The federal government requires cybersecurity controls on certain types of protected data often used or gathered in research projects. The protected data, referred to as Controlled Unclassified Information (CUI), is defined and described in the Code of Federal Regulations (CFR) at 32 CFR Part 2002. CUI includes a broad spectrum of information types, many of which are relevant to research conducted on campus. A full list of information types (categories & subcategories) is available at the CUI Registry of the National Archives.
Does This Apply to You?
CUI compliance may be required if (1) your sponsor indicates that data in your award/contract is designated as CUI and/or is subject to NIST 800-171 controls or (2) your request for proposal/solicitation, award, or contract includes one of the following:
- 32 CFR 2002 Controlled Unclassified Information
- NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
- 252.204-7008 Compliance with safeguarding covered defense information controls
- 252.204-7012 Safeguarding covered defense information and cyber incident reporting
For questions regarding CUI terms in proposals, awards, or contracts, contact George Finney, Chief Security Officer.
CUI Compliance Process
- Using the CUI Checklist, consult with the Office of Information Technology about space, hardware, configuration and access settings.
- Contact George Finney, Chief Security Officer, to alert the Information Security Team that your proposal contains CUI requirements.
- The Information Security Team will assign a level of Availability, Integrity, and Confidentiality (AIC) to the data.
- The Information Security Team will select methods and controls to ensure that NIST 800-171 guidelines are met.
- The Chief Security Officer will either sign off on the assessment or determine that the risk is too high.