CMMC Banner Markings: A Practical Guide to Reading and Applying CUI Labels

CMMC Banner Markings: A Practical Guide to Reading and Applying CUI Labels

A practical, regulation-grounded guide to reading and applying CUI banner markings: control, category, and dissemination, in the order they appear.

Deep Fathom Last verified

A CUI banner marking carries three answers in three elements, read left to right. (1) The control marking is “CUI” or “CONTROLLED” per 32 CFR § 2002.20 — DoD uses “CUI” per DoDI 5200.48. (2) The category marking follows after a double slash and identifies which CUI category from the NARA CUI Registry applies; CUI Specified categories get the “SP-” prefix because they carry handling rules beyond the Basic baseline. (3) Dissemination controls are optional and only appear when an authority has restricted distribution beyond the standard CUI rules — common values are NOFORN (no foreign nationals), FEDCON (federal employees and contractors), FED ONLY, NOCON, DL ONLY (named distribution list), and REL TO (releasable to named foreign partners). Slash convention: double slash between unlike elements (control-to-category, category-to-dissemination), single slash between like elements (multiple categories, multiple dissemination controls). Categories list alphabetically. The most common defense banner is CUI//SP-CTI//NOFORN for technical data with foreign-release restriction.

Three answers live in every CUI banner. What kind of information the document holds. What extra handling rules attach. Who’s allowed to see it.

The label at the top of a CUI document isn’t decoration. It’s a routing instruction, and it’s read in three parts. The structure is fixed. The vocabulary is small. Yet most contractors who handle these documents day to day still squint at unfamiliar banners and guess. Mismark a CUI document and you’ve violated the very handling rules the banner exists to communicate.

This piece walks the three elements in order, then closes with the habits that make banner literacy routine. The format is friendlier than the industry treats it.

Element One, The Control Marking

The control marking always comes first. It tells the reader, in one word, that the document is in scope for CUI handling rules. Two values are permitted under the federal CUI program per 32 CFR 2002.20. CUI and CONTROLLED. Either is valid. Most agencies use CUI. The Department of Defense uses CUI per DoDI 5200.48.

This marking appears at the top and bottom of every page. The repetition is intentional. A page photocopied, faxed, or scanned out of a stack should still carry the marking on its own. If the control marking is present, downstream handling rules apply. If it’s absent, the document is unmarked, and the reader has no way to know whether they’re holding sensitive information.

That’s the whole job of the control marking. It’s a flag.

Element Two, The Category Marking

The category marking sits after the control marking, separated by a double slash (//). It identifies which category of CUI the document falls under, drawn from the NARA CUI Registry. Categories tell the reader which underlying authority controls the information. Health records, controlled technical information, export-controlled material, and law-enforcement-sensitive material each carry distinct statutory bases. The category marking is how you find out which set of rules applies.

CUI breaks into two flavors here, and the rules diverge.

CUI Basic is the default. Handling rules are uniform across all Basic categories. The standard safeguarding and dissemination requirements in 32 CFR Part 2002 apply. For Basic, agencies vary on whether the category appears in the banner. The NARA Marking Handbook treats category identification as the expectation for designated CUI, and DoD documents on the defense side typically include it (CUI//PRVCY for privacy, for example). Some agency implementations permit a banner reading just CUI for Basic, but the safer default is to include the category.

CUI Specified is different. Specified categories carry handling rules that go beyond the Basic baseline, set by the law or regulation that authorized the category. The category marking is mandatory, and the abbreviation gets prefixed with SP-. Health records flagged as Specified appear as SP-HLTH. Privacy under specified authority appears as SP-PRVCY. The SP- prefix tells the reader that extra rules attach and the registry needs consulting.

Multiple categories get listed alphabetically, separated by a single slash. CUI//PRVCY/PROCURE covers both Privacy and Procurement & Acquisition. CUI//SP-HLTH/SP-PRVCY has both categories as Specified. Mix and match is allowed. Order is not.

Element Three, Dissemination Controls

The third element is optional. It appears only when an authority has restricted distribution beyond the standard CUI rules. It sits after the category marking, separated by another double slash.

Common dissemination controls a defense contractor will encounter:

  • NOFORN. No release to foreign nationals or foreign governments.
  • FEDCON. Disseminable to federal employees and contractors.
  • FED ONLY. Federal employees only, no contractors.
  • NOCON. No contractor access.
  • DL ONLY. Disseminable to a named distribution list.
  • REL TO. Releasable to named foreign partners, followed by country codes.

These are exclusive instructions, not advisory. A document marked NOFORN cannot be shared with a foreign national employee on your team, even if they hold a clearance and sit two desks away. Dissemination controls put further fences around information that’s already controlled.

