Training & Education

Controlled Unclassified Information (CUI) can be confusing, especially for organizations trying to understand what it is, who must protect it, and how physical marking fits into compliance. This FAQ answers common questions about CUI, including safeguarding requirements, physical CUI risks, marking practices, controlled environments, visitor access, and the practical steps organizations can take to improve compliance readiness.

If you are marking computers, monitors, hard drives, or other devices that store or display Controlled Unclassified Information, one of the most common questions is: What’s the difference between the SF 902 and SF 905 CUI labels? The answer is simple: both labels are used to mark CUI on computers and digital media, but SF 902 includes “U.S. Government Property,” while SF 905 does not. What is the SF 902 label? The SF 902 is a CUI computer and digital media label used to identify devices and media that contain Controlled Unclassified Information. It's used to identify and protect electronic media and other equipment that contain CUI, and to alert holders to the presence of CUI stored on the device. The label includes the phrase “U.S. Government Property.” The SF 902 label is available in: 100-label rolls 500-label rolls Approximate size 2.125" x 1.25" What is the SF 905 label? The SF 905 serves the same general purpose as the SF 902: it is used for marking digital media and equipment associated with CUI. The key difference is that it is a generic version and does not include “U.S. Government Property” on the label. This version is intended for organizations that need a CUI media label without that government-property wording. Like the SF 902, the SF 905 is also available in: 100-label rolls 500-label rolls Approximate size 2.125" x 1.25" The main difference: government property wording This is the real deciding factor. Choose SF 902 if: You want the label to include “U.S. Government Property” and your environment prefers that wording. CUI Supply specifically says this version is recommended for many Defense Industrial Base contractors. Choose SF 905 if: You need a generic CUI label for computers or digital media, but do not want the label to say “U.S. Government Property.” What do SF 902 and SF 905 have in common? Both labels are designed to support clear visual marking of devices or media that contain CUI. These labels are used to alert holders to the presence of CUI on the device, referencing DFARS and 32 CFR 2002.20 requirements. In practical terms, both can be used on items such as: laptops desktop computers monitors external hard drives other digital media or equipment containing CUI Which one should you buy? For many defense contractors, SF 902 is often the better fit because it includes the more explicit “U.S. Government Property” language. For commercial organizations, mixed environments, or teams that want a cleaner generic format, SF 905 may make more sense. A simple way to think about it: SF 902 = CUI media label with “U.S. Government Property”SF 905 = CUI media label without “U.S. Government Property” Final takeaway If you are comparing SF 902 vs. SF 905, you are not really choosing between two completely different label types. You are choosing between the same general CUI media-marking function with two wording options. If your organization wants or expects “U.S. Government Property” on the label, go with SF 902. If you need the same style of label without that language, go with SF 905. This blog is designed to help readers understand the difference between SF 902 and SF 905 CUI labels and choose the right option for their environment. Many people searching for answers are looking for terms like SF 902 vs SF 905, SF 902 label, SF 905 label, CUI computer labels, CUI digital media labels, and CUI device labels. The article should also naturally address common questions such as when to use SF 902, when to use SF 905, which CUI label should I use, and what the difference is between a CUI label that includes U.S. Government Property and a more general CUI label. Since these labels are commonly used on computers, monitors, hard drives, laptops, and other digital media, related phrases like CUI labels for computers, digital media marking, CUI media identification, and device marking for CUI also fit well. Including this kind of language helps the post align with search intent from defense contractors and other organizations trying to properly mark devices and media that contain Controlled Unclassified Information.

If you work with the Department of Defense (DoD) or support the Defense Industrial Base (DIB), you’ve almost certainly heard the term CUI—but it’s also one of the most misunderstood concepts in compliance. Understanding Controlled Unclassified Information (CUI) is foundational to DFARS, NIST SP 800-171, and CMMC compliance. This guide breaks it down clearly and practically.

