Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is non-classified information that the U.S. Government creates or possesses. Executive Order 13556 defines CUI as information held by or generated for the Federal Government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but that is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

CUI can also be information that a non-Federal entity such as the University System of New Hampshire (USNH) receives, possesses, or creates for, or on behalf of, the U.S. Government and that requires information and information system security controls identified in law, regulation, or government-wide policy. "Information" as defined by the Federal CUI Program may include research data and other project information. It is distinct from, but frequently overlaps with, non-public Federal Contract Information (FCI): FCI is protected in accordance with FAR 52.204-21 whenever a research team receives, possesses, or creates it in the performance of a sponsored contract, whether or not that information also qualifies as CUI.

The most commonly encountered Federal CUI requirements and guidelines include:

  • NIST SP 800-171r2
  • NIST SP 800-53r5
  • DFARS 252.204-7012, 7019, 7020, and 7021
  • NIST SP 800-172
  • FAR 52.204-21

Things to know about CUI:

  • Research data and other project information that a research team receives, possesses, or creates during the performance of federally funded research may be CUI.
  • The obligation to determine whether or not an award will involve CUI belongs to the federal sponsor; award documents should specifically identify the CUI and the applicable security requirements.
  • CUI safeguarding requirements are only applicable to USNH and USNH information systems when mandated by a federal agency in a contract, grant, or other agreement.
  • The security requirements apply to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

The CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.


CUI FAQ

CUI is defined by the National Archives CUI Registry and is listed by category and subcategory. The list includes, but is not limited to, the following:

  • Controlled technical information with military or space application
  • Export controlled information or materials used in research
  • Statistical Information (e.g., US Census)

The CUI Registry is the authoritative online repository for information, policy, requirements, and guidance on handling CUI.

It is critical to protect sensitive government information, some of which has national security or U.S. trade implications, to reduce the risk of unauthorized release or misuse. Applying and complying with the required information security controls helps protect this information against cyber threats, data breaches, and other unauthorized disclosures.

32 CFR Part 2002 and the CUI Registry identify three control levels that guide the safeguarding or dissemination of CUI:

  • CUI Basic - the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in 32 CFR Part 2002 and the CUI Registry.
  • CUI Specified - the subset of CUI for which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use and that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required for CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information.
  • CUI Specified, but with CUI Basic controls - the authorizing law, regulation, or Government-wide policy requires or permits agencies to control or protect the information but specifies only some of the controls; aspects of handling that the authority does not address are handled under the CUI Basic controls.

Research data is likely to be CUI only if both of the following hold:

  • it is provided to you by the U.S. government (or by another party acting on its behalf), or it is developed by you during the performance of U.S. government sponsored research; and
  • the contract or agreement specifies that the information is CUI.

The following are examples of information that is not CUI:

  • Proprietary research that is not funded by the federal government is not CUI.  This is true even when the background information provided by the sponsor and/or your research results are proprietary technical information subject to the US export control regulations.
  • Medical information and/or human subjects data subject to privacy protections (e.g., HIPAA or as part of informed consent representations) are not CUI.
    • Exception: Such data may be CUI when provided by the U.S. government, e.g., medical information about federal employees, to the University System for use in research. 
  • Student information subject to privacy protections (e.g., FERPA) is not CUI.
    • Exception: Such data may be CUI when collected by the U.S. government, e.g., certain financial information provided by students and/or parents in federal financial aid applications, which is then passed to the University System for use in financial aid administration.
  • Information that is already in the public domain (e.g., published), including publicly available U.S. government data sets.
  • Non-contextualized research data (e.g., raw output collected for a CUI project that must be correlated with additional input from a person, application, or second data source within the scope of the CUI research project in order to have meaning or context) will generally not be considered CUI unless it bears identifying marks linking it to a specific CUI project.

DoD Mandatory Controlled Unclassified Information Training can be found on the DoD CUI Program site.

National Archives CUI Training - Developed by the CUI Executive Agent, these training modules for the CUI Program are designed for a widespread audience at multiple levels within the government and beyond. The modules can be used to supplement any training or awareness efforts by Executive branch entities or other stakeholders (e.g., nonfederal organizations).

USNH has a CUI-focused training module available via our SANS Training Platform. For access to this module, please submit a ticket for Cybersecurity Training.

Failure to comply may result in contract challenges to, or loss of, the award, and in future ineligibility to be awarded government contracts.

Failure to accurately report the status of compliance could result in charges of fraud and criminal penalties for the individual researcher. In addition, the university could experience adverse reputational, legal, or financial consequences.

References

National Archives and Records Administration (NARA) - the agency that oversees the federal CUI Program and maintains the CUI Registry