Controlled Unclassified Information (CUI)

U-M Research Information Security Oversight Program

The Research Information Security Oversight (RISO) program under the Office of the Vice President for Research is a cross-campus collaboration with:

Controlled Unclassified Information (CUI) is Federal non-classified information the U.S. Government creates or possesses, or that a non-Federal entity (such as the University of Michigan) receives, possesses, or creates for, or on behalf of, the U.S Government, that requires information and information system security controls as identified in a law, regulation, or government-wide policy.

CUI Regulations

The CUI security controls must be compliant with the federal regulations specified in 32 CFR Part 2002 and by the National Archives and Records Administration (NARA), who acts as the CUI Executive Agent (EA) to oversee the federal agency CUI compliance. The most commonly encountered Federal CUI requirements and guidelines include:

National Institutes of Standards and Technology (NIST) Special Publication (SP)

NIST SP 800-53r5 - Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-171r2 - Protecting CUI in Nonfederal Systems and Organizations
NIST SP 800-172 - Enhanced Security Requirements for Protecting CUI: Supplement to 800-171 Rev. 2

Federal Acquisition Regulation (FAR) Security Requirements

FAR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems

Department of Defense Federal Acquisition Regulation (DFARS)

DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7020 - NIST SP-171 DoD Assessment Requirements
DFARS 252.204-7021 - Cybersecurity Maturity Model Certification Requirements

Other requirements and guidance as directed in agency-specific regulations and certain legal documents may also apply.

"Information" as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI). FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.

“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems may include electronic media, non-electronic media, and physical environments.

About the Research Information Security Oversight (RISO) Program

A research project at the University of Michigan (U-M) may require implementation of CUI security controls when the Federal contract/grant contains language/clauses (e.g., FAR, DFARS, NIST SP) requiring such controls. OVPR's Research Information Security Oversight Program (RISO) reviews the contracts during negotiations with the contract sponsor to determine which information system security clauses may apply to a given contract.

A research project may be subject to CUI regulations if:

It is using data acquired under a Data Use Agreement (DUA) or similar legal document, and the data is information classified by the Federal government as CUI or FCI.

It includes information system security requirements under NIST SP 800-53r5, NIST SP 800-171r2, and/or NIST SP 800-172, even if no CUI is expected within the scope of a contract.

RISO notifies ORSP, the Principal Investigator (PI), and designated project team members (including staff maintaining relevant information systems) of the security requirements.

Required Training

The Federal CUI program requires training in several areas of CUI security.

All project team members identified by the PI and RISO who have existing or anticipated access to CUI or to information systems containing or handling CUI must complete the U-M PEERRS Controlled Unclassified Information (CUI) Protections training in My LINC. Failure to complete the mandatory training may result in loss of access to the affected research project.

Researcher Roles and Responsibilities

If CUI compliance is required for a research project, the PI and their unit Information Technology (IT) contact(s) will work with U-M's RISO to:

Verify the research project will receive, possess, and/or create CUI/FCI, or is otherwise required to implement security controls based on the CUI regulations.
Identify, with assistance from ITS-IIA and ARC-TS, the appropriate information security system/technology solution to secure and store the information.
Create the required system security plan (SSP) for the research project. The SSP plan establishes the security controls, policies, and procedures the research team will follow (e.g., information access restrictions, laboratory security, etc.) to comply with CUI/FCI and other Federal requirements.
Identify all project members to RISO that have or may have access to CUI and/or the information systems used to receive, transmit, generate, or maintain CUI for any given research project. Any changes to a project member’s CUI access for an affected research project must be identified to RISO.
Be available to assist with internal (U-M) and external (Federal and/or third-party) security audits of CUI and CUI -designated information systems under their purview for any given contract/award.
Complete the required training, and renew that training, as appropriate.

Program Monitoring

U-M's RISO program is monitored by the U-M CUI Governance Committee. The Committee issues policies, coordinates issues, coordinates solutions, approves system security plans (when applicable), ensures all affected research projects are in compliance with federal CUI/FCI rules, and continually monitors the effectiveness of the program.

FAQs

What type of information is considered to be CUI?

The National Archives CUI Registry identifies the information considered to be CUI by category/subcategories. A non-exhaustive list of categories includes:

Controlled technical information with military or space application
Critical infrastructure information (e.g., energy infrastructure, water systems, etc.)
Export controlled information or materials used in research
Nuclear information related to protecting reactors, materials, or security
Statistical information (e.g., U.S. Census)
Transportation information (e.g., railroad safety, etc.)

The CUI Registry is the authoritative online repository for information, policy, requirements and guidance on handling CUI.

What is the U.S. Government's interest in identifying and protecting CUI?

It is critical to protect sensitive government information, some with national security or U.S. trade implications, to reduce the risks of unauthorized release or misue. Application of and compliance with the information security controls helps protect this information against threats to cyber security, data breaches, or other unauthorized disclosures.

What are CUI control levels?

32 CFR Part 2002 identifies three control levels that guide the safeguarding or dissemination of CUI:

CUI Basic - requires or permits the agencies to control or protect the information, but provides no specific information security controls
CUI Specified - requires or permits the agencies to control or protect the information, and provides specific information security controls
CUI Specified, but with CUI Basic Controls - requires or permits the agencies to control or protect the information, and provides only some of the controls

When the university accepts a contract that includes CUI, the Research Information Security Liaison determines the level of CUI (basic or specified) control required and works with the research team to ensure that the appropriate controls are implemented for the life of the project.

Do I have to enforce CUI controls on contracts that have been signed previously?

The controls for CUI are only implemented when we have accepted a contractual obligation to implement specified NIST SP 800-171 controls. Federal agencies may issue contract amendments that would require CUI controls at any time after a contract has been accepted. Consequently, information security controls may change during a project's lifecycle, but these new terms would only be effective from the date we contractually accept them.

What are potential consequences of non-compliance with CUI requirements?

Failure to comply may result in contract challenges to, or loss of, the award and result in future ineligibility to be awarded government contracts.

Failure to accurately report the status of compliance could result in charges of fraud and criminal penalties for the individual researcher. In addition, the university could also experience adverse reputational, legal, or financial consequences.

References and Resources

National Archives Website on Controlled Unclassified Information Link to the agency that oversees the federal CUI Program. This website contains the CUI Registry, links to policies, guidelines, and more.
U-M ITS Safe Computing Data Classification Levels U-M institutional data is classified into one of four classifications or sensitivity levels. Researchers should become familiar with these levels and consider whether additional procedures should be implemented to adequately protect and manage the data used in and generated by research.
ITS Advanced Research Computing Secure Enclave Services (SES) U-M controlled computing environment for the hosting and analysis of CUI and/or other restricted research data.

Questions?

For questions about CUI at U-M, contact UMOR’s Research Information Security Oversight Program at Research.Information.Security@umich.edu.

Enterprise