mechanisms that help organizations operationalize CUI identification and safeguarding requirements in day-to-day environments. Clear CUI Identification & Awareness CUI category signage and labels (e.g., CTI, EXPT / ITAR / EAR) reinforce correct recognition of export-controlled CUI. Standardized terminology and iconography align personnel understanding with DoD and federal CUI categories. Persistent visual cues reduce reliance on memory or training alone. Outcome: Personnel can immediately recognize when CUI is present and understand that special handling applies. Area-Level Marking & Environmental Awareness Area-level markings (e.g., CUI Zones, Controlled Viewing Areas) indicate that CUI may be present even when individual documents, screens, or workpieces are not visible. Boundary and transition indicators help distinguish public, controlled, and restricted spaces. Color-coded and standardized visual cues reduce ambiguity for employees, visitors, and escorts.  Outcome: Unauthorized individuals are warned before entering or observing restricted environments, reducing inadvertent exposure.  Communication of Distribution & Access Restrictions Export-control warning signage communicates ITAR/EAR access limitations, including foreign-person restrictions. “Authorized Access Only” and “Escort Required” indicators reinforce distribution controls at the point of use. Consistent labeling language supports uniform understanding across shifts, facilities, and sites. Outcome: Distribution restrictions are clearly communicated to both authorized and unauthorized individuals, supporting compliance and enforcement. Rapid Document Identification & Protection Document covers, sleeves, and reusable marking systems allow organizations to quickly identify, mark, and protect CUI. Reusable and durable solutions support high-tempo environments where documents are frequently created, moved, or reviewed. Temporary protection mechanisms help prevent unauthorized disclosure during reviews, meetings, audits, or production activities. Outcome: CUI is protected quickly and efficiently without disrupting operational workflows. Disclaimer This material is provided for general informational and educational purposes only and does not constitute legal advice, export control advice, cybersecurity advice, or a definitive compliance determination. The identification and handling of Controlled Unclassified Information (CUI), including export-controlled technical data subject to the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR), is fact-specific and contract-dependent. Obligations may arise from statutes, regulations, DoD policy, contract clauses, program direction, or written Government authorization. Organizations are responsible for reviewing their specific contracts, regulatory obligations, and applicable Government guidance, and for consulting with qualified legal counsel, export compliance professionals, or contracting officers as appropriate. Use of CUI Supply products or materials does not by itself ensure compliance with CUI, export control, DFARS, or CMMC requirements. You can do this. Roll up your sleeves and get to work. Our mission is to help YOU #ProtectCUI