Most Controlled Unclassified Information marking guidance tells you to add the banner and portion marks. The marking that fails contractors is the over-marking, specifically a portion mark on the Designation Indicator block, which DoD Instruction 5200.48 explicitly prohibits. A federal-contractor compliance officer who is “marking everything” so the assessor cannot find a gap discovers during her organization’s CUI self-inspection program (or during a DCMA Defense Industrial Base Cybersecurity Assessment Center review under DFARS 252.204-7020) that her over-marked CUI Designation Indicator is itself a finding, and the over-marking is dispersed across 200 templates her team has been using for three years.
The marking failure is not a missing banner. It is a portion mark in the wrong place, a Limited Dissemination Control marker applied without authority, or a Designation Indicator that confuses the originating agency with the contractor. Each of these is correctable in a single document and disastrous when propagated across the document inventory. The four mark layers are independent; getting three right and one wrong produces a finding.
This article walks the four mark layers in the order an assessor reads them: the CUI banner, portion marks across the document body, Limited Dissemination Control markers, and the Designation Indicator block. It is the operational guide to CUI marking and dissemination controls written for the contractor compliance officer who has already marked everything once and now needs to know what to un-mark.
Bottom Line Up Front. Most CUI marking guidance tells you to add the banner and portion marks. The marking that fails contractors is the over-marking, specifically a portion mark on the Designation Indicator block, which DoDI 5200.48 explicitly prohibits. This article walks the four mark layers in the order an assessor reads them: CUI banner, portion marks across the document body, Limited Dissemination Control markers, and the Designation Indicator block. It is written for the contractor compliance officer who has already marked everything once and now needs to know what to un-mark.
The Four Mark Layers, In Order
An assessor reading a CUI document checks the banner first, the portion marks second, the Limited Dissemination Control markers third, and the Designation Indicator block last. The order matters because each layer presupposes the layer above. A document with a missing banner cannot be saved by perfect portion marks. A document with perfect portion marks but a malformed Designation Indicator fails because the originating authority is unclear.
| Layer | What It Is | Where It Goes | Common Failure |
|---|---|---|---|
| CUI Banner | Top-of-page identifier showing CUI status and any LDC markers | Top of every page (header) and bottom of every page (footer) | Missing on attachments; format inconsistent |
| Portion Marks | Per-element identifier (CUI) on portions containing CUI | Subjects, titles, paragraphs, sub-paragraphs, bullets, headings, tables, graphs | Applied to the Designation Indicator block (prohibited) |
| LDC Markers | Limited Dissemination Control labels (e.g., NOFORN, FED ONLY, FEDCON) | Banner and portion marks where applicable | Applied without underlying authority; confused with classification |
| Designation Indicator | Identification of the agency and authority that designated the CUI | Achieved via letterhead, signature block, or a “Controlled by:” line; placement is in the lower right of the first page or cover per DCSA Marking Job Aid and CDSE guidance (32 CFR 2002.20(a)(3)(d)) | Portion-marked (prohibited); names contractor instead of originating agency |
Layer One: The CUI Banner
Per the ISOO/NARA CUI Marking Handbook (32 CFR 2002.20(b)), the CUI Banner Marking is mandatory at the top portion of every page that contains CUI; placement at the bottom of the page is an optional best practice. The banner reads “CUI” by itself when no Specified Category and no Limited Dissemination Controls apply. When a Specified Category and an LDC both apply, a canonical defense-contractor banner reads “CUI//SP-CTI//FEDCON”. The CUI control marking comes first, the Specified Category marking second (here, SP-CTI for Controlled Technical Information), and the LDC marking last (here, FEDCON for federal personnel and federal contractors), each separated by double forward slashes. SP-FED is not a NARA CUI Registry Specified Category; FED ONLY and FEDCON are Limited Dissemination Controls, not Specified Categories.
The most common banner failure is inconsistency across attachments. The cover document is banner-marked correctly; the appendix is not. The PowerPoint is banner-marked; the Excel attachment that the PowerPoint references is not. The fix is procedural: every document in a CUI submission must be banner-marked, and the submission package itself should include a manifest that lists every component and confirms its banner status.
The second common banner failure is format drift. Different teams produce documents from different templates, and the banner format varies. CUI banners must be formatted consistently with National Archives CUI Marking Handbook guidance. The fix is a single approved template per document type with the banner pre-populated.
Layer Two: Portion Marks
Portion marks identify which portions of the document contain CUI. Per DoDI 5200.48, if portion marks are used, they must be applied to all portions: subjects, titles, paragraphs, sub-paragraphs, bullets and sub-bullets, headings, pictures, graphs, charts, maps, and reference list entries. Portion marks are not required, but if they are present, they must be present everywhere they apply.