Prepared by DTCGlobal.us for CUISupply.com Summary: Yes. When ITAR or EAR-controlled technical data or technology is used, created, or required to perform a U.S. Department of Defense (DoD) contract or subcontract at all tiers, it qualifies as Controlled Unclassified Information (CUI) and must be protected accordingly. The most direct answer comes from: See DoD Procurement Toolbox, Cybersecurity FAQ #22.and Question #28. Look below to learn how CUI Supply products can help you meet these requirements. CUI Supply products support compliance by helping organizations clearly identify and protect export-controlled CUI during the performance of the contract in controlled environments or CUI zones such as: Engineering offices Manufacturing floors Quality and test areas Visitor and customer access zones Through signage, labeling, zoning, and visual-control mechanisms, CUI Supply helps prevent unauthorized disclosure of ITAR- and EAR-restricted information, aligning day-to-day operations with DoD CUI and export-control requirements. What This Means for Manufacturing Companies Many manufacturing organizations mistakenly treat export control (ITAR/EAR) and CUI/CMMC as separate compliance efforts. Under DoD contracts, they are closely connected. ITAR and EAR determine who is allowed access to technical data and technology. CUI requirements determine how that information must be identified, marked, and protected. When export-controlled information supports DoD contract performance, both sets of requirements apply at the same time. When ITAR / EAR Information Becomes CUI Export-controlled information qualifies as CUI when it is: Provided by the DoD, or Generated by your company while performing a DoD contract, and Required to be protected by law, regulation, or government-wide policy. In these cases, the information is typically categorized as: CUI // Export Control (EXPT) Often overlapping with Controlled Technical Information (CTI) Common Examples in Manufacturing This includes, but is not limited to: Engineering drawings and CAD files Technical data packages Manufacturing and process instructions Specifications, tolerances, and test data Quality and inspection documentation If these materials are ITAR- or EAR-restricted and tied to a DoD contract, they must be treated as CUI. What You Are Expected to Do When DFARS 252.204-7012 is included in your contract, your organization must: Identify export-controlled information involved in contract performance Mark it as CUI in accordance with DoD guidance Protect it using appropriate physical, visual, procedural, and system safeguards Control access, including preventing unauthorized foreign-person exposure This applies whether the information was: Received from the government, or Created by your company during contract performance CUI Zones and Manufacturing Environments In manufacturing settings, CUI protection is not limited to IT systems. Export-controlled CUI often exists in physical spaces, such as: Engineering offices Manufacturing floors Quality and test areas Areas where visitors or customers may be present These areas commonly require CUI Zones, which use signage, labeling, access controls, and visual barriers to prevent unauthorized disclosure. Why This Matters Failing to treat ITAR- or EAR-controlled information as CUI can result in: Compliance gaps under DFARS 252.204-7012 CMMC assessment or DoD audit failures Yes – the DoD does audit subcontractors Export-control violations Increased contractual and regulatory risk Treating export control and CUI as a single, coordinated compliance obligation helps prevent these issues. IMPORTANT: You must also fully meet all ITAR/EAR export control program (minimum) requirements under DDTC and BIS guidance. See disclaimer below.  Authoritative References (Basic Set) 32 CFR Part 2002 – Controlled Unclassified Information DoDI 5200.48 – DoD CUI Policy DoDI 5230.24 – Controlled Technical Information DFARS 252.204-7012 – Safeguarding CUI NARA CUI Registry – Export Control (EXPT) ITAR (22 CFR Parts 120–130) EAR (15 CFR Parts 730–774)  LEARN MORE: For detailed regulatory analysis and citation mapping, see the “Advanced” FAQ version of this guidance How CUI Supply Products Help Meet CUI, ITAR, and EAR Safeguarding Requirements  CUI Supply products support the identification, awareness, and safeguarding of Controlled Unclassified Information (CUI), including export-controlled technical data subject to ITAR and EAR. By providing clear visual indicators, standardized markings, and reusable protection systems, CUI Supply helps organizations communicate access restrictions, warn unauthorized individuals, and reduce the risk of inadvertent disclosure in real-world environments. CUI Supply products: Support implementation and enforcement of CUI requirements Provide observable evidence of safeguarding practices for