Controlled Unclassified Information (CUI)
The University of California, San Diego participates in federally funded research and collaborates with other institutions and agencies that hold highly sensitive data. To be eligible for federal contracts or awards, researchers must comply with specific federal regulations, set by the Department of Defense (DOD) among others, to appropriately safeguard controlled unclassified information, or "CUI".
Where Does CUI Come From?
Controlled Unclassified Information (CUI) is information that federal law, regulation, or government-wide policy requires to be safeguarded but that is not classified. For DOD contractors, protection of CUI is assessed through the Cybersecurity Maturity Model Certification, or "CMMC". The CMMC defines 5 levels of maturity, where each level adds protective practices and processes on top of the level below it.
The purpose of CMMC is to help organizations meet the basic safeguarding requirements for Federal Contract Information (FCI) laid out in the Federal Acquisition Regulation and the security requirements for Controlled Unclassified Information (CUI) in NIST SP 800-171.
NIST SP 800-171 is the National Institute of Standards and Technology (NIST) special publication Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It specifies the security requirements for protecting CUI; the CMMC levels draw on these requirements, adding further practices at the higher levels.
Does CUI Compliance Apply to Your Type of Research?
CUI may include research data and other project information that a research team receives, possesses, or creates under a sponsored contract. Since CUI encompasses a large range of information types in research, a more complete reference to CUI data types can be found in the National Archives CUI Registry. As an example, the following details a non-exhaustive list of categories that may apply to researchers:
- Critical Infrastructure
  - General Critical Infrastructure Information
  - Information Systems Vulnerability Information
  - Physical Security
- Export Control
- Intelligence
- Law Enforcement
  - DNA
- Privacy
  - General Privacy
  - Genetic Information
  - Health Information
  - Personnel Records
  - Student Records
In addition to the categories outlined above, CUI compliance may be required if your proposal, award, or contract includes one or more of the following:
- 32 CFR 2002, Controlled Unclassified Information
- NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems
- DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
Why Is This Important?
Lab data within the scope of CUI, as outlined by the National Archives CUI Registry, must be protected according to the security requirements detailed in NIST SP 800-171. Failure to comply may result in refusal, objection, or loss of research awards, as well as future ineligibility for DOD contracts or contracts with other government agencies.