What else do I need to know?
Definitions
Controlled Unclassified Information (CUI): Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
Covered Agencies: Federal executive branch agencies (including, but not limited to, the Department of Defense, the Department of Health & Human Services, and the National Institutes of Health) that handle CUI, as well as all organizations and entities (including universities) that handle, possess, use, share, create, or receive CUI, or that operate, use, or have access to Federal information and information systems on behalf of a federal agency.
Covered Persons: All University faculty, staff, students, affiliates, contractors, visitors, volunteers, subcontractors, and third-party employees and agents who collect, access, use, and/or disclose CUI on behalf of the University.
CUI Implementing Regulations: and related implementing regulations including, but not limited to, .
Information Security Plan (ISP): A plan developed by the Covered Person(s) in consultation with Enterprise Technology Services (ETS) to maintain the confidentiality, privacy, and security of CUI.
NIST Special Publication 800-171: The NIST Special Publication that specifies the security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.
Procedures
University Covered Persons are required to protect and safeguard all CUI in accordance with this University Operating Procedure (UOP), the University's Information Security Policy, Information Security Procedure, and Privacy Policy, and any CUI Implementing Regulations and applicable information security plans, contracts, and agreements.
As required by the federal government, CUI may only be stored and processed on IT systems that have been risk assessed for compliance with NIST SP 800-171. University Covered Persons who wish to engage in an activity involving CUI may therefore do so only within the approved CUI environment. Access is arranged through Sponsored Project Administration (SPA) (for research) and/or your IT support, in conjunction with Enterprise Technology Services (ETS). Covered Persons are required to adhere to any information security plan associated with the CUI from receipt through destruction.
There are many different types of CUI. A list of CUI organizational groupings and specific CUI categories can be found in the . Organizational groupings include critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, North Atlantic Treaty Organization (NATO), nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation. Within these broad groupings are specific categories, including data related to homeland security, national infrastructure, nuclear matters, and intelligence. Individual federal agencies are required to develop and issue regulations that detail how they will implement the CUI requirements.
Most work with CUI will be attached to awards administered through Sponsored Project Administration (SPA). SPA will assist with identifying projects where CUI will be used, connect the researchers to the Information Security Officer to develop an ISP where needed, and work with the researchers on the handling, storage, and use of CUI. CUI may, however, enter the University outside the scope of SPA. Ultimately, individual researchers who use CUI are responsible for complying with the University's related Policies and UOPs and with federal and state regulations.
Failure to comply with the CUI Implementing Regulations, the University's policies and procedures, and any applicable information security plans, contracts, and agreements may result in contractual, financial, and legal penalties to the University and to the individual(s) involved, including administrative sanctions such as loss of federal funding and loss of future awards/grants. In addition, violations can result in disciplinary action, including termination or expulsion from the University.
Given the sensitivity and risk, any known or suspected mishandling of any protected data, including CUI, must be reported without delay. Reports may be made via the Compliance and Ethics Reporting and HelpLine (the Compliance HelpLine). The Compliance HelpLine accepts anonymous reports.
Related Documents/Policies
Is there education available?
Training related to this policy is as follows:
| Training Topic: | Handling and Safeguarding CUI |
|---|---|
| Training Audience: | All Covered Persons |
| Method of Delivery: | On-Line |
| Delivered By: | Research Integrity |
| Frequency: | Prior to Accepting CUI |

| Training Topic: | Handling and Safeguarding CUI – Refresher |
|---|---|
| Training Audience: | All Covered Persons |
| Method of Delivery: | On-Line |
| Delivered By: | Research Integrity |
| Frequency: | Annually Throughout Life of CUI (until destruction) |