In the world of federal contracting, few topics generate as much confusion and debate as Controlled Unclassified Information (CUI). Contractors frequently encounter this scenario: A Statement of Work (SOW) arrives unmarked. Technical deliverables—such as technology designs or site plans—are created based on requirements stated in that SOW. When the question of CUI marking arises, pushback often follows: “Only the government can mark CUI.”
This creates a genuine gray area that leaves primes, subcontractors, and compliance teams uncertain about their obligations. Here’s a clear-eyed look at what the rules actually say and how contractors should respond when the government doesn’t provide explicit markings.
The Government’s Role vs. the Contractor’s Role
The government (through the requiring activity or Contracting Officer) bears primary responsibility for initially designating what information qualifies as CUI and identifying it in the contract or when furnishing data. DoDI 5200.48 makes this expectation clear: the DoD Component should identify CUI via the contracting vehicle and provide appropriate guidance.
However, once work begins, contractors become authorized holders of information created or derived in performance of the contract. At that point, responsibility shifts in a meaningful way.
DoDI 5200.48, Section 3.6.a states: “The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.”
Section 5.1 of the same instruction reinforces a shared responsibility between DoD and industry—when established by contract—for the “identification, creation, sharing, [and] marking” of CUI documents and materials.
32 CFR Part 2002 (the foundational CUI regulation) similarly requires safeguarding and dissemination controls for information created or possessed for or on behalf of the government that falls under a CUI category, such as Physical Security (PHYS) or Controlled Technical Information (CTI). Facility-related technical drawings often fit these categories.
DFARS 252.204-7012 (Safeguarding Covered Defense Information) defines Covered Defense Information to include unclassified controlled technical information or other CUI that is collected, developed, received, transmitted, used, or stored by the contractor in support of the performance of the contract. The clause imposes safeguarding obligations regardless of whether the government pre-marked every source document.
In short: The government should mark or identify CUI upfront, but contractors cannot simply ignore the content of what they produce simply because the SOW lacked banners.
When the SOW Is Unmarked: Does That Clear Everything?
No. The absence of markings on the SOW does not automatically exempt derivative work.
Many agencies are still maturing their CUI programs, and unmarked sensitive information is unfortunately common. Contractors must still evaluate whether the information they generate meets a CUI category definition.
This is where the Christian Doctrine enters the discussion. Originating from the 1963 Court of Claims decision in G.L. Christian & Associates v. United States, the doctrine holds that certain mandatory requirements reflecting a “significant and deeply ingrained strand of public procurement policy” are read into federal contracts by operation of law—even if omitted from the written document.
Protecting CUI, grounded in national security policy under 32 CFR Part 2002 and Executive Order 13556, arguably qualifies as such a strand. The government’s administrative oversight or failure to mark the SOW does not waive the underlying legal and policy obligation to safeguard sensitive unclassified information.
Practical Response: What Contractors Should Do
When you find yourself in this gray area, follow these steps:
1. Treat the material as sensitive by default — Limit distribution, store it securely, and apply NIST SP 800-171-level protections if CUI is suspected. Over-protection is far safer than under-protection.
2. Document your analysis — Note that the deliverable was created from SOW requirements and appears to fall under a CUI category (e.g., Physical Security for facility plans or Controlled Technical Information for technical infrastructure details).
3. Escalate internally and up the chain — Notify the prime (if you are a sub) and recommend they seek written clarification from the government Contracting Officer. Better yet, request a Security Classification Guide (SCG) or equivalent CUI-specific guidance early in the contract. DoDI 5200.48 supports providing contractors with clear protective instructions when CUI will be produced.
4. Mark conservatively once guidance is received — Apply standard CUI banners (“CUI” at top and bottom), a designation indicator block (including “Controlled by,” category, and point of contact), and any dissemination controls. Do not unilaterally mark without direction unless your internal compliance process and legal counsel approve.
5. Build it into your process — Include CUI identification and marking reviews in your proposal and execution workflows. Train teams on derivative document responsibilities. Proactively ask for CUI guidance during kickoff or when SOWs appear silent on the topic.
The Bottom Line
Clear communication up the contract chain, combined with a proactive request for a Security Classification Guide or CUI marking instructions, is the most effective way to resolve ambiguity and reduce compliance risk for everyone involved.
The CUI gray area exists because government contracting is complex and implementation varies across agencies. However, the policy framework is not ambiguous on contractor obligations for information created under the contract.
When the government doesn’t mark it, contractors cannot treat that silence as permission to ignore potential CUI. Shared responsibility means contractors must act as responsible authorized holders—protect first, seek clarification second, and document everything.
Disclaimer: This article is for educational purposes only and is not legal advice. Contractors should consult their Facility Security Officer, compliance team, or legal counsel for guidance specific to their contracts and circumstances. Policies and interpretations can evolve—always refer to the latest versions of DoDI 5200.48, 32 CFR Part 2002, and applicable DFARS clauses.