Controlled Unclassified Information
- What is Controlled Unclassified Information (CUI)
- NIST 800-171 and DFARS 252.204-7012
- How to Comply
- Process Flow
What is Controlled Unclassified Information?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. Relative to UTEP, such clauses and safeguarding controls are most commonly found in NIST 800-171 and DFARS 252.204-7012.
Executive Order 13556 "Controlled Unclassified Information" establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance.
32 CFR Part 2002 "Controlled Unclassified Information" establishes requirements for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, along with self-inspection and oversight requirements and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI, or which operate, use, or have access to Federal information and information systems on behalf of an agency.
As such, contractors, subcontractors, and universities must comply with CUI controls. For CUI Categories and Subcategories, please see the CUI Registry General Guidelines site.
NIST 800-171 and DFARS 252.204-7012
NIST Special Publication 800-171 (NIST 800-171) is a Federal standard on security controls applied to Controlled Unclassified Information (CUI) and systems and processes involved with this data. UTEP and its research enterprise must ensure all systems and processes involved with CUI are compliant with NIST 800-171 to continue receiving Federal funds associated with the use of this data (either directly received from the government or indirectly through associated covered contracts and contractors).
DFARS 252.204-7012 is a standard clause in many DoD contracts requiring:
- Implementation of NIST Special Publication 800-171
- Safeguarding covered defense information (CDI), which is CUI
- Reporting cyber incidents that affect covered defense information or that impact the contractor's ability to perform requirements designated as operationally critical support
- Submitting malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center
- Notifying the DoD of any security requirements not implemented, within 30 days of contract award
How to Comply
Any UTEP project with NIST and/or DFARS or other legal or contractual obligations to properly protect Controlled Unclassified Information (CUI) can ensure compliance by:
- Contacting the Information Security Office to establish a System Security Plan (SSP), wherein the information security team will help guide investigators and their teams in building a compliant data security program,
- Submitting the System Security Plan (SSP) through the data-sensitive research portal (DataSense) maintained by the Office of Research and Sponsored Projects, and
- Ensuring you and your team are trained in CUI and CUI protection.
As part of the DataSense process, you may be asked to create a Technology Control Plan (TCP), which provides information on your operating environment, data needs, and basic project information. The System Security Plan (SSP) may be uploaded within the DataSense portal as part of the TCP.
All UTEP projects with applicable CUI needs must go through the approval process, wherein all environments involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls) and follow the guidance provided by the approved System Security Plan (SSP). Any deviation from the SSP must be approved by the Chief Information Security Officer (CISO). The CISO will route such requests to either the Vice President of Research (for research-related activities) or the Vice President for Business Affairs (for administrative activities), as appropriate, for additional approval.
All environments that are involved with CUI must undergo an annual NIST 800-171 compliance assessment by Information Security before interacting with CUI. These assessments result in an attestation report signed by the CISO or a designee. All environments that are involved with CUI must also operate in a manner that allows cyber incidents involving CUI to be reported within 72 hours.
An export control project or one with CUI should generally follow the process below (the steps are numbered because step 3 refers to step 4):
1. A contract has clauses and/or the sponsor indicates that a project has Export Control and/or Controlled Unclassified Information (CUI) restrictions.
2. The PI is notified of such restrictions by ORSP.
3. The PI provides information in the DataSense portal to allow a review to occur between Export Control and/or Research Administration to determine whether the clauses may be negotiated or whether exclusions exist that reduce the need for compliance. If compliance is required, the process moves to step 4; otherwise, the PI is informed of the exclusion and the exclusion is documented for archiving.
4. The PI enters information into the DataSense portal, using a template to generate a Technology Control Plan (TCP).
5. An email is sent to the PI and the Information Security Office to generate a System Security Plan (SSP).
6. Personnel working on the project are trained on Export Control and/or CUI.
7. The PI uploads the Information Security Office-approved SSP into the DataSense portal.
8. An approved TCP with SSP is documented in the DataSense portal.
9. A UTEP account is established for the project.
10. Auditing and monitoring occur to ensure compliance, as described in the TCP and SSP.
All personnel interacting with or otherwise handling Controlled Unclassified Information, whether appointed, funded, or not, must complete the training below. It is the responsibility of the Principal Investigator to follow the safeguards that ensure a compliant operating environment, as described in the System Security Plan (SSP), and to ensure all relevant personnel are successfully trained.
- Mandatory Controlled Unclassified Information (CUI) Training: https://securityhub.usalearning.gov/index.html
- ORSP Training for Project Specific Operations: contact firstname.lastname@example.org
- Overview of CUI: https://www.dcsa.mil/mc/ctp/cui/
- How to Identify and Mark CUI: https://www.archives.gov/cui/training.html#intro-to-marking
- CUI Markings: https://www.archives.gov/cui/registry/category-marking-list
- Other CUI resources: https://www.cdse.edu/toolkits/cui/current.html