Controlled Unclassified Information, or CUI, is Federal non-classified information that the U.S. Government creates or possesses. As defined in federal regulation, CUI is information held by or generated for the Federal Government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, and that is not classified under the executive order governing classified national security information or the Atomic Energy Act, as amended.
CUI can also be information that a non-Federal entity (such as the University System of New Hampshire) receives, possesses, or creates for, or on behalf of, the U.S. Government and that requires information and information system security controls as identified in law, regulation, or government-wide policy. "Information" as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI). FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.
The most commonly encountered Federal CUI requirements and guidelines include:
Things to know about CUI:
- Research data and other project information that a research team receives, possesses, or creates during the performance of federally funded research may be CUI.
- The obligation to determine whether or not an award will involve CUI belongs to the federal sponsor; award documents should specifically identify CUI and the applicable security requirements.
- CUI safeguarding requirements are only applicable to the University System and its information systems when mandated by a federal agency in a contract, grant, or other agreement.
- The security requirements apply to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.
The CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than the governing regulation itself. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
CUI FAQ
CUI is defined by the CUI Registry and is listed by category and subcategory. The list includes, but is not limited to, the following:
- Controlled technical information with military or space application
- Export controlled information or materials used in research
- Statistical Information (e.g., US Census)
The CUI Registry is the authoritative online repository for information, policy, requirements, and guidance on handling CUI.
It is critical to protect sensitive government information, some with national security or U.S. trade implications, to reduce the risks of unauthorized release or misuse. Application of and compliance with the information security controls helps protect this information against threats to cyber security, data breaches, or other unauthorized disclosures.
Federal regulation identifies three control levels that guide the safeguarding or dissemination of CUI:
- CUI Basic - subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry.
- CUI Specified - subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information.
- CUI Specified, but with CUI Basic Controls - the underlying authority requires or permits agencies to control or protect the information, but provides only some of the controls.
Research data is only likely to be CUI if:
- it is provided to you by the U.S. government (or another party on their behalf)
- it is developed by you during the performance of U.S. government sponsored research; and the contract or agreement specifies that the information is CUI.
The following are examples of information that is not CUI:
- Proprietary research that is not funded by the federal government is not CUI. This is true even when the background information provided by the sponsor and/or your research results are proprietary technical information subject to the US export control regulations.
- Medical information and/or human subjects data subject to privacy protections (e.g., HIPAA or as part of informed consent representations) are not CUI.
- Exception: Such data may be CUI when provided by the U.S. government, e.g., medical information about federal employees, to the University System for use in research.
- Student information subject to privacy protections (e.g., FERPA) is not CUI.
- Exception: Such data may be CUI when collected by the U.S. government, e.g., certain financial information provided by students and/or parents in federal financial aid applications, which is then passed to the University System for use in financial aid administration.
- Information that is already in the public domain (e.g., published), including publicly available U.S. government data sets.
- Non-contextualized research data (e.g., raw output collected for a CUI project that must be correlated with additional input from a person, application, or second data source in scope of the CUI research project to have meaning or context) will generally not be considered CUI unless it bears identifying marks linking it to a specific CUI project.
DoD Mandatory Controlled Unclassified Information Training can be found online.
- Developed by the CUI Executive Agent, these training modules for the CUI Program are designed for a widespread audience at multiple levels within the government and beyond. The modules can be used to supplement any training or awareness efforts by Executive branch entities or other stakeholders (e.g., nonfederal organizations).
The University System has a CUI-focused training module available via our SANS Training Platform. For access to this module, please submit a ticket.
Failure to comply may result in contract challenges to, or loss of, the award and result in future ineligibility to be awarded government contracts.
Failure to accurately report the status of compliance could result in charges of fraud and criminal penalties for the individual researcher. In addition, the university could also experience adverse reputational, legal, or financial consequences.
References
- The CUI Executive Agent, the agency which oversees the federal CUI Program