Controlled Unclassified Information (CUI): What the Research Community Should Know
What is CUI?
Federal agencies and non-federal entities working on behalf of the federal government routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, needs to be protected from unauthorized access. Often the information must be kept confidential because it contains personally identifiable information. Other times it may be information that should not be shared due to national security or US competitiveness purposes. Additionally, the integrity and availability of the data must be maintained, so it must be kept in a way to assure it is not corrupted or lost. This information is considered Controlled Unclassified Information (CUI).
The use and control of CUI is governed by the regulations at 32 CFR Part 2002 “Controlled Unclassified Information”. The rule affects Federal executive branch agencies that handle CUI as well as any nonfederal entities that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
These controls must be compliant with the federal regulations specified in 32 CFR Part 2002 and by the CUI Executive Agent. The most encountered Federal CUI requirements and guidelines include NIST SP 800-171r2, NIST SP 800-53r5, DFARS 252.204-7012/7019/7020/7021, NIST SP 800-172, and FAR 52.204-21. Other requirements and guidance as directed in agency-specific regulations and certain legal documents may also apply.
Researchers Projects May be Subject to CUI Security Requirements
When receiving federal contracts and subcontracts or other sponsored agreements that contain any of the above FAR and/or DFAR clauses or other language regarding compliance with the NIST SP or 32 CFR Part 2002, a project may require implementation of CUI Security Controls.
CSU Process for Assuring Compliance
CSU has created a CUI Governance Committee that is in the process of developing policies, processes, and infrastructure necessary for CSU to be compliant with the security requirements outline in NIST SP 800-171r2, as well as to comply with the additional requirements of the DFARS clauses above. More information will come to the campus community from that committee in the coming months.
However, in the meantime, as CSU Sponsored Programs reviews incoming contracts, the Senior Research Administrator and Contracts Administrator are on the lookout for any of the FAR or DFAR clauses and any other terms and conditions in agreements requiring compliance with the NIST SPs. If those are identified, OSP will coordinate with the PI and the CSU Secure and Global Research (SGR) Office and CSU Division of IT Cybersecurity and Privacy Unit (DoIT) to determine what compliance is necessary and to put an IT Security Plan in place for the project. However, it is the Principal Investigator’s responsibility to assure compliance.
Check out the “CUI Award Lifecycle” tool created by the CUI working group at CSU.
Blog post by Bill Moseley, Pre-Award Manager, Office of Sponsored Programs and Sarah Robinson, Information Security Analyst, Cybersecurity and Privacy