Controlled Unclassified Information (CUI)


This article provides insights into CUI @OU, what you need to do to protect CUI, and what OU IT is doing to protect CUI @OU.


What is CUI?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.  See

Examples of CUI@OU

Given the CUI designation, these types of data would carry NIST SP 800-171 security requirements.  This is typically extended via terms and conditions of a relevant agreement.

  • Defense
    • Controlled Technical Information
    • DoD Critical Infrastructure Security Information
  • Export Control
    • Export Controlled
    • Export Controlled Research
  • Protected Health Information (PHI)
    • Subset of PII requiring additional protection
    • Health information that identifies the individual
    • Created or received by a healthcare provider, health plan, or employer, or a business associate of these
    • Related to:
      • Physical or mental health of an individual
      • Provision of healthcare to an individual
      • Payment for the provision of healthcare to an individual
  • Tax
    • Federal Taxpayer Information (FAFSA)
  • Privacy
    • Personnel Records (HR)
    • Student Records (FERPA)

What is NIST SP 800-171?

NIST SP 800-171 defines 110 recommended security requirements for protecting the confidentiality of CUI when resident on an OU system (e.g., server, database, laptop, etc.).

Category Category
Access Control Media Protection
Awareness and Training Personnel Security
Audit and Accountability Physical Protection
Configuration Management Risk Assessment
Identification and Authentication Security Assessment
Incident Response System and Communications Protection
Maintenance System and Information Integrity

Does my RFP/RFI involve CUI?

CUI compliance may be required if your RFP/solicitation, aware, or contract includes any of the following references:

  • 32 CFR 2002 Controlled Unclassified Information​​​​​​​

  • NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organization

  • 52.204-21 Basic Safeguarding of Covered Contractor Information Systems 

  • 252.204-7008 Compliance with safeguarding covered defense information controls

  • 252.204-7012 Safeguarding covered defense information and cyber incident reporting

  • Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Controlled Defense Information (CDI)

What do I need to do?

  1. Complete CUI Training
  2. Conduct Background Checks
  3. Classify and Categorize CUI data
  4. Define the environment (on-premise or cloud)
  5. Inherit Security
  6. Schedule Risk Assessment
  7. Understand CUI Marking



Article ID: 3136
Tue 12/5/23 11:52 AM
Tue 2/6/24 2:04 PM

Related Services / Offerings

Related Services / Offerings (1)