8.2.1.2 Confidential Research and Publications Policy

Policy Statement

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, but that is not classified under Executive Order 13526 or the Atomic Energy Act. The University of Oklahoma owns and operates information systems that contain CUI; these systems must follow NIST SP 800-171 when establishing the security requirements that protect the confidentiality of CUI on non-federal systems.

The purpose of this Policy is to define the security controls required for safeguarding CUI in OU Information Systems.

Scope

This policy applies to all authorized holders of CUI, which may include, but is not limited to, staff, faculty, students, contractors, affiliates, vendors, or other individuals with access to CUI. This policy also applies to any offer or information that OU, or a sub-contractor of OU, creates or possesses for or on behalf of the United States Government, which is required to be protected under law, regulation, or government-wide policy and is indicated in an executed contract or agreement where:

  • The associated data is labeled as Controlled Unclassified Information; or
  • The contract includes DFARS 252.204-7012 or any other clause that invokes CUI requirements.

Procedure

  1. Classification: CUI is categorized at the moderate confidentiality impact value in accordance with Federal Information Processing Standard 199, Standards for Security (FIPS Publication 199). Systems that include CUI must incorporate the requirement to safeguard CUI at the moderate confidentiality impact value into their design and management actions. OU may increase the confidentiality impact value above moderate and apply additional security requirements and controls only internally; it may not require anyone outside the agency to maintain the higher impact value or the more stringent security requirements and controls.
  2. Training and Awareness: OU faculty, staff, and any other OU personnel, including applicable contractors, who store, transmit, or process CUI must receive suitable CUI awareness training provided by the OU System Security Training, Education, and Awareness Team.
  3. Marking: All CUI documents must be protected according to applicable laws, regulations, and government-wide policies. Specific procedures for marking are outlined in the CUI Marking Guideline.
  4. Storage: Electronic CUI shall only be stored in a password-protected system (e.g., database, email, network drive, or a segregated and protected electronic storage device).
  5. Indicators: CUI indicators must be present to alert users to the presence of CUI within the system.
  6. Logon Warning or Banner: A warning must be shown on the login screen or on a screen displayed after logging in, and optionally in headers that appear on each page displayed.
  7. Application Printouts: Any printouts generated from an application must carry the CUI banner on every page of the printout. If the application does not print the banner, the user must write the banner on every printed page or use a CUI cover sheet to protect the printed information.
  8. Personally-owned Devices: CUI shall not be processed on personally owned electronic devices unless they connect through a means approved by OU IT GRC, with approved controls in place. CUI shall not be stored on personally owned electronic devices.
  9. Personal Email: CUI shall not be sent to or from personal email accounts.
  10. Posting CUI Information: CUI shall not be posted on or processed through any external or non-agency-approved websites or portals (internet kiosks, social media sites, blogs, etc.).
  11. IT Risk Assessment: All Information Systems storing, processing, or transmitting CUI must undergo an annual assessment conducted by the OU IT Governance, Risk, and Compliance Team.
  12. Authority to Operate: Offers and agreements that require a system storing or processing CUI to obtain an Authority to Operate (ATO) require the approval of the Director for the Office of Export Controls once the Information System has been assessed and authorized as compliant. The Authorizing Official (AO) is the senior official or executive with the authority to assume responsibility for operating an Information System at an acceptable level of risk.

References

  1. NIST Special Publication 800-171, Protecting Controlled Unclassified Information
  2. NIST Cybersecurity Framework
  3. Executive Order 13556, Controlled Unclassified Information (CUI)
  4. NARA's CUI webpage