U.S. CUI Banner Marking (32 CFR 2002)

Detects Controlled Unclassified Information (CUI) banner and portion markings as defined by 32 CFR 2002.20 and the NARA CUI Registry. A CUI banner is the control marking "CUI" optionally followed by category markings (CUI//SP-PRVCY) and limited-dissemination controls (//NOFORN, //FEDCON, //FED ONLY, //NOCON, //DL ONLY, //REL TO ...), with elements separated by double slashes. The bare token "CUI" is too common to match alone, so a match requires either the "//" banner structure or the spelled-out phrase "Controlled Unclassified Information".

Type: regex
Engine: universal
Confidence: high
Confidence justification: High confidence: the "//" banner structure and the registry-defined dissemination tokens are highly specific to CUI markings, and the spelled-out phrase is unambiguous. Requiring structure or the full phrase eliminates matches on the bare three-letter token "CUI".
Jurisdictions: us
Regulations: NIST SP 800-171, 32 CFR 2002, FISMA
Frameworks: NIST CSF, ISO 27001, SOC 2
Data categories: government, security-classification
Scope: narrow
Risk rating: 9
Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported

Pattern

\bCUI//(?:SP-)?[A-Z]{2,}[A-Z0-9/-]*(?://(?:NOFORN|FEDCON|FED ONLY|NOCON|DL ONLY|REL TO [A-Z, ]+))?\b

Corroborative evidence keywords

controlled unclassified information, CUI, limited dissemination, dissemination control, NOFORN, FEDCON, basic, specified, designating authority, safeguarding, decontrol, CUI registry

Proximity: 300 characters

Should match

CUI//SP-PRVCY//NOFORN — Full CUI banner with privacy category and NOFORN dissemination control
Banner: CUI//PRVCY//FEDCON — CUI banner with category and FEDCON control
This document contains Controlled Unclassified Information per agency policy — Spelled-out CUI control phrase

Should not match

The cui dataset was uploaded to the cluster — Bare token "cui" with no banner structure or full phrase
SECRET//NOFORN — National-security classification banner, not a CUI marking
Please review the controlled access list before the meeting — Prose using "controlled" without the CUI phrase or banner

Known false positives

Strings of the shape "CUI//..." appearing in unrelated path-like or URL-like text where slashes separate uppercase tokens. Mitigation: Require corroborative CUI handling keywords (controlled unclassified information, limited dissemination, designating authority) within the proximity window.
Training material or policy documents quoting CUI marking examples rather than applying them. Mitigation: Combine with document-classification metadata and exclude known example/training file paths.