Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls (32 CFR 2002.4).

Background of CUI

  • Established in 2010 and managed by the National Archives and Records Administration and the Information Security Oversight Office
  • CUI Registry contains the categories of CUI as well as appropriate markings, dissemination controls and the decontrol process
  • Created to preserve the confidentiality of sensitive federal information
  • Guidance in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Cybersecurity Maturity Model Certification Program (CMMC)

  • CMMC is a program from the Department of Defense to help assess the alignment and enforcement of security controls to NIST SP 800-171.
  • It requires the use of System Security Plans (SSP) and Plans of Action and Milestones (PoAMs) to document compliance with requirements.

How do we identify CUI?

  • Collaboration and coordination among the Office of Sponsored Programs, Secure and Global Research (SGR), and the Research IT Data Security team in the Office of the Vice President for Research is critical for identifying contracts with clauses that contain publication restrictions, such as DFARS 252.204-7012 and 252.204-7000. These clauses extend the basic federal IT security controls from FAR 52.204-21 to NIST SP 800-171’s extensive 110 security controls. Alerts are also in place for safeguarding data where export control restriction clauses exist on contracts that are not sponsored by the Department of Defense. Contracts by NASA or the Department of Energy have similar clauses that need to be evaluated.
  • You should also take the CSU CUI training for more information. 
  • Review the Secure and Global Research Export Control Website.
  • Review the Department of Defense Training Website.
  • Review the National Archives Controlled Unclassified Information (CUI) Website.

What storage is available for CUI data?

  • CSU has a Secure Enclave that is CMMC L2 and CUI compliant. This Secure Enclave is hosted by the University of California – San Diego Supercomputer Center, Sherlock Division and utilizes NIST SP 800-171 controls to meet the required FAR 52.204-21 and DFARS 252.204-7012 regulations.
  • To get access to the enclave you must have a project that requires this level of data security. 
  • Training for FAR 52.204-21 and DFARS 252.204-7012 is mandatory prior to access.
  • Training must be renewed each year.
  • A background check completed within the last 3 years is required, and you will be required to have a background check done every 3 years as long as your research project or work requires access to the secure enclave.
  • Please see the secure enclave page for more information.