CUI Processes and Procedures
- General Process for working with Controlled Unclassified Information (Updated)
- Reproducing CUI (printing, copying, scanning, faxing, etc.)
- ISO Approved Mandatory CUI Training
- Safeguarding Improperly Received CUI (Forthcoming)
- Safeguarding Unsolicited CUI
- Sponsored Projects with CUI Requirements (Under revision)
- Determining CUI Requirements at Proposal Development (Under revision)
- Determining if an Award will Involve Access to CUI (Under revision)
- How to address CUI Incidents (Forthcoming)
General Process for working with Controlled Unclassified Information
- The first point of contact for any research-related CUI question or request for support is the Office for Research Protections (ORP). Contact rso@utep.edu for guidance on safeguarding CUI.
- When a solicitation, contract, or agreement includes CUI clauses, confirm with the cognizant federal agency or the project sponsor (for flow-down requirements) whether the project will need to receive, store, process, and safeguard CUI. Contact information for the cognizant agency is available on the National Archives CUI Website. Use the Quick Reference Guide for Identifying FCI and CUI to identify CUI clauses in contracts.
- If the sponsor confirms that safeguarding CUI is a project requirement, report this to your RA or to ORP (rso@utep.edu). Once CUI is confirmed, the Research Security Officer (RSO) will inform the Information Security Office (ISO), and the PI will work with ISO to set up a NIST SP 800-171 compliant environment. The PI will be asked to complete a CUI Questionnaire and submit it to security@utep.edu.
- In the questionnaire, identify everyone on the project who will require access to CUI. ISO will send training notices to each individual, and no one may work on the project until their training certificate has been submitted to security@utep.edu. Additional information can be found on the CUI Training Webpage.
- ISO will then work with the PI or project technical contact to implement the NIST SP 800-171 controls needed to meet the project's safeguarding requirements.
- Current safeguarding options include:
  - Configuring a CUI laptop (provided by the department or project)
  - CUI Café (an internal CUI enclave under development)
  - Amazon Web Services (AWS) Commercial or GovCloud
- Work with the RSO, ISO, and the CUI originator to agree on how CUI will be received into the controlled environment. Current options include:
  - DoD SAFE
  - PreVeil
  - Other ISO- and agency/flow-down-approved methods
- If CUI documents must be discussed with others in a video-conferencing environment such as Teams or Zoom, consult your sponsor to determine whether Zoom for Government (ZfG) is an approved method. If so, request a ZfG account through HelpDesk@utep.edu. Note: consult ISO if the CUI originator supports an alternate collaboration tool. Microsoft Teams is not approved for meetings that will involve discussion of CUI.
- If you need to share CUI documents with anyone at the University, you will need a NIST SP 800-171 compliant CUI environment and a PreVeil account. PreVeil provides a secure email platform for sharing documents as attachments. A PreVeil account can be obtained from security@utep.edu.
Mandatory CUI Training
Visit the CUI training web page for guidance on taking the ISO approved CUI training.
For more information or assistance on specific training requirements, contact either of the following:
Safeguarding Unsolicited CUI
What is Unsolicited CUI?
Unsolicited Controlled Unclassified Information (CUI) refers to information that is shared or received without a specific request and is designated as CUI according to federal regulations.
How is Unsolicited CUI obtained?
Unsolicited CUI might be received through various means, such as email, fax, regular mail, or verbal communication. Handling such information requires:
- Adherence to established protocols to ensure its protection and proper dissemination
- Proper training
Look out for potential indicators of CUI:
- Are you receiving any communication from a Federal Agency or Federal Flowdown (e.g. DoD, DoT)?
- Do any attachments have CUI in the file name?
- Is the Email Marked CUI in the header or footer?
How to Safeguard Unsolicited CUI
If you have received, or believe you have received, unsolicited CUI via Outlook email in a non-compliant environment (i.e., a workstation that does not meet NIST SP 800-171 requirements):
- Reach out to the sender to determine if what was sent is actual CUI. If it is, inform the sender that it was improperly sent. The originator will need to report the mishandling of CUI to their appropriate next level contact. Contact your RSO for guidance on how to proceed.
- Do not delete any CUI email messages.
- Do not open any attachments.
- Do not save attachments to your workstation.
- If you do open or download an attachment, do not delete it and do not empty your recycle bin.
- Contact your Research Security Officer (RSO) at rso@utep.edu to report the incident. Be sure to include the following information:
  - Office location
  - UTEP tag number
  - Who you have shared the CUI with
- The RSO will coordinate with the Information Security Office to:
  - Securely delete any CUI from your system
  - Provide you with a secure environment for properly handling CUI
- If it is determined that you have a lawful government purpose to store, process, or otherwise transmit any unsolicited CUI, you will be required to take mandatory CUI training and gain access to a compliant environment for doing so.
