Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. Prior to EO 13556, there were more than 100 different markings for such information across the executive branch including ad hoc, agency-specific approaches that unnecessarily restricted information-sharing.

32 CFR Part 2002 "Controlled Unclassified Information" was issued to establish a uniform policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency. The rule therefore applies to the University when we are given access to, or generate, CUI.

The CUI Registry is the Government-wide online repository for Federal-level guidance regarding CUI policy and practice. It lists the CUI Categories, Subcategories and change log.

Examples of CUI Types

Privacy-Health Information HLTH

Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).

As per 42 USC 1320d(4), "health information" means any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Critical Infrastructure

Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.

Proprietary Business Information-Manufacturer

Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.

Both sponsored research and unfunded agreements like CRADAs or Data Use Agreements may require the exchange or creation of CUI and cybersecurity measures to protect CUI. As federal agencies are implementing CUI requirements in agreements the implementation of specific cybersecurity measures may differ. Federal agencies can develop and promulgate their own general purpose or project-specific clauses to specify safeguarding requirements for information or information systems. 

National Institute of Standards and Technology (NIST) -NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

NIST SP 800-171 identifies 110 unique requirements that apply to University information systems that process, store, or transmit CUI. The 110 requirements are organized into the following 14 families: access control (22 controls); awareness and training (3 controls); audit and accountability (9 controls); configuration management (9 controls); identification and authentication (11 controls); incident response (3 controls); maintenance (6 controls); media protection (9 controls); personnel security (2 controls); physical security (6 controls); risk assessment (3 controls); security assessment (4 controls); system and communications protection (16 controls); and system and information integrity (7 controls).

These cybersecurity requirements may be outlined in proposal solicitations CUI is expected to be provided or generated in the course of research. The agreement will indicate the specific cybersecurity controls for CUI.

Currently for U.S. government contracting in Department of Defense Contracts the Defense Federal Acquisition Regulation (DFAR) 7012 (most recent Oct 2016) Safeguarding Covered Defense Information and Cyber Incident Reporting details the CUI cybersecurity NIST 800-171 standards and incident reporting requirements.  Similar controls are anticipated via a Federal Acquisition Regulation (FAR) clause that will apply the CUI regulations and NIST 800-171 to contractors for non-DOD contracts.

Understand whether you will be receiving or potentially generating CUI in the course of your research. You are responsible for complying with the agreement terms for properly protecting CUI.

Consequences for not protecting your data:

• Lose your data or have data integrity issues
• Lose research funding opportunities
• Cost and liability of breach
• Possible penalties, monetary fines
• Reputation risk for you and for UC San Diego

As part of the agreement negotiation process either for sponsored research or unfunded agreements you will want to ensure that you have a mutual understanding and agreement with the sponsor regarding the research and inputs and outputs with respect to the following:

• Fundamental Research - In order to qualify as fundamental research, your research award cannot contain any restrictions on the publication/dissemination of the research results or the participation of foreign nationals.
  • If you will be a subcontractor, ensure that your work is clearly distinguished at the proposal stage as fundamental research, particularly when the prime recipient is an industry partner, which may be conducting proprietary restricted research.
• CUI - Any CUI involved in research could include planned collection, development (generation), receipt, transmission, use, or storage of CUI to support the performance of the proposed work.
  • If your work is funded by the U.S. Government, this will determine whether or not you must comply with the safeguarding requirements of NIST SP 800-171 or some other standards, e.g., FISMA (44 USC §3551 et seq.), Public Law (P.L.) 113-283) low, moderate, or high.
  • If DoD-funded, you will also have to comply with the cyber incident reporting requirements of DFARS 252.204-7012.
• Deliverables other than Reports - If project deliverables include items other than summary reports of your research findings, e.g., compiled code, samples of materials, or prototypes (e.g., devices, components, or sensors), talk to UC San Diego Export Control (export@ucsd.edu), for guidance at the proposal and award stages. These deliverables are more likely to trigger safeguarding requirements.

