How are yall dealing with external users (mainly the government) emailing your company CUI unencrypted?

We are in GCC High and have sensitivity labels deployed. So I train my users to label the data as CUI when saving it locally or to sharepoint. However, The email will still sit in there inbox unencrypted.