customer visits,  assessments, and audits. Do not replace policies, training, legal determinations, or system security controls CUI Supply products provide physical, visual, and procedural enforcement mechanisms that support an organization’s obligation to identify, mark, restrict access to, and prevent unauthorized disclosure of Controlled Unclassified Information (CUI), including export-controlled technical data subject to ITAR and EAR. These products do not replace policies or information system controls. Instead, they enable practical, observable compliance in real-world engineering, manufacturing, and visitor-access environments. CUI Identification, Awareness, and Safeguarding (How CUI Supply Products Support These Objectives)  Requirement Objectives Organizations handling Controlled Unclassified Information (CUI), including export-controlled technical data subject to ITAR and EAR, must ensure that: Personnel can readily recognize CUI and understand when special handling, access, and safeguarding requirements apply. CUI is properly identified, marked, and communicated so that authorized individuals understand applicable distribution restrictions and handling requirements. Individuals who are not authorized to access CUI are clearly warned of restricted content and associated regulatory requirements, helping prevent inadvertent or unauthorized disclosure. These objectives apply across offices, engineering spaces, manufacturing floors, test areas, and visitor-accessible environments, where CUI may be present even when not immediately visible. How CUI Supply Helps Meet These Objectives CUI Supply products provide practical, visual, and repeatable mechanisms that help organizations operationalize CUI identification and safeguarding requirements in day-to-day environments. Clear CUI Identification & Awareness CUI category signage and labels (e.g., CTI, EXPT / ITAR / EAR) reinforce correct recognition of export-controlled CUI. Standardized terminology and iconography align personnel understanding with DoD and federal CUI categories. Persistent visual cues reduce reliance on memory or training alone. Outcome: Personnel can immediately recognize when CUI is present and understand that special handling applies. Area-Level Marking & Environmental Awareness Area-level markings (e.g., CUI Zones, Controlled Viewing Areas) indicate that CUI may be present even when individual documents, screens, or workpieces are not visible. Boundary and transition indicators help distinguish public, controlled, and restricted spaces. Color-coded and standardized visual cues reduce ambiguity for employees, visitors, and escorts.  Outcome: Unauthorized individuals are warned before entering or observing restricted environments, reducing inadvertent exposure.  Communication of Distribution & Access Restrictions Export-control warning signage communicates ITAR/EAR access limitations, including foreign-person restrictions. “Authorized Access Only” and “Escort Required” indicators reinforce distribution controls at the point of use. Consistent labeling language supports uniform understanding across shifts, facilities, and sites. Outcome: Distribution restrictions are clearly communicated to both authorized and unauthorized individuals, supporting compliance and enforcement. Rapid Document Identification & Protection Document covers, sleeves, and reusable marking systems allow organizations to quickly identify, mark, and protect CUI. Reusable and durable solutions support high-tempo environments where documents are frequently created, moved, or reviewed. Temporary protection mechanisms help prevent unauthorized disclosure during reviews, meetings, audits, or production activities. Outcome: CUI is protected quickly and efficiently without disrupting operational workflows. Disclaimer This material is provided for general informational and educational purposes only and does not constitute legal advice, export control advice, cybersecurity advice, or a definitive compliance determination. The identification and handling of Controlled Unclassified Information (CUI), including export-controlled technical data subject to the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR), is fact-specific and contract-dependent. Obligations may arise from statutes, regulations, DoD policy, contract clauses, program direction, or written Government authorization. Organizations are responsible for reviewing their specific contracts, regulatory obligations, and applicable Government guidance, and for consulting with qualified legal counsel, export compliance professionals, or contracting officers as appropriate. Use of CUI Supply products or materials does not by itself ensure compliance with CUI, export control, DFARS, or CMMC requirements. You can do this. Roll up your sleeves and get to work. Our mission is to help YOU #ProtectCUI