Great question. The best information I've seen on CUI labeling is in the DoD training at DoD Mandatory Controlled Unclassified Information (CUI) Training. This is free and very detailed, everyone who handles CUI should be required to complete it. It's here that the rule to include CUI at the top and bottom of an email is explained.
From my understanding, CUI must be marked according to the contract you receive from your customer. You can't mark something as CUI without a contract that outlines the access and dissemination controls for that CUI. So I assume that your data is CUI because your contract with the government specifies that, and you have a CUI header defined for the data. You're just asking the best way to include it.
Based on the training, there are two required elements - the CUI Banner/Footer on each page, and the CUI Designation Indicator at least on the first page. If CUI exists only on one page, the entire document must be marked as CUI. Since TDMS files don't really have pages, you would need to include these in the metadata.
The CUI Banner would a simple metadata parameter stating "CUI". This would make searches easy. The CUI Designation Indicator would need to include the required elements:
Controlled by: [Name of Organization]
Controlled by: [Name of Office]
CUI Category: (List of CUI category or categories)
Limited Dissemination Control or Distribution Statement:
POC: [Phone or email address]
Most of that information would need to come from the contract, and refer to the authority issuing the contract. The POC is not you (the engineer), it is the person who decided what the CUI designation would be, probably back in the program office for your project.
I would store that information as metadata into the file header.
Our company also requires that all CUI files be saved with _CUI_ in the file name so that it can be identified as CUI without opening the file.
This document is also very helpful to understand the CUI marking rules: CUI-Quick-Marking-Tips.pdf.
