
Controlled Unclassified Information

 Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and Government-wide policies but is not classified under Executive Order 13556 “Classified National Security Information” or the Atomic Energy Act, as amended. 

  CUI Regulations

CUI security controls must comply with the federal regulations specified in 32 CFR Part 2002 and by the National Archives and Records Administration (NARA), which acts as the CUI Executive Agent (EA) to oversee federal agency CUI compliance. The most commonly encountered Federal CUI requirements and guidelines include:

  • NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) SPECIAL PUBLICATION (SP)
  • FEDERAL ACQUISITION REGULATION (FAR) SECURITY REQUIREMENTS
  • DEPARTMENT OF DEFENSE FEDERAL ACQUISITION REGULATION (DFARS)

Other requirements and guidance as directed in agency-specific regulations and certain legal documents may also apply.

“Information” as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI).  FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.

“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems may include electronic media, non-electronic media, and physical environments.

 

CUI Onboarding

The United States Government has instituted a requirement that only United States Persons (USPERS) with a lawful, government purpose be granted access to CUI. The Government defines a USPERS for the purpose of CUI access as those naturalized citizens, Lawful Permanent Resident Aliens, and those born in the United States.  The following acceptable forms of documentation will be utilized to establish USPER status for UConn CUI project participants:

List A: Valid US Passport, I-551 Permanent Resident Card

List B: US Military Photo ID, State Issued Driver’s License, or Government issued photo ID

List C: Original or Certified Copy of State Issued Birth Certificate, US Consular Report of Birth FS-240, DoS Certificate of Birth Abroad DS-1350, Certificate of US Citizenship, or Certificate of US Naturalization

A determination of USPER status will require one item from List A; or one item from List B and one item from List C. All documents produced to verify birth in the US must be either the originals or certified copies.

In addition, please complete the following training prior to meeting with me, and please have your User Agreement, Technology Control Plan Briefing Acknowledgement and Non-Disclosure Statement, and Background Check completed/submitted:

DoD CUI Training (as mandated by DoD and provided by DCSA)

Insider Threat Awareness 

This course provides a thorough understanding of how Insider Threat Awareness is an essential component of a comprehensive security program. The course promotes the reporting of concerning behavior observed within the place of duty. Using case study scenarios, the course teaches common indicators associated with insider risk. The instruction promotes a proactive approach to reporting, to support positive outcomes for the workforce.

University of Connecticut Technology Control Plan Briefing Acknowledgement and Non-Disclosure Statement

OVPR Export Control trainings required (2 modules, offered by CITI)

  • Authorized USPER project participants will be required to successfully complete the following CITI online export training prior to working on the project and shall provide proof of completion to the Director of Export Compliance. CITI training can be accessed at https://www.citiprogram.org/?pageID=668
  • Then, type in “UConn” to find the university.
  • Then, sign in with your UConn SSO login.
  • Under the “Learner Tools” section of the website after you log in (you’ll have to scroll down in the webpage to see this section), click “Add a Course”
  • Then, check the box for the Export Compliance course, and follow the remaining steps to enroll and take the courses.
  • Contact the Export Control Officer, exportcontrol@uconn.edu, if you have any difficulty accessing these required trainings.

NIST 800-171 compliance training (2023 version – required if you will need access to Secure Research Infrastructure)

NIUVT User Agreement (NIUVT projects only)

OVPR Export Control User Agreement (for all non-NIUVT projects)              

  Background Check Required

As part of your work, you may have access to Controlled Unclassified Information, which requires safeguarding or dissemination controls consistent with various laws and regulations. One of these regulations, NIST SP 800-171, establishes the basic security requirements for protecting CUI. One of these requirements is to screen individuals prior to authorizing access to organizational systems containing CUI. To begin this process, contact researchsecurity@uconn.edu.

Background Investigation Process:

Background investigations may include, but are not limited to, criminal history checks, employment verification, education verification, and reference checks. The results of background investigations will be used to assess the suitability of individuals for access to CUI.

 

FAQ:

https://research-compliance.umich.edu/research-information-security/controlled-unclassified-information-cui

 

Additional Resources:

National Policy 

DOD Policy 

 Useful Links 

CUI Resources: https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/DOD-CUI_Resources_One-Pager_for_DOD.pdf