
Reading the Banner: How CUI Marking and Handling Actually Work Under 32 CFR Part 2002

Knowing that you hold Controlled Unclassified Information is only half the job. The federal rulebook also dictates how that information gets marked, shared, and eventually let go — and contractors are bound by those rules the moment a marked document lands in their inbox.

Brandon Hancock, J.D., CMMC-RP · Published June 18, 2026 · Updated June 18, 2026 · 6 min read

Controlled Unclassified Information is not a label any one agency invented; it is a government-wide program with a single rulebook, and the markings on a document carry legal weight you are expected to honor. If your team protects CUI but can't read the banner line at the top of a file, you are flying half-blind. Here is how the system is built and what the markings are actually telling you to do.

One Program, One Executive Agent

The CUI Program traces to Executive Order 13556, signed November 4, 2010, which replaced a patchwork of agency-specific labels ("For Official Use Only," "Sensitive But Unclassified," and dozens more) with one standard. The Order names the National Archives and Records Administration (NARA) as the Executive Agent, and NARA delegated that role to its Information Security Oversight Office (ISOO).

The implementing regulation is 32 CFR Part 2002, issued in 2016. It establishes uniform policy for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI across the executive branch. Alongside the rule sits the CUI Registry — NARA's public, online catalog of every approved CUI category and the legal authority behind it. If a category isn't in the Registry, it isn't CUI.

Basic vs. Specified: The Distinction That Drives Handling

The regulation splits CUI into two control levels. CUI Basic is the default: information that a law, regulation, or government-wide policy says must be protected, but without prescribing how. CUI Specified applies when that underlying authority *does* impose specific handling or dissemination controls — think export-controlled technical data or certain health, tax, or law-enforcement information.

The practical consequence shows up in the markings. Both are marked simply "CUI" in the banner — you do not write "CUI Basic" or "CUI Specified." But Specified information requires the relevant category marking and obligates you to apply whatever additional controls the governing authority demands. Treating Specified material like Basic is a common and avoidable compliance failure.

What the Markings Are Telling You

A properly marked CUI document carries three things worth learning to read. First, a banner at the top of each page reading "CUI" (and, for Specified, the category). Second, a designation indicator — a line identifying the agency that designated the information, so you know who to ask if you need to disseminate or decontrol it. Third, any limited dissemination controls (LDCs), which restrict who may receive the information even within authorized audiences. NARA's *CUI Marking Handbook* is the working reference for getting this right.

Two failure modes matter equally. Under-marking (or no marking) means safeguards never get applied — you can't protect what you didn't recognize. Over-marking is also a violation: the rule prohibits using CUI controls to conceal information or as a substitute for classification. When markings look wrong, the disciplined move is to follow them while questioning the designating agency, not to quietly ignore them.

Where Contractors Fit In

Contractors rarely *designate* CUI, but they constantly *receive, create, and store* it — and the obligations flow down through your contract. On nonfederal systems, the protection baseline is DFARS 252.204-7012 paired with NIST SP 800-171. The FAR Council's proposed government-wide CUI rule (still in rulemaking) would extend standardized identification, marking, and handling expectations to contractors across all federal agencies, not just DoD.

The takeaway for compliance teams: marking is not clerical. It is the trigger that tells your people which safeguards, which dissemination limits, and which decontrol path apply. Build the banner-reading skill into onboarding, and tie it to your safeguarding controls.

Key Takeaways

  • CUI is a single government-wide program under EO 13556 and 32 CFR Part 2002, administered by NARA/ISOO, with the CUI Registry as the authoritative list of categories.
  • "Basic" vs. "Specified" determines your handling burden. Both are marked "CUI," but Specified requires category markings and the extra controls its governing authority imposes — don't conflate them.
  • Markings are operative instructions. The banner, designation indicator, and any limited dissemination controls tell contractors exactly how to safeguard, share, and decontrol the information — and both under-marking and over-marking are violations.

Confirm what governs your work with Find My Requirements, see how CUI fits the broader standards on Frameworks, and review the federal authorities behind it on Statutes. For the threshold question of whether you even hold CUI, read our companion post on the CUI vs. FCI distinction.

---

*Sources (primary): eCFR — 32 CFR Part 2002, Controlled Unclassified Information; Federal Register — Controlled Unclassified Information final rule (Sept. 14, 2016); National Archives — About CUI and CUI Registry. Supplementary: agency CUI program guides. Informational only, not legal advice.*

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.