Controlled Unclassified Information (CUI)

Tags: CUI

What is CUI?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.  See https://www.archives.gov/cui/registry/category-list.

This article will help you determine if your research is impacted by these requirements and if so, what steps you need to take. 

Does this apply to you?

CUI compliance may be required if your RFP/solicitation, award, or contract includes any of the following references:

  • 32 CFR 2002 Controlled Unclassified Information
  • NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • 52.204-21 Basic Safeguarding of Covered Contractor Information Systems 
  • 252.204-7008 Compliance with safeguarding covered defense information controls
  • 252.204-7012 Safeguarding covered defense information and cyber incident reporting

Examples of CUI@OU

Given the CUI designation, these types of data would carry NIST SP 800-171 security requirements.  This is typically extended via terms and conditions of a relevant agreement.

  • Defense
    • Controlled Technical Information
    • DoD Critical Infrastructure Security Information
  • Export Control
    • Export Controlled
    • Export Controlled Research
  • Protected Health Information (PHI)
    • Subset of PII requiring additional protection
    • Health information that identifies the individual
    • Created or received by a healthcare provider, health plan, or employer, or a business associate of these
    • Related to:
      • Physical or mental health of an individual
      • Provision of healthcare to an individual
      • Payment for the provision of healthcare to an individual
  • Tax
    • Federal Taxpayer Information (FAFSA)
  • Privacy
    • Personnel Records (HR)
    • Student Records (FERPA)

CUI Compliance Process

  1. Consult with local IT staff about space, hardware, configuration, and access settings.  Review the article Define the environment (on-premise or cloud) for a list of services available from OU IT.
  2. Submit a CUI Request Form to alert IT Security that your proposal contains CUI requirements.  It is important to get a head start on this at the proposal stage because if your proposal is awarded, you may have 30 days or less to report to the federal government that you are compliant.
  3. Based on the information you have provided in the CUI Request Form (step 2), IT Security will help you select methods and controls to ensure that your information system meets NIST 800-171 guidelines and test and evaluate controls prior to final implementation.
  4. IT Security will validate foreseeable project data risks, and the OU Chief Information Security Officer (CISO) will sign off on the assessment and pass it on to you, the PI, for your information.  Along with the Director for the Office of Export Controls, you may (1) accept the risk as stated or (2) take action to mitigate the risk per the CISO's suggestions.  If (1), you will be informed of all risks that the project and data requirements may involve, and it will be up to you to determine whether you are willing to assume them.

What's Required To Comply With NIST 800-171?

NIST 800-171 has 109 controls (14 control families) that impose requirements at the environmental, system, access, user, and logging/auditing levels.  Some of these are summarized below.

See the NIST Publication for complete information.

Requirements by Control Family
Access Control

The system (hardware, software, data) must:

  • Permit access only to individuals authorized by the Principal Investigator (PI) and currently working on the project.
  • Account for users no longer working on the project: their accounts must be removed within 48 hours of the user's transfer or termination.
  • Provide users with accounts that carry the least privileges necessary to conduct their work or research.
  • Be accessed only from university-owned computers/devices.
  • Avoid the use of portable storage devices or third-party services for project data.
  • Allow only a single individual (such as the PI) to post public information about the project, and only if authorized by the contract.

See Control Access to Data.

Awareness and Training

Users of the system:

  • Must complete university-sponsored security training.

See Complete CUI Training.

See Understand CUI Marking.

Auditing

Logging/auditing and documentation of the system and its users/personnel must be carried out.  This includes maintaining:

  • Records of authorized users and their privileges.
  • Records of applications installed on the system and on user workstations and devices, and of authorized users and portable media.


See System Log Review Guideline.
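The Access Control requirements above (PI-authorized users only, removal within 48 hours of transfer or termination, least privilege) and the Auditing requirement to keep a record of authorized users and their privileges can be checked with one periodic review. The following Python script is an added example, not part of this article and not OU IT's tooling. It assumes a roster maintained by the PI (username, project role, and the date the user left the project, if any) and an export of the system's accounts with their privilege level; the role-to-privilege mapping and every name and date in it are constructed for illustration.

```python
"""Access review for a CUI project system (added illustration, not OU code).

Inputs assumed: the PI's project roster (authorized users, their role, and
the date they left the project, if any) and an export of the system's
accounts with their privilege level.  All names, roles, and dates below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Accounts must be removed within 48 hours of a user's transfer or termination.
REMOVAL_DEADLINE = timedelta(hours=48)

# Least-privilege ceiling per project role.  Assumed mapping; a real project
# would take this from its documented access-control plan.
ROLE_MAX_PRIVILEGE = {"pi": "admin", "researcher": "user", "student": "user"}
PRIVILEGE_RANK = {"user": 0, "admin": 1}


@dataclass
class RosterEntry:
    username: str
    role: str
    left_project: Optional[datetime]  # PI-recorded transfer/termination time


@dataclass
class SystemAccount:
    username: str
    privilege: str  # "user" or "admin"
    enabled: bool


Finding = Tuple[str, str]  # (username, finding code)


def review_access(roster: List[RosterEntry], accounts: List[SystemAccount],
                  now: datetime) -> List[Finding]:
    """Compare enabled system accounts against the PI's roster.

    Codes: NOT_ON_ROSTER (never authorized), REMOVAL_OVERDUE (left more than
    48h ago, still enabled), REMOVAL_PENDING (left within the last 48h,
    removal still due), EXCESS_PRIVILEGE (privilege above the role's ceiling).
    """
    by_name = {entry.username: entry for entry in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account grants no access; nothing to flag
        entry = by_name.get(acct.username)
        if entry is None:
            findings.append((acct.username, "NOT_ON_ROSTER"))
            continue
        if entry.left_project is not None:
            elapsed = now - entry.left_project
            code = "REMOVAL_OVERDUE" if elapsed > REMOVAL_DEADLINE else "REMOVAL_PENDING"
            findings.append((acct.username, code))
        ceiling = ROLE_MAX_PRIVILEGE.get(entry.role, "user")
        if PRIVILEGE_RANK[acct.privilege] > PRIVILEGE_RANK[ceiling]:
            findings.append((acct.username, "EXCESS_PRIVILEGE"))
    return findings


def authorized_user_record(roster: List[RosterEntry],
                           accounts: List[SystemAccount]) -> List[Tuple[str, str, str]]:
    """The record of authorized users and privileges the Auditing family asks
    for: one (username, role, privilege) row per enabled account that is on
    the roster and has not left the project, sorted so reviews diff cleanly."""
    by_name = {entry.username: entry for entry in roster}
    rows = [(acct.username, by_name[acct.username].role, acct.privilege)
            for acct in accounts
            if acct.enabled and acct.username in by_name
            and by_name[acct.username].left_project is None]
    return sorted(rows)


# Constructed sample data: review run at 2024-06-25 09:00.
SAMPLE_NOW = datetime(2024, 6, 25, 9, 0)
SAMPLE_ROSTER = [
    RosterEntry("alice", "pi", None),
    RosterEntry("bob", "researcher", None),
    RosterEntry("carol", "student", datetime(2024, 6, 20, 9, 0)),   # left 5 days ago
    RosterEntry("frank", "student", datetime(2024, 6, 24, 23, 0)),  # left 10 hours ago
]
SAMPLE_ACCOUNTS = [
    SystemAccount("alice", "admin", True),
    SystemAccount("bob", "admin", True),    # researcher holding admin rights
    SystemAccount("carol", "user", True),   # departed, account still enabled
    SystemAccount("dave", "user", True),    # never on the roster
    SystemAccount("erin", "admin", False),  # disabled, so not a finding
    SystemAccount("frank", "user", True),   # departed, inside the 48h window
]

if __name__ == "__main__":
    for user, code in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, SAMPLE_NOW):
        print(f"{user}: {code}")
    for row in authorized_user_record(SAMPLE_ROSTER, SAMPLE_ACCOUNTS):
        print("authorized:", *row)
```

Run on the sample data, the review flags bob (a researcher holding admin rights), carol (still enabled five days after leaving, past the 48-hour limit), dave (no PI authorization) and frank (left ten hours ago, removal due), while the authorized-user record lists only alice and bob. Keeping each dated run of the record alongside the findings gives the auditable trail the Auditing family describes.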

Physical Security

The hosting environment (physical space) in which the system is housed must:

  • Be secured (locks, cameras, card readers, guards) to ensure access only by authorized personnel.
  • House project components (hardware, software) in separate racks from other systems.  Racks must be secured with locking mechanisms.

System and Communications Protection

The system (hardware, software, data) must be logically or physically separated from other information systems and:

  • Be built from components with the security settings/configuration baselines necessary to meet NIST 800-171 controls.
  • Include only required applications and keep unnecessary processes and ports disabled.
  • Be isolated from other campus information flows by firewalls and network segmentation.
  • Encrypt all data in transit and at rest using FIPS 140-2 encryption standards.
  • Include a test environment for analyzing impact of changes; maintain regular patching timeframes.
  • Incorporate processes for documentation, inventory, change management, personnel authorization.

See Encryption Standard.
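The requirement to include only required applications and keep unnecessary ports disabled is easiest to verify against a written baseline of the listeners the system is documented to need. The following Python script is an added example, not part of this article and not OU IT's tooling. It parses the output format of `ss -tuln` on Linux and reports every listener absent from the baseline; the allowlist and the `ss` output in it are constructed for the example.

```python
"""Listening-port baseline check (added illustration, not OU code).

Parses the output of `ss -tuln` on Linux and reports every listener that the
project's documented baseline does not require.  The allowlist and the `ss`
output below are constructed for the example.
"""
from typing import List, Set, Tuple

# Constructed baseline: the only listeners this system is documented to need.
ALLOWED_LISTENERS: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443)}

# Constructed `ss -tuln` output (header line included, as ss prints it).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

Listener = Tuple[str, str, int]  # (protocol, local address, port)


def parse_ss(output: str) -> List[Listener]:
    """Extract (proto, address, port) from `ss -tuln` lines; skips the header."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local Address:Port is one field; split on the last colon so IPv6
        # addresses such as [::] keep their own colons.
        addr, port = fields[4].rsplit(":", 1)
        listeners.append((fields[0], addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for listeners reachable only from the host itself."""
    return addr.startswith("127.") or addr == "[::1]"


def audit_listeners(output: str,
                    allowed: Set[Tuple[str, int]]) -> List[Tuple[str, int, str, str]]:
    """Return (proto, port, address, code) for every listener not in the baseline.

    LOOPBACK_ONLY: bound to the local host only; confirm the service is still
    needed.  NOT_IN_BASELINE: reachable from the network and not documented,
    so the process should be disabled or the baseline updated with a reason.
    """
    findings = []
    for proto, addr, port in parse_ss(output):
        if (proto, port) in allowed:
            continue
        code = "LOOPBACK_ONLY" if is_loopback(addr) else "NOT_IN_BASELINE"
        findings.append((proto, port, addr, code))
    return findings


if __name__ == "__main__":
    for proto, port, addr, code in audit_listeners(SAMPLE_SS_OUTPUT, ALLOWED_LISTENERS):
        print(f"{code}: {proto}/{port} bound to {addr}")
```

Against the sample output the check passes SSH and HTTPS (on both address families), flags the database on 5432 as loopback-only for confirmation, and reports 8080/tcp and 161/udp as network-reachable listeners missing from the baseline. Running it from the change-management process, before and after patching, turns the "unnecessary ports disabled" requirement into a repeatable test rather than a one-time inspection.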

System and Information Integrity

The system (hardware, software, and data) must:

  • Collect log information documenting all user actions and installed applications.
  • Include processes for incident reporting and remediation of vulnerabilities.
  • Install OU anti-virus/anti-malware software.

Maintenance

The system (hardware, software, and data) must:

  • Provide processes for maintenance, including authorization and escort of third-party personnel, validation of the tools they bring, and a preference for local maintenance processes over remote ones.


Details

Article ID: 3136
Created
Tue 12/5/23 10:52 AM
Modified
Thu 6/27/24 2:41 PM