Controlled Unclassified Information (CUI) is information that the U.S. Government creates or possesses, or that an entity (e.g., the University) creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. The federal CUI Registry identifies various categories of information which may be considered CUI and would require enhanced safeguarding in compliance with CUI Program requirements. Export-controlled information that the University creates or possesses for or on behalf of the Government under an agreement is just one of the many possible CUI categories.
CUI does not include classified information (i.e., information classified under Executive Order 13526 or the Atomic Energy Act) or information that a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. This means that CUI does not include research that the federal government did not fund, even though the research may still be subject to U.S. export controls (e.g., ITAR- or EAR-regulated data). CUI also does not include information that is published or otherwise in the public domain. These information types should not be marked as CUI.
Executive agencies are responsible for determining when contractors and subcontractors will receive or generate CUI as part of an agreement and will incorporate related compliance requirements within the agreement terms. Agencies may give advance notice of this determination by indicating anticipated CUI compliance requirements within a solicitation or program guidelines. The Department of Defense, for example, relies upon certain provisions of the Defense Federal Acquisition Regulations Supplement (DFARS) and utilizes Department-specific policies, requirements, and terminology. A DoD-funded award that involves CUI will reference, at a minimum, DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”. This provision points to other relevant DoD policies and definitions and is often accompanied by DFARS 252.204-7000, “Disclosure of Information”. This clause requires researchers to seek the DoD Contracting Officer’s written approval prior to public release and states that projects involving Covered Defense Information (CDI) will not be considered by DoD to qualify as “fundamental research”. A solicitation for a DoD award that is expected to involve CUI may include indicators such as DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls”.
CUI categories are divided into two subsets of safeguarding and dissemination requirements – CUI Basic and CUI Specified. CUI Basic is the subset for which the authorizing law, regulation or Government-wide policy does not set out specific handling or dissemination controls. CUI Basic must be handled in accordance with the uniform set of controls set forth in 32 CFR Part 2002 “Controlled Unclassified Information” and the CUI Registry. CUI Specified is the subset in which the authorizing law, regulation, or Government-wide policy does contain specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic. CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI.
CUI itself must be stored, handled and generated within controlled environments to ensure that unauthorized individuals are unable to access, observe, or overhear discussions of CUI. To this end, controlled environments should have adequate physical or procedural controls and must protect information in compliance with the implementing CUI Program regulations and NIST Special Publication 800-171, Safeguarding Controlled Unclassified Information in Nonfederal Systems and Organizations.
The Office of Export Controls requires all individuals who will access and/or participate in projects involving export-controlled CUI to be briefed into, sign, and maintain ongoing compliance with a Technology Control Plan (TCP). Research teams must also work with the University’s IT Security team to scope out and prepare for the resources the team will need to achieve compliance with NIST 800-171 standards and with OU IT’s “Confidential Research and Publications Policy”. This includes obtaining and using email accounts to exchange CUI within OU IT’s Secure Research environment (Microsoft Office 365 for Government). Additionally, all OU personnel who will store, transmit, or process CUI must receive suitable CUI awareness training provided by the OU System Security Training, Education, and Awareness Team. All personnel who handle CUI/CDI are required to complete levels 1 and 2, and personnel in IT roles who protect CUI must complete levels 1, 2, and 3. Trainings are initiated through the Office of Research Services (ris@ou.edu). Initial training must commence within 90 days of the identification of CUI requirements and must be renewed every 2 years thereafter.
Documents, emails, presentations, or other files which contain CUI must be marked in accordance with the CUI Marking Handbook and any other applicable agency-specific policies.
Notify the Office of Export Controls, which will assess applicable regulatory and contractual requirements and implement a Technology Control Plan (TCP) for all OU participants prior to executing the agreement. Also, notify the University’s IT Security team (grc@ou.edu) to begin identifying and preparing for the IT resources your team will need to achieve compliance with NIST 800-171 safeguards. Researchers can initiate this by requesting an IT security consultation for their upcoming project.
In addition to the University’s trainings, individuals may access free modules from the U.S. National Archives and Records Administration (NARA). The DoD CUI Program website provides training resources as well.