
To protect your organization, it's essential to follow best practices when emailing CUI. CUI, or Controlled Unclassified Information, requires special handling to prevent unauthorized access.
Use a secure email system that uses encryption and two-factor authentication to protect CUI in transit. This is a must-have for organizations that handle sensitive information.
Limit access to CUI to only those who need it, and use role-based access controls to ensure that employees can only view the information they're authorized to see. This helps prevent accidental disclosure.
Use secure protocols like S/MIME or PGP to encrypt CUI in emails.
Broaden your view: Email Addresses to Use
What Is
Emails are considered Controlled Unclassified Information (CUI) if they require a CUI designation from Federal government entities or entities working on behalf of the federal government.
The CUI designation is usually marked in the subject line and body of an email, and if Proofpoint detects these markings, it will flag the email as CUI and apply certain policies.
Federal government entities or entities working on behalf of the federal government are responsible for including a CUI designation in electronic communications if required.
Proofpoint checks the subject line and body of an email for CUI-related markings, which can trigger a CUI flag and specific policies.
If this caught your attention, see: Why Is Cui Important
Marking and Flagging
CUI flagged emails won't be delivered directly to your mailbox, instead, they'll come in from the original sender with the original subject line.
Additional processing for CUI emails can slow down delivery, so it may take a few moments for the email to show up in your quarantined mailbox.
If you get an error trying to access a CUI email, wait a few minutes before trying again.
To mark CUI in emails, a banner marking will be placed at the top of the email body and the email must carry a CUI Designation Indicator.
When forwarding an email that contains CUI, you must include all the original CUI markings.
NARA recommends terminating the subject line with the phrase "[Contains CUI]".
If an email includes an attachment that contains CUI, NARA recommends indicating the presence of CUI in the file name, such as "FileName[CONTAINS CUI].docx".
Suggestion: Print Emails
Controls
Emailing CUI requires special handling to ensure confidentiality and security.
Incoming CUI emails will be quarantined, encrypted, and restricted from forwarding.
The encrypted email portal will automatically log out after a period of inactivity.
Decryption keys have an expiration time, after which the emails will no longer be available.
Here are some key controls to keep in mind when emailing CUI:
- Quarantine: Incoming CUI emails will be quarantined.
- Encryption: Incoming CUI emails will be encrypted.
- Restrictions: CUI emails will be restricted from forwarding.
- Internal flags: CUI emails, both incoming and outgoing, will be flagged internally.
- Tracking: CUI emails will be tracked.
Please exercise caution and good judgement in storage and sharing of emails labeled as CUI.
Challenges and Awareness
The DoD Inspector General recently released a highly critical report about the Department's implementation of the CUI program, highlighting the problems with CUI warnings.
Ironically, unwarranted CUI warnings can themselves constitute a policy violation, obstructing public transparency and congressional oversight.
A generic CUI warning is insufficient to comply with marking requirements, which demand headers, footers, and portion markings like classified information.
The CUI program is becoming a potent tool for whistleblower reprisal and exercising personal vendettas, as I wrote about earlier this year.
Why Are Emails Considered Spam?
Some emails are considered spam because they contain certain keywords or phrases that trigger spam filters.
See what others are reading: Emailing Spam
Spam filters often check the subject line and body of an email for these keywords, just like Proofpoint checks for CUI-related markings in emails.
Emails that are flagged as CUI are also often considered spam, as they may contain sensitive information that shouldn't be shared widely.
Spam filters can be overly sensitive and flag emails that are not actually spam, which can be frustrating for senders and recipients alike.
Certain email senders, like Federal government entities or entities working on behalf of the federal government, are more likely to send emails that are flagged as spam due to their use of CUI-related markings.
Challenges with Warning
Ironically, using a CUI warning can itself be a policy violation if it's unwarranted. CUI warnings can't be used to obstruct public transparency or congressional oversight, which is exactly what happens when they're misapplied.
The DoD Inspector General recently released a highly critical report about the Department's implementation of the CUI program, highlighting the problems with CUI warnings. This issue is not new and is not limited to the DoD context.
A generic CUI warning is insufficient to comply with marking requirements that demand specific headers, footers, and portion markings, similar to those used for classified information.
Designation and Indicators
To indicate that an email contains Controlled Unclassified Information (CUI), you must include a CUI Designation Indicator. This can be done through a letterhead, a signature block that includes the agency, or a "Controlled by" line.
The CUI Designation Indicator is required to ensure that the recipient knows the email contains sensitive information. This is a crucial step in maintaining the security and integrity of the information.
You can use a letterhead that includes the agency's name and logo to indicate CUI, or add a "Controlled by" line to the email.
Designation Indicator: All Documents Must Indicate Agency
The designation indicator is a crucial part of marking documents that contain Controlled Unclassified Information (CUI). It requires the use of a letterhead that includes the agency's name.
To accomplish this, you can also include the agency's name in a signature block. This is a common practice that helps ensure compliance.
The CUI Designation Indicator is required by law, and its purpose is to clearly indicate that the document contains sensitive information.
Determine the Category

Determining the category of Controlled Unclassified Information (CUI) is a crucial step in ensuring its proper handling and protection.
The originator of media that contains CUI is responsible for determining its category at origination.
You should consult relevant contract documents, the Prime contractor, or government program management office for guidance on identifying and marking media with necessary CUI markings and distribution limitations.
Laws, policies, and regulations associated with how information is produced or used determine whether information is deemed CUI.
For example, if a company produces a widget for the DoD, the engineering drawings, research data, and process sheets are considered CUI and must be marked as such.
But if the same widget is produced for commercial use, those same engineering drawings, research data, and process sheets are not CUI.
On a similar theme: Cold Emailing for Research
Federal Contractors and Employees
If you're a federal contractor or employee dealing with Controlled Unclassified Information (CUI), it's essential to know where to start. Go straight to the source and read 32 CFR Part 2002, Executive Order 13556, and the National Archives and Records Administration's (NARA's) CUI Registry.
To get the most up-to-date information, access all of this through NARA's CUI website. Inquire with your organization's security office whether your department or agency has implemented the CUI program yet. There are a handful of outliers that haven't yet done so.
If your organization has implemented the CUI program, ask your security office for any agency-specific trainings or policy memoranda that supplement the primary authorities identified above. DoD Instruction 5200.48 is a significant one to be aware of.
Featured Images: pexels.com


