Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and Government-wide policies but is not classified under Executive Order 13556 “Classified National Security Information” or the Atomic Energy Act, as amended.
CUI Regulations
The CUI security controls must comply with the federal regulations specified in 32 CFR Part 2002 and by the National Archives and Records Administration (NARA), which acts as the CUI Executive Agent (EA) overseeing federal agency CUI compliance. The most commonly encountered Federal CUI requirements and guidelines include:
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) SPECIAL PUBLICATION (SP)
- NIST SP 800-53r5 – Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-171r2 – Protecting CUI in Nonfederal Systems and Organizations
- NIST SP 800-172 – Enhanced Security Requirements for Protecting CUI: Supplement to 800-171 Rev. 2
FEDERAL ACQUISITION REGULATION (FAR) SECURITY REQUIREMENTS
- FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
DEPARTMENT OF DEFENSE FEDERAL ACQUISITION REGULATION (DFARS)
- DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7020 – NIST SP-171 DoD Assessment Requirements
- DFARS 252.204-7021 – Cybersecurity Maturity Model Certification Requirements
Other requirements and guidance as directed in agency-specific regulations and certain legal documents may also apply.
“Information” as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI). FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.
“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems may include electronic media, non-electronic media, and physical environments.
CUI Onboarding
Participants in UConn research contracts, projects, and/or meetings that involve Controlled Unclassified Information (CUI), as indicated in the research contract, will need to meet with the University Research Security Office and present the documents listed below in order to complete their USPERS/citizenship verification.
The United States Government has instituted a requirement that United States Persons (USPERS) be granted access to CUI. The Government defines a USPERS for the purpose of CUI access as those naturalized citizens, Lawful Permanent Resident Aliens, and those born in the United States. The following acceptable forms of documentation will be utilized to establish USPER status for UConn CUI project participants:
List A: Valid US Passport, I-551 Permanent Resident Card
List B: US Military Photo ID, State Issued Driver’s License, or Government issued photo ID
List C: Original or Certified Copy of State Issued Birth Certificate, US Consular Report of Birth FS-240, DoS Certificate of Birth Abroad DS-1350, Certificate of US Citizenship, or Certificate of US Naturalization
A determination of USPER status will require one item from List A; or one item from List B and one item from List C. All documents produced to verify birth in the US must be either the originals or certified copies.
Training Requirements
DoD CUI Training (as mandated by DoD and provided by DCSA)
All personnel handling CUI must receive initial and annual refresher CUI education and training, and maintain documentation of this training for audit purposes. The University of Connecticut provides a mandatory training course for all DOD personnel with access to CUI. This course also fulfills CUI training requirements for industry when it is required by Government Contracting Activities for contracts with CUI requirements.
- Please access the training here: https://securityawareness.usalearning.gov/cui/index.html
University of Connecticut Technology Control Plan Briefing Acknowledgement and Non-Disclosure Statement
OVPR Export Control trainings required (2 modules, offered by CITI)
- Authorized USPER project participants will be required to successfully complete the following CITI online export training prior to working on the project and shall provide proof of completion to the Director of Export Compliance. CITI training can be accessed at https://www.citiprogram.org/?pageID=668
- Then, type in “UConn” to find the university.
- Then, sign in with your UConn SSO login.
- Under the “Learner Tools” section of the website after you log in (you’ll have to scroll down in the webpage to see this section), click “Add a Course”
- Then, check the box for the Export Compliance course, and follow the remaining steps to enroll and take the courses.
- Contact the Export Control Officer, exportcontrol@uconn.edu, if you have any difficulty accessing these required trainings.
NIST 800-171 compliance training (2023 version)
- 2023 CMMC 2.0 NIST 800-171 Compliance Training
- Please use this link to start your training: https://training.knowbe4.com/auth/saml/667c8d12bf2d3
- Students will need to first contact SRITraining@uconn.edu to be added to take the training.
NIUVT User Agreement (NIUVT projects only)
OVPR Export Control User Agreement (for all non-NIUVT projects)
Background Screening for CUI
All university researchers and staff who handle or have access to Controlled Unclassified Information (CUI) are required to undergo background investigations as a condition of their access as required by NIST 800-171. Background investigations are necessary to verify the trustworthiness, reliability, and suitability of individuals with access to sensitive information.
Employee Background Checks:
Employees of the university will have their background checks conducted by the Human Resources department as part of the standard hiring process as required by the Pre-Employment Background Check Policy. Any employee hired prior to the implementation of background checks by the university will be required to undergo a background investigation prior to accessing CUI. The University Research Security Office will provide you with additional information during your onboarding.
Undergraduate and Graduate Student Background Checks:
Undergraduate students and graduate students who are state employees are also required to undergo a background check in order to handle or have access to CUI as part of their research activities. The background investigation process for these students must be initiated through the Research Security Office prior to beginning any CUI research.
Background Investigation Process:
Background investigations may include, but are not limited to, criminal history checks, employment verification, education verification, and reference checks. The results of background investigations will be used to assess the suitability of individuals for access to CUI.
FAQ:
Additional Resources:
National Policy
- Executive Order (EO) 13556, Controlled Unclassified Information
- 32 Code of Federal Regulations (CFR), Part 2002, Controlled Unclassified Information
- NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
DOD Policy
Useful Links
- CUI Cover Sheet
- CUI Quick Marking Tips
- DOD CUI Marking Job Aid
- DCSA CUI Frequently Asked Questions (FAQ)
- CUI Quick Start Guide
- DCSA CUI Resources One-Pager
- DCSA CUI Glossary & Policy Summaries
- DCSA CUI Landscape
- CUI Quick Reference Guide
- DCSA CUI Destruction Guidance
CUI Resources: https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/DOD-CUI_Resources_One-Pager_for_DOD.pdf