The portion-mark failure that fails contractors most often is the over-mark. DoDI 5200.48 explicitly states: “Do not apply portion marks to the CUI Designation Indicator.” The Designation Indicator is metadata about the document; it is not itself CUI content. Portion-marking the Designation Indicator confuses the metadata with the content and is treated as a marking error in assessment.
The second portion-mark failure is the under-mark. A document marked at the banner level without portion marks is acceptable. A document marked at the banner level with portion marks on some elements but not others is not acceptable. The contractor must choose: portion-mark every applicable portion or no portion. Mixed marking signals confusion about what is CUI within the document.
The third portion-mark failure is the wrong indicator. Portion marks for CUI use the literal string “CUI” or “(CUI)” depending on the template. Some contractors use “(U/CUI)” to mimic classification marking syntax; this is non-standard and is treated as a marking error.
Layer Three: Limited Dissemination Control Markers
Limited Dissemination Control markers restrict who may receive the CUI within the federal community. The most common LDCs in defense contracting are NOFORN (no foreign nationals), FED ONLY (federal personnel only), FEDCON (federal personnel and federal contractors), DL ONLY (specified distribution list), and DISPLAY ONLY (no further dissemination beyond display). LDCs are applied at the banner and at the portion-mark level where applicable.
The LDC application failure is applying a marker the contractor does not have authority to apply. LDCs are designated by the originating agency, not by the contractor handling the CUI. A contractor receiving a document marked NOFORN must continue to mark it NOFORN; the contractor cannot remove the marker. A contractor producing a document derived from CUI must mark the derived document with the same LDCs that applied to the source. A contractor cannot add new LDCs to a derived document unless the contractor’s contract authorizes the contractor to designate at that level.
The second LDC failure is confusing LDC markers with classification markers. LDCs (NOFORN, FED ONLY) are formatted similarly to classification dissemination controls but are not classification markings. CUI is unclassified. A contractor that applies classification-style marking to CUI documents creates a different problem from missing CUI marks; the document looks classified but is not, which can produce inappropriate handling and reporting.
Layer Four: The Designation Indicator Block
The Designation Indicator identifies the agency that designated the information as CUI, the office that designated it, the contact information for that office, and the legal authority for the designation. Per 32 CFR 2002.20(a)(3)(d) and the ISOO/NARA CUI Marking Handbook, this requirement may be satisfied through letterhead, a signature block that includes the agency, or an explicit “Controlled by:” line. Per DCSA Marking Job Aid and CDSE Quick Marking Tips guidance, the Designation Indicator is placed in the lower right of the first page or cover, not at the top of the page. The ISOO/NARA CUI Marking Handbook example places the “Controlled by:” block after the body content of a letter, consistent with lower-right footer placement. Whichever form a contractor selects, the indicator should include lines for “Controlled by,” “Categories,” “Limited Dissemination Control,” and a point of contact.
The Designation Indicator must name the originating agency, not the contractor. A contractor handling DoD CUI does not put the contractor’s name in the “Controlled by” field; the contractor puts the DoD office that designated the information. A contractor that names itself as the controller is asserting designation authority the contractor does not have.
The Designation Indicator must not be portion-marked, as discussed in Layer Two. The Designation Indicator must include the legal authority for the CUI designation; the authority is the specific category in the National Archives CUI Registry, not a generic citation to DoDI 5200.48 or to FISMA.
The most common Designation Indicator failure is the partial block. A contractor includes “Controlled by: DoD” without naming the office and without including a POC. The Designation Indicator must be complete; partial blocks create downstream uncertainty about who can answer questions about the designation.
Dissemination Controls Beyond the Markings
Markings establish that the document contains CUI; dissemination controls govern what can be done with the document. Per DoDI 5200.48, CUI dissemination is limited to authorized individuals with a lawful government purpose. Contractors and partners may access CUI only when contractually permitted and when the access aligns with mission objectives.
The contract is the source of authority. A contractor’s authority to handle CUI derives from the specific contract clauses that govern the engagement, typically DFARS 252.204-7012 for defense contractors. A contractor receiving CUI outside the scope of the contract has a problem: the receipt may be unauthorized even if the marking is correct.
The dissemination control language in the contractor’s internal policy should mirror the contract language. Three operational rules should appear in any contractor CUI policy. First, CUI may be handled only by personnel with documented need-to-know and the appropriate background determination. Second, CUI may be transmitted only through approved channels (encrypted email, approved file-sharing, secure document handling). Third, CUI may be disposed of only through approved methods (cross-cut shredding for paper, sanitization following NIST SP 800-88 Rev 1 guidance for electronic media).
The Self-Inspection Approach
Most contractors discover marking failures during their own internal CUI self-inspection program (or during a DCMA-DIBCAC assessment under DFARS 252.204-7020 in CMMC-scoped environments). The self-inspection is most effective when it tests the four layers separately. A contractor inspecting all four at once produces a finding list too long to remediate efficiently. A contractor inspecting one layer at a time produces a remediation list that can be cleared in a defined window.
