You are here

Controlled Unclassified Information (CUI)

U-M Research Information Security Oversight Program

U-M's Research Information Security Oversight Program is a cross-campus collaboration with:

Controlled Unclassified Information (CUI) is Federal non-classified information the U.S. Government creates or possesses, or that a non-Federal entity (such as the University of Michigan) receives, possesses, or creates for, or on behalf of, the U.S Government, that requires information and information system security controls as identified in a law, regulation, or government-wide policy. 

These controls must be compliant with the federal regulations specified in 32 CFR Part 2002 and by the CUI Executive Agent The most commonly encountered Federal CUI requirements and guidelines include NIST SP 800-171r2, NIST SP 800-53r5, DFARS 252.204-7012/7019/7020/7021, NIST SP 800-172and FAR 52.204-21Other requirements and guidance as directed in agency-specific regulations and certain legal documents may also apply. 

"Information" as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI).  FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.

“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems may include electronic media, non-electronic media, and physical environments.

About the Research Information Security Oversight Program

A research project at the University of Michigan (U-M) may require implementation of CUI security controls when the Federal contract/award contains language/clauses (e.g., FAR, DFARS, NIST SP) requiring such controls.  ORSP and UMOR's Research Information Security Oversight Program (RISO) review the contracts during negotiations with the contract sponsor to determine which information system security clauses may apply to a given contract.

RISO will notify ORSP, the Principal Investigator (PI), and designated project team members of applicable information system security requirements if they exist.

A research project may include CUI if it is using data acquired under a Data Use Agreement (DUA) or similar legal document, and the data is information classified by the Federal government as CUI or FCI.

A research project may also include information system security requirements under NIST SP 800-53r5, NIST SP 800-171r2, and/or NIST SP 800-172, even if no CUI is expected within the scope of a contract.

The Federal CUI program requires training in several areas of CUI security.  All individuals with existing or anticipated  access to CUI or CUI-designated information systems must complete the U-M Mandatory CUI Training Package (provided by RISO).  RISO will distribute the Mandatory CUI Training Package based on the list of affected project team members provided by the PI.  Project Team Members who receive the Training Package must return a dated copy of the training certificate and dated/signed copy of the CUI Training Checklist form to RISO (Research.Information.Security@umich.edu) to receive credit for the mandatory training.  Failure to complete the mandatory training may result in loss of access to the affected research project.

 

Researcher roles and responsibilities

If CUI compliance is required for a research project, the PI and their unit Information Technology (IT) contact(s) will work with U-M's RISO to:

  • Verify the research project will receive, possess, and/or create CUI/FCI, or is otherwise required to implement security controls from the FAR, DFARS, NIST SP 800-171r2, NIST SP 800-172, NIST SP 800-53r5, or agency-specific regulation.

  • Identify, with assistance from ITS-IIA and ARC-TS, the appropriate information security system/technology solution to secure and store the information.  Appropriate system solutions may include the use of the Yottabyte Research Cloud (YBRC) platform offered through ARC-TS.

  • Create the required system security plan (SSP) for the research project.  The SSP plan establishes the security controls, policies, and procedures the research team will follow (e.g., information access restrictions, laboratory security, etc.) to comply with CUI/FCI and other Federal requirements.

  • Identify all project members to RISO that have or may have access to CUI and/or the information systems used to receive, transmit, generate, or maintain CUI for any given research project.  Any changes to a project member’s CUI access for an affected research project must be identified to RISO.

  • Be available to assist with internal (U-M) and external (Federal and/or third-party) security audits of CUI and CUI -designated information systems under their purview for any given contract/award.

Program Monitoring

U-M's Research Information Security Oversight Program is monitored by the U-M CUI Governance Committee.  The Committee issues policies, coordinates issues, coordinates solutions, approves system security plans (when applicable), ensures all affected research projects are in compliance with federal CUI/FCI rules, and continually monitors the effectiveness of the program.

FAQs

The National Archives CUI Registry identifies the information considered to be CUI by category/subcategories.  A non-exhaustive list of categories includes:

  • Controlled technical information with military or space application
  • Critical infrastructure information (e.g., energy infrastructure, water systems, etc.)
  • Export controlled information or materials used in research
  • Nuclear information related to protecting reactors, materials, or security
  • Statistical information (e.g., U.S. Census)
  • Transportation information (e.g., railroad safety, etc.)

​The CUI Registry is the authoritative online repository for information, policy, requirements and guidance on handling CUI.

It is critical to protect sensitive government information, some with national security or U.S. trade implications, to reduce the risks of unauthorized release or misue. Application of and compliance with the information security controls helps protect this information against threats to cyber security, data breaches, or other unauthorized disclosures.

 

32 CFR Part 2002 identifies three control levels that guide the safeguarding or dissemination of CUI:

  • CUI Basic - requires or permits the agencies to control or protect the information, but provides no specific information security controls
  • CUI Specified - requires or permits the agencies to control or protect the information, and provides specific information security controls
  • CUI Specified, but with CUI Basic Controls - requires or permits the agencies to control or protect the information, and provides only some of the controls

When the university accepts a contract that includes CUI, the Research Information Security Liaison determines the level of CUI (basic or specified) control required and works with the research team to ensure that the appropriate controls are implemented for the life of the project.

The controls for CUI are only implemented when we have accepted a contractual obligation to implement specified NIST SP 800-171 controls. Federal agencies may issue contract amendments that would require CUI controls at any time after a contract has been accepted. Consequently, information security controls may change during a project's lifecycle, but these new terms would only be effective from the date we contractually accept them.

Failure to comply may result in contract challenges to, or loss of, the award and result in future ineligibility to be awarded government contracts.

Failure to accurately report the status of compliance could result in charges of fraud and criminal penalties for the individual researcher.  In addition, the university could also experience adverse reputational, legal, or financial consequences.

References and Resources

Questions?

For questions about CUI at U-M, contact UMOR’s Research Information Security Oversight Program at Research.Information.Security@umich.edu.