U-M Research Information Security Oversight Program
U-M's Research Information Security Oversight Program is a cross-campus collaboration with:
- UMOR - Research Ethics & Compliance
- Office of Research and Sponsored Projects (ORSP)
- Information Assurance (IA)
- Advanced Research Computing - Technology Services (ARC-TS)
- Michigan Medicine Corporate Compliance Office
- Office of General Counsel
Controlled Unclassified Information (CUI) is federal non-classified information that the U.S. Government creates or possesses, or that a non-federal entity (such as the University of Michigan) receives, possesses, or creates for, or on behalf of, the U.S. Government, and that requires information security controls to safeguard or disseminate. These controls must comply with the federal regulations specified in 32 CFR Part 2002 and NIST SP 800-171r1.
"Information" as defined by the federal CUI Program may include research data and other project information that a research team receives, possesses, or creates in the performance of a sponsored contract.
About the Research Information Security Oversight Program
A research project at the University of Michigan (U-M) may require the implementation of CUI information security controls when the federal contract/award contains language/clauses (e.g., FAR, DFAR) requiring those controls. ORSP and UMOR's Research Information Security Oversight Program review the contracts to determine the applicability of the clauses in negotiation with the sponsor.
A research project may also include CUI if it is using data acquired under a Data Use Agreement (DUA) and the data is information classified by the government as CUI.
Researcher roles and responsibilities
If CUI compliance is required for a research project, the Principal Investigator and their unit Information Technology (IT) contact(s) will work with U-M's Research Information Security Oversight Program to:
- Verify that the research project will receive, possess, and/or create CUI
- Identify, with assistance from ITS-IIA and ARC-TS, the appropriate information security system/technology solution to use to secure and store the information. Appropriate system solutions may include the use of the Yottabyte Research Cloud (YBRC) platform offered through ARC-TS.
- Create the required information security plan for the research project. This plan outlines the policies and procedures the research team will follow (e.g., information access restrictions, laboratory security, etc.) to comply with the CUI requirements.
U-M's Research Information Security Oversight Program is monitored by the Michigan Medicine Corporate Compliance Office. Monitoring includes the initial certification and periodic re-certification that the appropriate controls are in place for each research project, and continual monitoring of the effectiveness of U-M's CUI program.
Examples of CUI categories that may appear in research projects include:
- Controlled technical information with military or space application
- Critical infrastructure information (e.g., energy infrastructure, water systems, etc.)
- Export controlled information or materials used in research
- Nuclear information related to protecting reactors, materials, or security
- Statistical information (e.g., U.S. Census)
- Transportation information (e.g., railroad safety, etc.)
The CUI Registry is the authoritative online repository for information, policy, requirements and guidance on handling CUI.
It is critical to protect sensitive government information, some of which has national security or U.S. trade implications, to reduce the risk of unauthorized release or misuse. Applying and complying with the information security controls helps protect this information against cybersecurity threats, data breaches, and other unauthorized disclosures.
32 CFR Part 2002 identifies three control levels that guide the safeguarding or dissemination of CUI:
- CUI Basic - requires or permits the agencies to control or protect the information, but provides no specific information security controls
- CUI Specified - requires or permits the agencies to control or protect the information, and provides specific information security controls
- CUI Specified, but with CUI Basic Controls - requires or permits the agencies to control or protect the information, and provides only some of the controls
When the university accepts a contract that includes CUI, the Research Information Security Liaison determines the level of CUI (basic or specified) control required and works with the research team to ensure that the appropriate controls are implemented for the life of the project.
The controls for CUI are only implemented when we have accepted a contractual obligation to implement specified NIST SP 800-171 controls. Federal agencies may issue contract amendments that would require CUI controls at any time after a contract has been accepted. Consequently, information security controls may change during a project's lifecycle, but these new terms would only be effective from the date we contractually accept them.
Failure to comply may result in contract challenges to, or loss of, the award and result in future ineligibility to be awarded government contracts.
Failure to accurately report the status of compliance could result in charges of fraud and criminal penalties for the individual researcher. In addition, the university could also experience adverse reputational, legal, or financial consequences.