Layer-one self-inspection (banners) tests a sample of documents from the CUI inventory for banner presence and consistency. Sample size: 30 to 50 documents from each of the major document types (briefings, technical reports, correspondence, forms). The inspection produces a banner-compliance percentage and a list of templates that need correction.
Layer-two self-inspection (portion marks) tests the same sample (or an expanded sample) for portion-mark consistency. The inspection asks: are portion marks present where required, absent where prohibited, and consistent in format? Common findings: missing portion marks on table cells, inconsistent indicator format, prohibited marks on Designation Indicators.
Layer-three self-inspection (LDCs) tests the sample for appropriate LDC application. The inspection asks: do the LDCs match the originating agency’s intent, are they preserved in derived documents, are they correctly formatted? Common findings: LDCs added by the contractor without authority, LDCs dropped in derived documents, LDC formatting inconsistent.
Layer-four self-inspection (Designation Indicators) tests the sample for complete Designation Indicators. The inspection asks: does each document have a Designation Indicator, does it name the originating agency, does it include a POC, is it portion-marked (which would be a finding)? Common findings: missing Designation Indicators, incorrect controllers, prohibited portion marks.
The Template Remediation Plan
A contractor with three years of accumulated marking errors faces a remediation problem more than a marking problem. Two hundred templates may be in use across the organization, each producing dozens to hundreds of documents per month. The remediation plan must address the templates and the in-flight document inventory separately.
Step one is the template inventory. Identify every template in use that produces CUI documents. The list typically includes briefing templates, technical report templates, correspondence templates, statements of work, and form templates. Centralize the list in a single registry.
Step two is the template correction. Correct each template against the four-layer model. The corrections produce v2 versions of each template; the v1 versions are retired.
Step three is the template publication. Publish the v2 templates through the channels users actually access (SharePoint, document management systems, internal portals). Communicate the change to template users.
Step four is the in-flight document handling. Existing documents produced from v1 templates are not retroactively re-marked unless they are re-issued. New issuances use v2 templates. The in-flight inventory ages out as documents are revised through normal workflows.
Step five is the verification cycle. Re-run the self-inspection 90 days after template publication. The compliance percentage should rise materially. Findings remaining at 90 days indicate template adoption gaps or specific documents still produced from v1 templates.
Frequently Asked Questions
Are portion marks required?
Portion marks are not required by DoDI 5200.48. If they are used, they must be applied consistently across all portions. Many contractors use portion marks because the agency requesting the work expects them, even when the contract does not require them.
What is the difference between FED ONLY and FEDCON?
FED ONLY restricts dissemination to federal personnel only; FEDCON allows dissemination to federal personnel and federal contractors. FEDCON is the more common LDC in contractor environments because it permits handling by the contractor’s own staff. The difference matters because the contractor cannot upgrade FED ONLY to FEDCON; the originating agency makes the determination.
Can I mark a document CUI if I am not sure?
Cautious over-marking is preferable to under-marking when the question is whether the document contains CUI. The over-mark is the prohibited application of CUI marks where the underlying content is not CUI; that is a different concern. When a contractor genuinely cannot determine whether content is CUI, the contractor should consult the originating agency or the Information Security Manager.
How do I mark CUI in email?
The email subject line should begin with “(CUI)” and the body should include the CUI banner at the top and the Designation Indicator at the bottom. Email transmitting CUI must use approved encrypted channels per the contract.
Do I need to mark CUI in chat or messaging applications?
CUI should not be transmitted through chat or messaging applications unless the application is specifically approved for CUI handling. Most consumer messaging applications are not approved. Microsoft Teams in GCC High and similar government cloud environments are typically approved — a consideration that bears directly on the SPRS score controls addressing access to CUI systems.
What is the legal basis for CUI?
Executive Order 13556 established the CUI Program in 2010. The National Archives Information Security Oversight Office maintains the CUI Registry, which lists categories and subcategories. DoDI 5200.48 is the DoD-specific implementation. Each contract that requires CUI handling cites the relevant authorities, typically including DFARS 252.204-7012 for defense contractors.
The verdict. CUI marking is one of the few compliance disciplines where over-doing it produces failure. The four mark layers are designed to be applied with precision, not enthusiasm. The contractor whose marking program is mature inspects layer by layer, corrects templates centrally, and treats the Designation Indicator with the discipline it deserves. The contractor whose marking program is immature marks everything and gets a finding for marking the wrong thing. A DCMA-DIBCAC assessor (or an internal self-inspection lead) reads the four layers in order. The same assessor will review the CUI handling controls inside the CMMC enclave or GCC High environment your organization has chosen for CUI storage. The contractor whose marks pass that read produces a clean assessment; the contractor whose marks fail produces a finding list that takes longer to remediate than the original marking would have taken to do correctly.
