Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is information the United States government creates, funds the creation of, or possesses that requires safeguarding or dissemination controls limiting its distribution to those with a lawful purpose.
Federal agencies routinely generate, use, store, and share information that does not meet the threshold and security requirements in place for classified information but requires some level of protection from unauthorized access and release.
Historically, each agency developed its own practices for marking and handling. The CUI program was created to standardize how sensitive data is handled, both to protect it and to reduce inconsistencies in handling.
Many categories of sensitive information are included in CUI categories, including critical infrastructure, defense, and export control.
NARA: CUI Registry | National Archives
DoD: https://www.dodcui.mil/CUI-Registry-New/
Noncontractual CUI
UCSD faculty, staff, and students may also receive documents, PowerPoints, or emails labeled as CUI that are not connected to a contract with specified required safeguards. When CUI is not connected to a contract, it is considered “noncontractual CUI”. After receiving this type of information, the receiver must:
- Restrict access to the document/email so that anyone who was not a direct recipient cannot access it. Do not forward, post, print, or otherwise distribute it.
- Request from the sender details of the intended safeguards for the information.
- Notify Director Export Control and Facility Security (lprovencher@ucsd.edu) for assistance with next steps.
The steps taken to safeguard noncontractual CUI will consider the response from the sender as well as the assessed risk levels of the content provided. The objective is for everyone involved to exercise reasonable due diligence to protect potentially sensitive information.
If you anticipate receiving noncontractual CUI (proposal documentation, conference PowerPoints, etc.) based on your area of research or prior experience, reach out to lprovencher@ucsd.edu for assistance putting proactive protocols in place.
Contractual CUI
Sponsored research and unfunded agreements like CRADAs or Data Use Agreements may require the exchange or creation of CUI and cybersecurity measures to protect CUI. Contracts with a federal prime sponsor may involve specific flow-down requirements that include implementation of NIST SP 800-171 safeguarding controls. UC San Diego has processes in place to manage CUI according to these specialized controls. Working with contractual CUI requires additional IT resources and support from ITS’ Regulated Research Cybersecurity Program.
National Institute of Standards and Technology (NIST) - NIST Special Publication 800-171 “Assessing Security Requirements for Controlled Unclassified Information” provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.
NIST SP 800-171 identifies requirements that apply to University information systems that process, store, or transmit CUI.
Principal Investigator Responsibilities
PIs must determine whether they may receive or potentially generate CUI during proposal preparation or research. If CUI is applicable, it is critical to budget for the additional IT expenses required.
In solicitations, look for indications that CUI is involved. DoD solicitations may explicitly state or signal CUI through the inclusion of publication restrictions such as the clause DFARS 252.204-7000, “Disclosure of Information”. If you see this kind of language, notify and work with your departmental business office and the Sponsored Projects Office as soon as possible so that you obtain assistance to meet your timelines and deadlines.
When CUI is identified, Export Control will create a Technology Control Plan (TCP) that outlines the protocols and procedures for securing CUI. When CUI comes to UCSD IT systems, ITS’ Regulated Research Cybersecurity Program will assist in creation of the required System Security Plan (SSP).
See next tab "UCSD Resources to Implement CUI Cybersecurity Requirements."
Proposals
Proposals may require either an explanation of why the UCSD deliverables are not expected to involve CUI or a detailed plan for how the organization will meet CUI safeguarding requirements. Work with UCSD Export Control to determine whether CUI is likely involved in the UCSD proposed deliverables. The Regulated Research Cybersecurity Program and Export Control can assist with the development of the CUI plan, which provides a strategy to protect CUI without unnecessarily compartmentalizing information flow within or among performer teams. This plan must describe safeguard procedures for generating sensitive program deliverables.
PIs are responsible for complying with the agreement terms for properly protecting CUI, so it is critical to confirm a shared understanding of CUI inputs and/or deliverables. When research results are CUI, it is important to identify whether the underlying data points are also CUI or whether the controls apply only to the analysis or final reports.
Fundamental Research with CUI Inputs: In order to qualify as fundamental research, your research award cannot contain any restrictions on the publication/dissemination of the research results or the participation of foreign nationals. Fundamental research can involve access to CUI. When this occurs, Export Control can help find solutions.
CUI Generating Research: CUI involved in research could include planned collection, development (generation), receipt, transmission, use, or storage of CUI to support the performance of the proposed work.
Keep in mind that projects yielding deliverables other than reports summarizing research findings, e.g., compiled code, samples of materials, or prototypes (e.g., devices, components, or sensors), are subject to export controls. UC San Diego Export Control (export@ucsd.edu) can assist with guidance at the proposal and award stages.
Consequences for not protecting your data:
- Lose your data or have data integrity issues
- Lose research funding opportunities
- Cost and liability of breach
- Possible penalties, monetary fines
- Reputation risk for you and for UC San Diego
UCSD Resources to Implement CUI Cybersecurity Requirements
EXPORT CONTROL: Contact export@ucsd.edu for guidance at the proposal and award stages when CUI is identified to create a Technology Control Plan (TCP) that outlines the protocols and procedures for securing CUI.
CAMPUS: Contact ITS’ Regulated Research Cybersecurity Program via this webpage https://blink.ucsd.edu/technology/security/rrcp/index.html to determine the setup and maintenance costs needed to implement controls for research involving contractual CUI.
HEALTH SCIENCES: Contact Matthew Summerville (mwsummerville@ucsd.edu) for any Controlled Technical Information or Export Restricted CUI, and copy export@ucsd.edu on your request.
Federal Cybersecurity Requirements
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. Prior to EO 13556, there were more than 100 different markings for such information across the executive branch including ad hoc, agency-specific approaches that unnecessarily restricted information sharing.
32 CFR Part 2002 "Controlled Unclassified Information" established a uniform policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the program. The rule affects federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to federal information and information systems on behalf of an agency. The rule therefore applies to the University when we are given access to, or generate, CUI.
48 CFR 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 252.204-7012), requires contractors to protect covered defense information (CDI), report cyber incidents involving it, and comply with NIST SP 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time of the solicitation.
NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
Proposal solicitations may outline these cybersecurity requirements when CUI is expected to be provided or generated in the course of research. The agreement will indicate the specific cybersecurity controls required to protect CUI.
Sampling of CUI Categories
Export Controlled, concerning certain items, commodities, technology, software, or other information identified in the Export Administration Regulations (EAR) or International Traffic in Arms Regulations (ITAR).
Other Categories of CUI
Controlled Technical Information (CTI) or Covered Defense Information (CDI) is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is marked with distribution statements B through F, in accordance with Department of Defense Instruction 5230.24, "Distribution Statements of Technical Documents." The term does not include information that is lawfully publicly available without restrictions. These restrictions would either be stated in an award document or identified on the CDRL attachment.
Critical Infrastructure Information involves the systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any federal, state, regional, territorial, or local jurisdiction.
Proprietary Business Information is information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.
Other categories of CUI are listed and described at https://www.dodcui.mil/CUI-Registry-New/