Addressing CUI in Proposals

In solicitations look for indications that CUI is expected to be provided or generated in the course of research. In DoD solicitations, this may be explicitly stated, or may be signaled by the inclusion of publication restrictions such as the clause DFARS 252.204-7000, “Disclosure of Information”. If you see this kind of language, please alert your business office and OCGA Contract and Grant Officer immediately. The OCGA Staff Assignments tool will direct you to the appropriate person.

Example of a DARPA-Required CUI Security Plan

CUI Risk Mitigation Plan (Required for proposers who anticipate generating work that may be considered CUI in accordance with Section 1.5 “Controlled Unclassified Information”): Provide a detailed plan for how the organization and its subcontractors will meet CUI safeguarding requirements. The plan should provide a detailed strategy to protect CUI without unnecessarily compartmentalizing information flow within or among performer teams. This plan must describe safeguard procedures for generating sensitive program deliverables.

Proposal Preparation

In order to mitigate potential CUI concerns in agreements, the suggested language below ensures that the technical point of contact or program manager will see it and have the opportunity to ask questions if the description:

1. Doesn't match his/her expectations, or
2. Fails to provide clear guidance to the contracting officer on what terms should or should not be included in any subsequent agreement with UC San Diego.

In addition, researchers are encouraged to describe the dual use nature of their research, especially for Department of Defense (DOD) related research. Solicitations may require a CUI Security Plan be provided in the proposal.

Proposal Language

Language to include in DOD related Scopes of Work (SOW):

The work described in this proposal is fundamental research intended to advance the state of the art and result in open scientific publications. No "covered defense information," as defined in DFARS 252.204-7012 (OCT 2016) will be collected, developed, received, transmitted, used, or stored by the University to support the performance of this work. It is understood that any developmental items and specially designed parts, components, accessories and attachments fabricated under any Department of Defense award resulting from this proposal are being developed for both civil and military applications.

Language to include in Non DoD-Funded SOWs:

The work described in this proposal (statement of work) is fundamental research intended to advance the state of the art and result in open scientific publications.

Budget Preparation

For proposals that will include CUI you will need to consider the cost of implementing the cybersecurity requirements as there will be a budget impact. Please work with IT and SDSC to budget for and implement the required cybersecurity controls.

Contact OIA Risk and Compliance to determine what set up and maintenance costs will be to implement for your research that has CUI.

Please copy the Chief Information Security Officer ciso@ucsd.edu on all requests. For Health Sciences please also include Kenneth Wottge. For any Controlled Technical Information or Export Restricted CUI, copy export@ucsd.edu in your request.

One specific subset of CUI, Controlled Technical Information (CTI) is export restricted CUI. A foreign national license may be required for foreign persons in the U.S. or abroad to access that data or for exports to collaborators in other countries. The Office of Export Controls will determine the export control status of CUI (or CDI) and the need for licenses or other authorizations when they review the award. For more information about U.S. export control and sanction regulations, visit the export controls website. Contact UC San Diego Export Control (export@ucsd.edu) with any questions regarding export control implications of CUI.

In the CUI Registry, CTI is defined as:

Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with Department of Defense Instruction 5230.24, "Distribution Statements of Technical Documents." The term does not include information that is lawfully publicly available without restrictions. These restrictions would either be stated in an award document, or identified on the CDRL attachment.

In DOD Contracts, DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting addresses the requirements for safeguarding CUI and other sensitive information and reporting breaches.

“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:

1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

In addition to CUI markings agencies may place limits on disseminating CUI beyond for a lawful government purpose only through the use of the limited dissemination controls listed on the CUI limited dissemination controls webpage, or through methods authorized by a CUI Specified authority.

For example a marking of NOFORN or NF indicates no foreign dissemination. Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-US citizens.

“Covered defense information” is an extremely broad category. The University must secure Government confirmation that there is no CDI involved in a project in order to ensure that we do not hav to meet the safeguarding requirements.