CUI Training
If access to CUI is required in the conduct of your work, you must complete approved training before you access any type of controlled unclassified information. The training modules and instructions for certifying completion can be found on the Controlled Unclassified Information Training webpage. After reporting an unsolicited CUI incident, you will also receive an email notification with instructions on how to complete the training and how to submit your training certificates.
Sponsored Projects with CUI Requirements
A federally funded sponsored project (or flow down) with CUI requirements should generally follow this process:
1. A solicitation or contract review identifies clauses, and/or the federal sponsor indicates that a proposal or project has CUI restrictions. These reviews are conducted by the PI, RA, and/or Research Protections (RP).
2. The PI identifies such restrictions or is notified of them by the RA/RP.
3. The PI completes the CUI Scope Form (this form specifies the intended controlled environment for safeguarding CUI) and submits the form to RP for review and approval. For assistance completing the form, contact RP (rso@utep.edu).
4. Upon certification of the CUI Scope Form by RP, an Information Security Office review of the proposed controlled environment is initiated.
   - An email is sent to the PI and the Information Security Office, which triggers the review and/or setup of protections for the project. These protections will be documented in an ISO-managed System Security Plan.
   - The PI certifies the ISO review and protections and provides a signed copy to RP.
5. Upon completion of the steps above:
   - For a proposal that includes CUI, RP releases the proposal for submission to the agency upon certification by ISO that the PI (and anyone else working on the proposal) has completed CUI training. Work with your RA on specific submission requirements for CUI proposals.
   - For an award from an agency that involves CUI, all personnel identified in the CUI Scope Form who will be working on the project are required to take CUI training and must be certified by ISO before beginning any work that involves CUI.
   - RP releases the award for account setup via a Grant Action Request Tracking (GART) update when all requirements have been met.
   - A UTEP account is then established for the project.
6. Auditing and monitoring occur to ensure compliance with the ISO-approved protection plan.
Note: All personnel identified in the CUI Scope Form who will be working on the project are required to take CUI training and each individual must be certified by the Information Security Office (ISO) before beginning any work that involves CUI.
Determining CUI Requirements at Proposal Development
When developing a proposal for submission to a federal agency or flow down, researchers are advised to:
- Conduct a thorough review of the CUI implications before proposal submission. Things to do include:
  A. Review the funding announcement or agency guidelines.
  B. Contact the agency sponsor.
  C. Indicate that CUI is part of the proposal in the Notice of Intent.
- If CUI protections are outlined by the agency:
  A. Clearly define the CUI scope, including all systems, networks, storage, facilities, and personnel that will store, process, or transmit CUI.
  B. Identify any CUI data that will be used or generated and ensure that the proposal includes appropriate security measures.
  C. Consult the RSO for guidance on addressing CUI requirements to ensure all appropriate safeguards are addressed. If applicable, the RSO will initiate a request for ISO guidance on identifying CUI safeguards during the proposal phase.
  D. When applicable, include a CUI compliance statement within the proposal. This statement should outline the steps the research team will take to safeguard CUI in accordance with federal regulations.
Research Protections advises that any project involving CUI must have a designated CUI coordinator who is responsible for overseeing compliance throughout the research lifecycle. In the absence of a CUI coordinator, the PI is responsible for overseeing compliance.
Determining if an Award will Involve Access to CUI
Follow this process to determine whether an award requires access to CUI. It may be necessary to search various documents (contracts, questionnaires, exhibits, addendums, etc.) for keywords that may indicate access to CUI is required. Refer to the Quick Reference Guide for Identifying FCI and CUI for guidance on what to look for.
1. Does the award originate from a federal agency (or flow down)?
   - Yes: proceed to step 2.
   - No: stop. If the sponsor is not a federal agency or a federal flow down, the information cannot be CUI.
2. Does the information meet the standards for classification according to DoDM 5200.01, Volume 1?
   - Yes:
     a. Stop and refer to DoDM 5200.01, Volume 1, for guidelines on processing classified information.
     b. Report immediately to the campus FSO.
   - No: proceed to step 3.
3. Does the information fall within a current federal law, regulation, or government policy, or do any of the contract documents contain CUI clauses? Refer to the CUI Quick Reference Document for examples of clauses.
   - No: the information cannot be designated CUI and is therefore not subject to NIST SP 800-171.
   - Yes: proceed to step 4.
4. Can the CUI requirements be negotiated, or do fundamental research exclusions apply? Work with your RA, RSO, and/or the sponsor to make this determination.
   - Yes: document in the contract that the CUI requirements were negotiated out and/or that fundamental research exclusions apply.
   - No: proceed to step 5.
5. Fill out the following document and submit it to the RSO at rso@utep.edu. Upon approval, the RSO will trigger an ISO CUI review. (This step is under revision.)
Tips:
- The government-wide CUI Registry is maintained by the National Archives, and the DoD publishes its own DoD CUI Registry. Both list the categories of information the government requires to be protected, including critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, privacy, procurement and acquisition, proprietary business information, provisional, statistical, and tax information.