Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is Federal non-classified information that the U.S. Government creates or possesses, or that a non-Federal entity (such as Alabama A&M University) receives, possesses, or creates for, or on behalf of, the U.S. Government, and that requires information and information system security controls as identified in a law, regulation, or government-wide policy.
CUI Regulations
The CUI security controls must comply with the federal regulations specified in 32 CFR Part 2002 and with the requirements of the National Archives and Records Administration (NARA), which acts as the CUI Executive Agent (EA) overseeing federal agency CUI compliance. The most commonly encountered Federal CUI requirements and guidelines include:
NATIONAL INSTITUTES OF STANDARDS AND TECHNOLOGY (NIST) SPECIAL PUBLICATION (SP)
- NIST SP 800-53r5 - Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-171r2 - Protecting CUI in Nonfederal Systems and Organizations
- NIST SP 800-172 - Enhanced Security Requirements for Protecting CUI: Supplement to 800-171 Rev. 2
FEDERAL ACQUISITION REGULATION (FAR) SECURITY REQUIREMENTS
- FAR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems
DEPARTMENT OF DEFENSE FEDERAL ACQUISITION REGULATION (DFARS)
- DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7020 - NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7021 - Cybersecurity Maturity Model Certification Requirements
Other requirements and guidance as directed in agency-specific regulations and certain legal documents may also apply.
"Information" as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI). FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.
“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems may include electronic media, non-electronic media, and physical environments.
AAMU RESEARCH INFORMATION SECURITY OVERSIGHT PROGRAM
The AAMU Research Information Security Oversight (RISO) program under the Office of Research Compliance (ORC) is a cross-campus collaboration with:
A research project at Alabama A&M University (AAMU) may require implementation of CUI security controls when the Federal contract or grant contains language or clauses (e.g., FAR, DFARS, NIST SP) requiring such controls. A research project may be subject to CUI regulations if:
- It is using data acquired under a Data Use Agreement (DUA) or similar legal document, and the data is information classified by the Federal government as CUI or FCI.
- It includes information system security requirements under NIST SP 800-53r5, NIST SP 800-171r2, and/or NIST SP 800-172, even if no CUI is expected within the scope of a contract.
RISO notifies OSP, the Principal Investigator (PI), and designated project team members (including staff maintaining relevant information systems) of the security requirements.
REQUIRED TRAINING
The Federal CUI program requires training in several areas of CUI security. All project team members identified by the PI and RISO who have existing or anticipated access to CUI or to information systems containing or handling CUI must complete the AAMU PEERRS Controlled Unclassified Information (CUI) Protections training. Failure to complete the mandatory training may result in loss of access to the affected research project.
RESEARCHER ROLES AND RESPONSIBILITIES
If CUI compliance is required for a research project, the PI and their unit Information Technology (IT) contact(s) will work with AAMU's RISO to:
- Verify the research project will receive, possess, and/or create CUI/FCI, or is otherwise required to implement security controls based on the CUI regulations.
- Identify, with assistance from ITS-IIA and ARC-TS, the appropriate information security system/technology solution to secure and store the information.
- Create the required system security plan (SSP) for the research project. The SSP establishes the security controls, policies, and procedures the research team will follow (e.g., information access restrictions, laboratory security, etc.) to comply with CUI/FCI and other Federal requirements.
- Identify to RISO all project members who have or may have access to CUI and/or to the information systems used to receive, transmit, generate, or maintain CUI for any given research project. Any change to a project member’s CUI access for an affected research project must be reported to RISO.
- Be available to assist with internal (AAMU) and external (Federal and/or third-party) security audits of CUI and CUI-designated information systems under their purview for any given contract/award.
- Complete the required training, and renew that training, as appropriate.
PROGRAM MONITORING
AAMU's RISO program is monitored by the Research Security Program Committee (RSPC). The Committee issues policies, coordinates issues, coordinates solutions, approves system security plans (when applicable), ensures all affected research projects are in compliance with federal CUI/FCI rules, and continually monitors the effectiveness of the program.
FAQs
What Type of Information is Considered CUI?
The National Archives CUI Registry identifies the information considered to be CUI by category and subcategory. A non-exhaustive list of categories includes:
- Controlled technical information with military or space application
- Critical infrastructure information (e.g., energy infrastructure, water systems, etc.)
- Export controlled information or materials used in research
- Nuclear information related to protecting reactors, materials, or security
- Statistical information (e.g., U.S. Census)
- Transportation information (e.g., railroad safety, etc.)
The CUI Registry is the authoritative online repository for information, policy, requirements, and guidance on handling CUI.
What are CUI Control Levels?
32 CFR Part 2002 identifies three control levels that guide the safeguarding or dissemination of CUI:
- CUI Basic - requires or permits the agencies to control or protect the information, but provides no specific information security controls
- CUI Specified - requires or permits the agencies to control or protect the information, and provides specific information security controls
- CUI Specified, but with CUI Basic Controls - requires or permits the agencies to control or protect the information, and provides only some of the controls
When the university accepts a contract that includes CUI, the Research Information Security Liaison determines the level of CUI (basic or specified) control required and works with the research team to ensure that the appropriate controls are implemented for the life of the project.
What are potential consequences of non-compliance with CUI requirements?
Failure to comply may result in challenges to, or loss of, the award, and in future ineligibility to be awarded government contracts.
Failure to accurately report the status of compliance could result in charges of fraud and criminal penalties for the individual researcher. The university could also experience adverse reputational, legal, or financial consequences.