Multiple dissemination controls appear separated by a single slash, in the order specified by the NARA CUI Marking Handbook.

Decoding a Banner

Take the banner CUI//SP-HLTH/PHYS//NOFORN and walk it left to right.

  • CUI. Control marking. The document is CUI.
  • //. Separator before the category block.
  • SP-HLTH. First category, Specified Health Information. Extra rules from health-specific authority apply beyond the Basic baseline.
  • /. Separator between categories.
  • PHYS. Second category, Physical Security. Listed alphabetically after HLTH because P follows H.
  • //. Separator before dissemination controls.
  • NOFORN. No release to foreign nationals.

In plain English. This document holds Specified Health Information and Physical Security information, and it can’t be shared with anyone who isn’t a U.S. person. One of the two categories carries enhanced rules. Distribution is restricted.

Most banners a defense contractor encounters are simpler. CUI alone is common. CUI//SP-CTI (Specified Controlled Technical Information) is the most common form on the defense side. CUI//SP-CTI//NOFORN adds a foreign-release restriction, the typical pattern on technical data delivered under defense contracts.

Common Mistakes

The mistakes we see in audit and pre-publication review work fall into a small set.

Wrong order. Control marking first, category second, dissemination third. A banner reading NOFORN//CUI//SP-HLTH is wrong even though all three elements are present. The structure carries meaning. A reader scanning quickly relies on position.

Missing the SP- prefix. Writing HLTH instead of SP-HLTH treats a Specified category as Basic. The prefix signals that additional authority applies. Drop it and you’ve understated the controls.

Alphabetization errors. CUI//PHYS/HLTH reads as if it’s correct because both abbreviations are present. It isn’t. HLTH comes before PHYS. The handbook specifies alphabetical order, and assessors check.

Slash-count confusion. Single slash between like elements (two categories, two dissemination controls). Double slash between unlike elements (control to category, category to dissemination). Get the count wrong and a marking tool will reject the banner, or a human reader will misread the structure.

What This Means Operationally

Three habits do most of the work for an OSC handling marked documents.

Read the banner before the body. It determines where you can store the document, who you can share it with, and how you transmit it. Reading body first and banner second is the wrong sequence.

When you generate a new document derived from CUI source material, it inherits the markings of the most restrictive source. Summarize three documents marked CUI, CUI//SP-CTI, and CUI//SP-CTI//NOFORN and the summary banner is CUI//SP-CTI//NOFORN. Derivative marking is routine and an easy place to lose accuracy under deadline pressure.

When source marking is ambiguous or missing, stop. Don’t guess at categories. Contact the originating authority or your facility security officer and confirm. A missing banner isn’t permission to invent one.

A few cross-references for the surrounding work. Our CUI boundary scoping guide, the DFARS 252.204-7012 guide for the clause that creates the obligation, what is CMMC 2.0 for program context, and how to write an SSP for documenting how marked information moves through your environment.

Marking is part of how proof shows up at the artifact level. A clean banner is evidence that the producer understood the handling rules and applied them. A wrong banner is evidence of the opposite. Assessors read banners with the same attention they give to access logs.

Treat the banner the way you’d treat a chain-of-custody label. Three parts, in order, every time. Read the control marking to confirm CUI applies. Read the category to know which authority governs. Read the dissemination controls to know who can see it. Then handle accordingly.

The format is small enough to memorize in an afternoon. The cost of getting it wrong is high enough that the afternoon returns itself many times over. Train it once across the team, apply it consistently, and banner reading stops being a guessing game.


References · 6 official sources
SourceWhat it coversType
32 CFR Part 2002 (Controlled Unclassified Information)32 CFR Part 2002 — federal CUI program; § 2002.20 authorizes the “CUI” or “CONTROLLED” control markingRegulation
NARA CUI RegistryNARA CUI Registry — authoritative list of CUI categories, abbreviations, and which categories are Basic vs SpecifiedGuidance
NARA CUI Marking HandbookNARA CUI Marking Handbook — banner element order, slash conventions, dissemination-control list, derivative marking rulesGuidance
DoDI 5200.48 (Controlled Unclassified Information)DoDI 5200.48 — DoD-specific CUI marking guidance; specifies “CUI” usage on the defense sideGuidance
32 CFR Part 170 (CMMC Program Rule)32 CFR Part 170 — the CMMC Program Rule under which CUI handling triggers Level 2 obligationsRegulation
DFARS 252.204-7012 (Safeguarding Covered Defense Information)DFARS 252.204-7012 — the contractual obligation that flows the CUI handling requirement to defense contractorsRegulation