Controlled Unclassified Information (CUI) – Guidelines for USU PIs

The federal government imposes minimum security requirements on information systems that store, process, or transmit sensitive information defined as Controlled Unclassified Information (CUI). These security standards are set forth by the National Institute of Standards and Technology (NIST) in NIST Special Publication 800-171.

USU’s IT infrastructure currently does not allow researchers on campus to access CUI. 

This webpage is designed to help USU PIs and administrators:

  • Understand the institutional limitations on working with CUI at USU; 
  • Learn how to identify, at the proposal stage, when a project may involve CUI; and
  • Take the appropriate steps when you encounter an award that features CUI. 

How to Determine if a Contract Features CUI

At the proposal stage, USU PIs should review the funding announcement carefully and, when uncertain, consult with the sponsor's technical point of contact or program manager to identify CUI involvement in an award. “Involvement” includes the collection, development (generation), receipt, transmission, use, or storage of such data to support the proposed work. 

Special controls for handling sensitive data may be required if an RFP/solicitation includes any of the following references: 

  • Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Covered Defense Information (CDI) 
  • 32 CFR Part 2002 - Controlled Unclassified Information (CUI) 
  • NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • FAR Clause 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
  • DFARS Clause 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls
  • DFARS Clause 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting

The Sponsored Programs Office (SPO) will also review the RFP/solicitation and award documentation for references to any of the above indicators of required data controls. Please make sure that you include a copy of the RFP in your Kuali proposal, or send a copy directly to SPO and your departmental proposal development specialist, to assist them in their review for potential CUI.

Frequently Asked Questions

CUI is a category of unclassified U.S. Government information that requires safeguarding and controls to prevent its public release and limit its distribution to only those with a lawful government purpose. 

CUI may be identified by clear markings/labels that alert recipients that special handling may be required to comply with law, regulation, or Government-wide policy. 

CUI is most common in projects sponsored by the Department of Defense (DoD) and its branches and subagencies, such as the U.S. Air Force or DARPA. CUI is also a feature of certain NASA awards. 

Controlled Technical Information (CTI), referenced in some DoD projects, is a form of CUI. 

In order for a researcher to work with CUI on DoD projects, the DoD requires that the researcher's institution be compliant with Level 2 of its Cybersecurity Maturity Model Certification (CMMC) Program. CMMC Level 2 aligns with the controls outlined in NIST SP 800-171. 

Beyond DoD and NASA, the Office of Research expects that more federal agencies will soon begin to use the CUI label to designate certain sensitive research data. 

While not explicitly considered CUI, National Institutes of Health controlled-access data, like CUI, requires adherence to the standards in NIST SP 800-171. For more information, see the NIH Security Best Practices for Users of Controlled-Access Data.

No. At this time, USU's IT infrastructure does not meet the CMMC Level 2 controls designed to provide secure access to CUI. The use of USU's network or information systems to access CUI may violate federal controls on sensitive information and could result in adverse consequences to both USU and the individual researcher. 

In some cases, however, the federal sponsor may rework the scope of a project to allow USU researchers to participate in the project without accessing CUI. Additionally, when a USU researcher is subcontracted on an award featuring CUI, the primary contractor may, in limited cases, permit USU researchers to access CUI by utilizing their compliant IT infrastructure. To consider these possibilities, it is important that PIs begin working with the Sponsored Programs Office (SPO) early on in the proposal stage. 

The USU Office of Research and IT are presently only working to certify institutional compliance with the CMMC Level 1 controls. This compliance will allow USU researchers to handle less sensitive data on campus, such as federal contract information (FCI) featured in some DoD and NASA awards. 

Yes. At times, federal agencies may reference any of the above CUI indicators even when the contract or subcontract does not actually feature CUI. Given USU's institutional inability to utilize CUI, it is crucial that PIs and SPO work together to confirm with the sponsor that a specific project will in fact feature CUI. 

The use of USU’s network or information systems to access CUI may violate federal controls on sensitive information and could result in adverse consequences to both USU and the individual researcher. 

You should immediately report any exposure to CUI (including inadvertent exposure) that occurs on USU's network or information systems (with the exception of the Space Dynamics Laboratory) to compliance@usu.edu.

When reporting the possible exposure to CUI, do not include any of the potentially sensitive data in your report.

No. Although the National Archives and Records Administration (NARA) includes export-controlled information within its CUI Registry, export-controlled information on a federal award need only be considered CUI when the sponsoring agency designates it as such. In addition, proprietary research that is not funded by the federal government, despite being subject to U.S. export control regulations, is not CUI. 

Having a Technology Control Plan (TCP) in place on your project does not indicate that the project is also CUI compliant. 

No. As with export-controlled information, although the National Archives and Records Administration (NARA) may include an information type in its CUI Registry, that information need only be considered CUI when the sponsoring agency designates it as such in its contract with researchers. While NARA is a government authority on CUI, it does not have a regulatory role, and USU PIs should reference the documentation issued by a contract’s sponsoring agency to determine CUI involvement in an award. 

No. A TCP is designed to help PIs ensure compliance with export controls that apply to a specific project. While TCPs may provide for a certain level of research data security, they are not designed to ensure compliance with the NIST SP 800-171 controls for CUI.