Controlled Unclassified Information
Controlled Unclassified Information (CUI) defined:
CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide polices. CUI is not classified information. It is not corporate intellectual property unless created for or included in the requirements related to a government contract.
CUI is divided into two categories: CUI Basic and CUI Specified
CUI Basic must be safeguarded, handled, disseminated, marked, and destroyed in accordance with the basic requirements within the Code of Federal Regulations at 32 CFR Part 2002.
CUI Specified is CUI for which there are laws, regulations or government-wide policies that address specific safeguarding and handling. CUI Specified is not necessarily a higher level of CUI. Being categorized as “CUI Specified” means that certain requirements for handling and protecting such CUI are set forth in specific regulations or policies.
CUI Regulations and Resources
Security protocols for CUI must be in compliance with federal regulations specified 32 CFR Part 2002, and the National Archives and Records Administration (NARA). Frequently utilized CUI requirements and information can be found at the following locations:
National Institute of Standards and Technology (NIST) Special Publication (SP)
NIST SP 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-171 – Protecting CUI in the Nonfederal Systems and Organizations
NIST SP 800-172 – Enhancing Security Requirements for Protecting CUI: Supplement to 800-171 Rev 2
Department of Defense Federal Acquisition Regulation (DFARS)
DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7020 – NIST SP-171 DoD Assessment Requirements
DFARS 252.204-7021 – Cybersecurity Maturity Model Certification Requirements
"Information" as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI). FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.
“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems may include electronic media, non-electronic media, and physical environments.
Federal Acquisition Regulation (FAR) Security Requirements
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
CUI training can be found at the Defense Counterintelligence and Security Agency (DCSA), Center for Development and Security Excellence (CDSE). CUI training consists of initial and annual refresher CUI education and training for industry personnel as required by Government Contracting Activities (GCA) for contracts with CUI requirements.
Computer-based training may be found at https://securityawareness.usalearning.gov/cui/index.html. To schedule an in-person training session, please contact the university CUI Manager.
** Principal Investigators (PI) may have additional training requirements as directed in agency-specific regulations and contractual obligations.
Additional Training and Information
Researcher Roles and Responsibilities
If CUI compliance is required for a research project, the PI will work with the Office of Research Security Compliance to:
- Verify the research project will receive, possess, and/or create CUI, or is otherwise required to implement security controls based on the CUI regulations.
- Faculty researchers will identify information systems, devices, and technologies used to store, process, and share CUI, and coordinate with the Office of Research Security Compliance to ensure conformance with government requirements and standards.
- Create the required Technology Control Plan (TCP) for the research project. The TCP establishes the controls, policies, and procedures the PI and associated research team will follow to comply with CUI and other federal statutory requirements.
- Identify all project members to ORSC that will have or may have access to CUI and/or the information systems used to receive, transmit, generate, or maintain CUI for any given research project.
- Be available to assist with internal (Auburn University) and external (federal and/or third-party) audits of CUI and CUI designated information systems under their purview for any given contract.
- Complete required training and renew that training as dictated by contact specifications.
The CUI Registry is the government-wide online repository for federal level guidance regarding CUI policy and practice.
For questions related to CUI, please contact Kevin Briggins, CUI Manager at firstname.lastname@example.org or (334) 844-0266.