Controlled Unclassified Information (CUI) – Guidelines for USU PIs

USU now hosts CUI-compliant IT infrastructure
As of May 22, 2026, USU IT administers a Research Enclave that is CMMC Level 2 compliant, allowing researchers to safely handle CUI in a controlled, virtual environment.

USU PIs may now submit proposals for awards that may feature CUI and should follow the guidelines below for (1) identifying CUI or CMMC requirements on an award and (2) coordinating with USU IT and the Office of Research for those awards.

The federal government sets minimum security requirements for information systems that house or transmit sensitive information defined as Controlled Unclassified Information (CUI). These security standards are set forth by the National Institute of Standards and Technology (NIST) in NIST Special Publication 800-171.

This webpage is designed to help USU PIs and administrators:

  • Understand the institutional limitations on working with CUI at USU; 
  • Learn how to identify, at the proposal stage, when a project may involve CUI; and
  • Take the appropriate steps when you encounter an award that features CUI. 

What is CUI?

CUI is a category of unclassified U.S. Government information that requires safeguarding and controls to prevent its public release and limit its distribution to only those with a lawful government purpose. 

CUI may be identified by clear markings/labels that alert recipients that special handling may be required to comply with law, regulation, or Government-wide policy. 

What is CMMC?

CMMC, short for Cybersecurity Maturity Model Certification, is the Department of Defense’s framework for handling sensitive contract and research information.

CMMC certifications encompass three levels. USU is presently self-certified at CMMC Level 2, which encompasses the U.S. government’s requirements for housing or transmitting CUI.

How to Determine if an Award Features CUI or CMMC Requirements

At the proposal stage, USU PIs should review the funding announcement carefully and, when uncertain, consult with the sponsor's technical point of contact or program manager to identify CUI involvement in an award. “Involvement” includes the collection, development (generation), receipt, transmission, use, or storage of such data to support the proposed work. 

Special controls for handling sensitive data may be required if an RFP/solicitation includes any of the following references: 

  • Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Controlled Defense Information (CDI) 
  • 32 CFR Part 2002 - Controlled Unclassified Information (CUI) 
  • NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • FAR Clause 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
  • DFARS Clause 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls
  • DFARS Clause 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
  • Cybersecurity Maturity Model Certification (CMMC)

The Sponsored Programs Office (SPO) will also review the RFP/solicitation and award documentation for references to any of the above indicators of required data controls. Please make sure that you include a copy of the RFP in your Kuali proposal, or send a copy directly to SPO and your departmental proposal development specialist to assist them in their review for potential CUI.

How to Work on an Award with CUI or CMMC Requirements

After a PI and the Sponsored Programs Office (SPO) have identified that an award will feature CUI or CMMC requirements, SPO will designate the project accordingly in its systems in order to trigger a process for the PI to onboard as a designated user within USU’s Research Enclave. The Research Enclave is a virtual environment for safely working with CUI and meeting CMMC requirements, and onboarding will involve a series of short training and other orientation steps jointly conducted by USU IT and the Office of Research.

Frequently Asked Questions

CUI is most common in projects sponsored by the Department of Defense (DoD) and its branches and subagencies, such as the U.S. Air Force or DARPA. CUI is also a feature of certain NASA awards. 

Controlled Technical Information (CTI), referenced in some DoD projects, is a form of CUI. 

In order for a researcher to work with CUI on DoD projects, the DoD requires that the researcher's institution be compliant with Level 2 of its Cybersecurity Maturity Model Certification (CMMC) Program. CMMC Level 2 aligns with the controls outlined in NIST SP 800-171. 

Beyond DoD and NASA, the Office of Research expects that more federal agencies will soon begin to use the CUI label to designate certain sensitive research data. 

While not explicitly considered CUI, National Institutes of Health controlled-access data, as with CUI, requires adherence to the standards in NIST SP 800-171. For more information, see the NIH Security Best Practices for Users of Controlled-Access Data.

Yes. The Office of Research is still determining a charging model for user costs for the Research Enclave, but a single user’s seat in the Research Enclave will cost approximately $2,500. For now, PIs should initiate a discussion with the Office of Research regarding cost and funds for Research Enclave access by contacting compliance@usu.edu.

Yes. At times, federal agencies may reference any of the above CUI indicators even when the contract or subcontract does not actually feature CUI. Given USU's institutional inability to utilize CUI, it is crucial that PIs and SPO work together to confirm with the sponsor that a specific project will in fact feature CUI. 

The use of USU’s network or information systems to access CUI may violate federal controls on sensitive information that could result in adverse consequences to both USU and the individual researcher. 

You should immediately report any exposure to CUI, including inadvertent exposure, that occurs on USU's network or information systems (with the exception of the Space Dynamics Laboratory) to compliance@usu.edu.

When reporting the possible exposure to CUI, do not include any of the potentially sensitive data in your report.

No. Although the National Archives and Records Administration (NARA) includes export-controlled information within its CUI Registry, export-controlled information on a federal award need only be considered CUI when the sponsoring agency designates it as such. In addition, proprietary research that is not funded by the federal government, despite being subject to U.S. export control regulations, is not CUI. 

Having a Technology Control Plan in place on your project does not indicate the project is also CUI compliant. 

No. As with export-controlled information, although the National Archives and Records Administration (NARA) may include an information type in its CUI Registry, that information need only be considered CUI when the sponsoring agency designates it as such in its contract with researchers. While NARA is a government authority on CUI, it does not have a regulatory role, and USU PIs should reference the documentation issued by a contract’s sponsoring agency to determine CUI involvement in an award. 

No. A TCP is designed to help PIs ensure compliance with export controls that apply to a specific project. While TCPs may provide for a certain level of research data security, they are not designed to ensure compliance with the NIST SP 800-171 controls for CUI.