Controlled Unclassified Information (CUI)

The University of California, San Diego participates in federally funded research and collaborates with other institutes and agencies that hold highly sensitive data. To be eligible for contracts or federal awards, researchers must comply with specific federal regulations determined by the Department of Defense (DOD) to appropriately safeguard controlled unclassified information, or "CUI".

Where Does CUI Come From?

Controlled Unclassified Information (CUI) refers to the protected data in the Cybersecurity Maturity Model Certification, or "CMMC". The CMMC defines 5 levels of maturity, where each level has an increasing number of protective practices and processes.

The purpose of CMMC is to help organizations meet the basic safeguarding requirements for Federal Contract Information (FCI) laid out in the Federal Acquisition Regulation and the security requirements for Controlled Unclassified Information (CUI) in NIST SP 800-171.

NIST SP 800-171 is the National Institute of Standards and Technology (NIST) special publication "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations", which outlines the type and levels of controls necessary to protect CUI during each level of CMMC.

Does CUI Compliance Apply to Your Type of Research?

CUI may include research data and other project information that a research team receives, possesses, or creates under a sponsored contract. Since CUI encompasses a large range of information types in research, a more complete reference to CUI data types can be found in the National Archives CUI Registry. As an example, the following is a non-exhaustive list of categories that may apply to researchers:

  • Critical Infrastructure
    • General Critical Infrastructure Information
    • Information Systems Vulnerability Information
    • Physical Security
  • Export Control
  • Intelligence
  • Law Enforcement
    • DNA
  • Privacy
    • General Privacy
    • Genetic Information
    • Health Information
    • Personnel Records
    • Student Records

In addition to the categories outlined above, CUI compliance may be required if your proposal, award, or contract includes one or more of the following:

Why Is This Important?

Lab data within the scope of CUI as outlined by the National Archives CUI Registry must meet the appropriate security requirements as detailed in NIST SP 800-171. Failure to comply may result in refusal, objection, or loss of research awards, as well as future ineligibility for DOD contracts or contracts with other government agencies.

The Compliance Process

Step 1: Verify CUI Possession

Verify that your research project will create, receive, or possess CUI of any type.

Step 2: Complete CUI Checklist

Work with local IT staff to complete the CUI Checklist for base security.

Step 3: Submit CUI Intake Form

Submit a CUI form to alert the Technical Working Committee that your project contains CUI.

Step 4: Consultation

The Technical Working Committee will offer solutions and assign controls to ensure your security guidelines are met.

Step 5: Certification of CUI-Compliant Environment

Draft your research proposal with the certification of a CUI-compliant environment supplied by the Technical Working Committee.