CUI Marking & Handling: A Contractor's Guide

Receiving a drawing from your prime is the easy part. Protecting it properly — marking it right, storing it securely, transmitting it safely, and destroying it correctly — is where most contractors have gaps. Here's the complete guide.

Properly marked CUI documents have "CUI" appearing as a header and/or footer on every page that contains controlled information. The marking goes in all caps: CUI. That's the baseline. Simple, clear, consistent.

But the CUI program has categories — and some categories require additional markings. If your document contains export-controlled technical data, it might say:

CUI // SP-ITAR

If it contains critical infrastructure security information:

CUI // PCII

For most defense contractors working with technical data, you'll see "CUI" alone or with a CTI (Controlled Technical Information) category marking. When you're generating your own documents from controlled data, mark them accordingly.

Distribution Statements

Distribution statements are a DoD-specific marking system that controls who can receive a document. They're separate from CUI markings but often appear together on the same document. Here are the most common ones you'll encounter:

  • Distribution Statement A — Approved for public release; distribution unlimited. (Not CUI if this is the only marking.)
  • Distribution Statement B — Distribution authorized to U.S. Government agencies only. If you receive this document as a contractor, you've received it under special authorization.
  • Distribution Statement C — Distribution authorized to U.S. Government agencies and their contractors only.
  • Distribution Statement D — Distribution authorized to DoD and U.S. DoD contractors only. This is the most common marking on contractor-received technical data.
  • Distribution Statement E — Distribution authorized to DoD components only.
  • Distribution Statement F — Further distribution only as directed by originator.

If a document says "Distribution Statement D" or "Distribution Statement C," that's a strong indicator of CUI even if "CUI" doesn't appear explicitly. Treat it as controlled.

What to Do When You Receive Unmarked CUI

One of the most common frustrations for defense contractors: you receive a package of engineering drawings from a prime, and they're not marked "CUI." Does that mean they're not controlled?

No. Marking requirements fall on the originator. If a prime sends you unmarked controlled data, that's their compliance problem — but you're still responsible for protecting the information. Here's the practical approach:

  1. Check your contract — Does it include DFARS 252.204-7012? If yes, assume all technical data you receive under that contract is CUI until you can confirm otherwise.
  2. Contact the prime's contracting representative — Ask them to confirm whether the drawings are CUI and to mark them appropriately. Document that you asked. This protects you.
  3. Treat it as CUI in the interim — While you're waiting for clarification, store and handle the drawings as if they're controlled. You can always relax controls if they turn out to be uncontrolled; you can't undo a breach.
  4. Apply your own markings if needed — If you're forwarding the data to a sub, add "CUI" markings to documents that should be marked but aren't. Document why you added markings.

The prime failing to mark their drawings doesn't give you a pass on protecting them. Your DFARS clause creates the obligation regardless of whether the documents are marked correctly.
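As an added illustration (not part of this guide or any prime's tooling), the marking rules above can be turned into a simple intake triage: treat a document as controlled when any page carries a CUI banner or a restricted distribution statement (B through F), list the pages that lack the banner so you can raise them with the prime and record that you asked, and, when you must forward unmarked data to a sub, stamp the banner yourself. The banner grammar ("CUI" alone or "CUI // <category>"), the assumption that the banner is the first and last non-blank line of a page, and the sample drawing text are this example's own constructions.

```python
import re
from dataclasses import dataclass, field

# Banner grammar assumed from the guide: "CUI" alone, or "CUI // <category>" such as "CUI // SP-ITAR".
BANNER_RE = re.compile(r"^\s*CUI(?:\s*//\s*(?P<cat>[A-Z0-9-]+))?\s*$")
# DoD distribution statements: B through F restrict distribution; A alone is public release, not CUI.
DIST_RE = re.compile(r"Distribution Statement (?P<letter>[A-F])\b", re.IGNORECASE)
RESTRICTED = set("BCDEF")


@dataclass
class Assessment:
    treat_as_cui: bool = False
    unmarked_pages: list = field(default_factory=list)  # 1-based page numbers with no banner
    categories: set = field(default_factory=set)        # e.g. {"SP-ITAR"}
    distribution: set = field(default_factory=set)      # distribution statement letters seen
    reasons: list = field(default_factory=list)

    @property
    def needs_marking(self):
        # Controlled, but not banner-marked on every page: ask the originator to mark it,
        # or mark it yourself (and document why) before forwarding it to a sub.
        return self.treat_as_cui and bool(self.unmarked_pages)


def page_banner_categories(page):
    """Return (has_banner, categories) by checking the first and last non-blank line of a page."""
    lines = [ln for ln in page.splitlines() if ln.strip()]
    if not lines:
        return False, set()
    matches = [BANNER_RE.match(lines[0]), BANNER_RE.match(lines[-1])]
    cats = {m.group("cat") for m in matches if m and m.group("cat")}
    return any(matches), cats


def assess_document(pages, dfars_7012=False):
    """Decide whether a multi-page document must be handled as CUI and which pages lack the banner.

    dfars_7012=True applies the guide's rule for contracts carrying DFARS 252.204-7012:
    assume technical data received under the contract is CUI until confirmed otherwise.
    """
    a = Assessment()
    marked_pages = 0
    for num, page in enumerate(pages, start=1):
        has_banner, cats = page_banner_categories(page)
        if has_banner:
            marked_pages += 1
            a.categories |= cats
        else:
            a.unmarked_pages.append(num)
        for m in DIST_RE.finditer(page):
            a.distribution.add(m.group("letter").upper())
    if marked_pages:
        a.treat_as_cui = True
        a.reasons.append("CUI banner present")
    restricted = sorted(a.distribution & RESTRICTED)
    if restricted:
        a.treat_as_cui = True
        a.reasons.append("Distribution Statement " + "/".join(restricted))
    if not a.treat_as_cui and dfars_7012:
        a.treat_as_cui = True
        a.reasons.append("DFARS 252.204-7012 contract: assume CUI until the prime confirms otherwise")
    return a


def mark_page(page, category=None):
    """Add the CUI banner as header and footer; a page that already carries one is returned unchanged."""
    has_banner, _ = page_banner_categories(page)
    if has_banner:
        return page
    banner = "CUI" if category is None else f"CUI // {category}"
    return f"{banner}\n{page.strip()}\n{banner}"


# Constructed sample: a two-sheet drawing package where only sheet 1 was marked by the originator.
SAMPLE_PAGES = [
    "CUI\nDrawing 1234-A, sheet 1 of 2\n"
    "Distribution Statement D. Distribution authorized to DoD and U.S. DoD contractors only.\nCUI",
    "Drawing 1234-A, sheet 2 of 2\nMaterial: 7075-T6, see notes",
]

if __name__ == "__main__":
    result = assess_document(SAMPLE_PAGES)
    print(result)
    if result.needs_marking:
        for n in result.unmarked_pages:
            print(f"--- page {n}, marked for forwarding ---")
            print(mark_page(SAMPLE_PAGES[n - 1]))
```

The decision is deliberately conservative: a restricted distribution statement alone makes the document controlled, and the DFARS flag defaults unmarked technical data to CUI, which matches the "treat it as CUI in the interim" step above.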

Digital CUI Handling Requirements

Encryption at Rest

CUI stored digitally must be encrypted at rest. This means full-disk encryption on laptops and workstations (BitLocker on Windows, FileVault on Mac), encrypted storage volumes for servers containing CUI, and encrypted cloud storage using a FedRAMP-authorized platform. You cannot store CUI in an unencrypted folder on a shared drive that anyone can access.

Encryption in Transit

CUI transmitted electronically must be encrypted in transit. Email containing CUI must be sent via encrypted email (S/MIME or platform-level encryption like Microsoft 365 Message Encryption on GCC High). File transfers must use SFTP, HTTPS, or other encrypted protocols. Plain FTP is not acceptable. Unencrypted email is not acceptable.

Access Controls

Digital CUI must be protected by access controls — only authorized individuals can access it. Shared drives with no access controls are not compliant. Every person who can access your CUI must be individually authorized, and that authorization must be documented.

Email Best Practices

  • Mark the subject line with "CUI" when emailing controlled content
  • Only send CUI to verified government or contractor addresses
  • Don't forward CUI to personal email accounts
  • Don't send CUI via consumer platforms (Gmail, Yahoo, standard Outlook.com)
  • Use your compliant email platform (M365 GCC High, GovCloud email) for all CUI email
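The email rules above and the in-transit encryption requirement can be enforced as a pre-send check, the kind of logic a mail-flow rule or DLP policy would carry. The following is an added example, not the page's own tooling: a message counts as CUI when its subject carries the marker or its body carries a CUI banner line, and such a message is then checked for the subject marker, a compliant sending domain, encryption, and verified recipients. The domains (example-machining.us as the contractor's GCC High tenant, prime-example.com as a verified prime), the consumer-domain list, the sample messages and the `encrypted` flag standing in for S/MIME or platform encryption are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Consumer mail services the guide says CUI must never be sent to (list assumed for the example).
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "icloud.com"}
# Assumed for this example: the contractor's compliant tenant (e.g. M365 GCC High) and verified counterparties.
COMPLIANT_SENDER_DOMAINS = {"example-machining.us"}
VERIFIED_CONTRACTOR_DOMAINS = {"prime-example.com"}

SUBJECT_MARK_RE = re.compile(r"\bCUI\b")  # "CUI" as a word in the subject line
# A body line that is exactly "CUI" or "CUI // <category>", the banner form used on marked documents.
BODY_BANNER_RE = re.compile(r"^\s*CUI(?:\s*//\s*[A-Z0-9-]+)?\s*$", re.MULTILINE)


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    encrypted: bool  # True when S/MIME or platform encryption (e.g. Microsoft 365 Message Encryption) is applied


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_government_domain(domain):
    return domain.endswith(".mil") or domain.endswith(".gov")


def contains_cui(mail):
    """A message counts as CUI when its subject carries the marker or its body carries a CUI banner line."""
    return bool(SUBJECT_MARK_RE.search(mail.subject) or BODY_BANNER_RE.search(mail.body))


def check_outbound(mail):
    """Return the list of policy violations; an empty list means the message may be sent."""
    if not contains_cui(mail):
        return []  # not CUI: the CUI email rules do not apply
    violations = []
    if not SUBJECT_MARK_RE.search(mail.subject):
        violations.append("subject line is missing the CUI marker")
    if domain_of(mail.sender) not in COMPLIANT_SENDER_DOMAINS:
        violations.append(f"sender {mail.sender} is not on the compliant email platform")
    if not mail.encrypted:
        violations.append("message is not encrypted in transit (S/MIME or platform encryption required)")
    for rcpt in mail.recipients:
        dom = domain_of(rcpt)
        if dom in CONSUMER_DOMAINS:
            violations.append(f"recipient {rcpt} is a consumer mail account")
        elif not (is_government_domain(dom) or dom in VERIFIED_CONTRACTOR_DOMAINS):
            violations.append(f"recipient {rcpt} is not a verified government or contractor address")
    return violations


# Constructed sample messages for a stand-alone run.
GOOD_MAIL = OutboundMail(
    sender="eng@example-machining.us",
    recipients=["buyer@prime-example.com", "pco@contracting.mil"],
    subject="CUI - revised drawing 1234-A",
    body="CUI\nRevision B of drawing 1234-A is attached.\nCUI",
    encrypted=True,
)
BAD_MAIL = OutboundMail(
    sender="eng@example-machining.us",
    recipients=["buyer@gmail.com"],
    subject="revised drawing",
    body="CUI // SP-ITAR\nRevision B attached.\nCUI // SP-ITAR",
    encrypted=False,
)

if __name__ == "__main__":
    for mail in (GOOD_MAIL, BAD_MAIL):
        problems = check_outbound(mail)
        print(mail.subject, "->", "OK" if not problems else "; ".join(problems))
```

Recipient verification is an allowlist on purpose: a government domain or a counterparty you have verified passes, and anything else is blocked rather than merely warned about, since an address that looks like a prime's but is not on the verified list is exactly the case the rules are meant to catch.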

Physical CUI Handling Requirements

Storage

Physical CUI (printed drawings, paper documents, removable media) must be stored in a controlled location when not in use. A locked filing cabinet in a controlled-access room is the standard. You can't leave printed controlled drawings in the break room or on an open desk when you go home for the night.

Shipping and Mailing

Physical CUI shipped or mailed must be double-wrapped:

  • Inner opaque envelope or wrapper, marked "CUI" (or the specific category)
  • Outer plain envelope or wrapper with no CUI markings
  • Only approved carriers: FedEx, UPS, USPS Express/Priority for domestic
  • International shipments may require State Department authorization under ITAR

Destruction

Physical CUI that is no longer needed must be destroyed in a manner that prevents recovery. Cross-cut shredding (NSA/CSS EPL-listed shredders produce 1mm x 5mm particles) is standard. Strip shredding is not sufficient. Burning is acceptable. You cannot simply throw controlled documents in the trash or recycling bin.

Visitor Controls

When visitors — including customers, auditors, or vendor representatives — come to your facility, they should not have access to areas where CUI is visible or accessible without supervision. Practical requirements:

  • Visitors must be escorted by authorized personnel at all times in areas where CUI may be present
  • Computer screens in CUI areas should face away from visitor paths or use privacy screens
  • Printed CUI should be placed face-down or out of view when visitors are present
  • Visitor logs must be maintained for secure areas

Frequently Asked Questions

If you generate a document — an inspection report, a work order, a process specification — from or about controlled technical data, that document is also CUI. Mark it in the header and footer: "CUI" in all caps. If you know the specific CUI category (Controlled Technical Information, ITAR, etc.), add the category designation. Date the document and document its distribution. Keep it in your CUI environment.

Yes, but only using a compliant email platform. If you're on Microsoft 365 GCC High or a comparable FedRAMP-authorized environment, and you're sending to a verified prime contractor address, you can transmit CUI by email. The email should note "CUI" in the subject line. Do not send CUI via standard commercial email (regular Outlook, Gmail, etc.).

This is a reportable incident under DFARS 252.204-7012. You have 72 hours to report the incident to DoD via the DIBNet Portal (dibnet.dod.mil). Immediately notify the recipient that they've received CUI and ask them to destroy it and confirm destruction. Internally, document what happened, who sent it, who received it, what was in the email, and when you discovered the error. This is the same process for any CUI breach, digital or physical.

If those drawings are CUI, yes. Every physical copy of a CUI document needs to carry the CUI marking. That said, common practice for shop floor use is to ensure the original drawing package is properly marked, and to treat all prints from that package as CUI — even if the print itself doesn't have a header/footer due to how it printed. Put the marked cover sheet with the print set, and control access to the print set appropriately.

Retention requirements for CUI are set by the applicable regulations for the specific CUI category and the terms of your contract. For most technical data, the DoD contract will specify a retention period — commonly 3-7 years after contract completion. ITAR-controlled data has specific retention requirements under 22 CFR 130. Consult your contract and your legal counsel for specifics. When retention periods expire, destroy CUI following approved destruction methods.

Both. Electronic files should be named and/or have metadata indicating they're CUI, and ideally should have CUI marked in the file itself (document header, drawing title block, spreadsheet header row). Many organizations use document management systems that apply CUI classifications and watermarks automatically. At minimum, your electronic CUI should be stored in a folder or system that's clearly designated as the CUI environment, with documented access controls.
