CUI

Controlled Unclassified Information

Any information that requires safeguarding or dissemination controls as defined by applicable law, regulations, and government-wide policies. The regulations and safeguard apply if an institution: possess, use, share, or receive CUI or operate, use, or have access to federal information and information systems on behalf of an agency.

CUI Basic vs CUI Specified

CUI Basic is CUI that contains the baseline handling and dissemination controls.

CUI Specified is a subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic.

Laws, U.S. Code, and Regulation

  • Executive Order 13556 - Established a program for managing all unclassified information in the Executive branch that requires safeguarding or dissemination controls in accordance with applicable law, regulations, and government wide policies
  • 32 CFR p. 2002 - Established CUI policy for agencies
  • DFARS 52.204.7012 - Established the requirements for safeguarding CUI and the cyber incident reporting for the Department of Defense (DoD)
  • NIST 800-171 - The current standard used to define the required safeguard for CUI. As of 2020, it was merged with the Cybersecurity Maturity Model Certification for DoD contracts

Where does CUI Come From?

There are many categories of CUI, and if contracted research falls into one of those categories, then it is likely that results and data will be marked as CUI. In the case of independent research, as long as no data was created for/possessed by an executive branch entity or agency, it is not considered CUI.

Example 1: An independent researcher did research on nuclear power. No Executive Branch entity was involved in the creation or handling of the data that came out of the project. Even though there is a CUI category that the research would fall into, it is not CUI.

Example 2: A university researcher takes on a Navy contract to research nuclear propulsion. The data that comes out of that project is CUI, because it was contracted by an entity that stems from the Executive Branch.

Additional information on the subject of CUI:

https://www.archives.gov/cui 

Why is it important that CUI is handled in certain ways?

Laws, U.S. Code, and Regulations determine how CUI is handled. Failure to take these into consideration can result in severe consequences not only from an institution but also in the form of Civil and Criminal penalties. These can come in the form of fines or imprisonment, with the fines also being applied to the institution as well as the individual.

It is important to note that some CUI contains sensitive information (HIPAA, FERPA, DoD Contracts) that could be a harmful invasion of privacy to individuals, in the case of HIPAA and FERPA, and a matter of national concern in the case of DoD contracts.

This work is supported by the National Science Foundation under Grant No. 1840043. Any opinions, recommendations, findings, or conclusions expressed are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.