What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. See https://www.archives.gov/cui/registry/category-list.
This article will help you determine if your research is impacted by these requirements and if so, what steps you need to take.
Does this apply to you?
CUI compliance may be required if your RFP/solicitation, aware, or contract includes any of the following references:
- 32 CFR 2002 Controlled Unclassified Information
- NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organization
- 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
- 252.204-7008 Compliance with safeguarding covered defense information controls
- 252.204-7012 Safeguarding covered defense information and cyber incident reporting
Examples of CUI@OU
Given the CUI designation, these types of data would carry NIST SP 800-171 security requirements. This is typically extended via terms and conditions of a relevant agreement.
- Defense
- Controlled Technical Information
- DoD Critical Infrastructure Security Information
- Export Control
- Export Controlled
- Export Controlled Research
- Protected Health Information (PHI)
- Genomic data
- Subset of PII requiring additional protection
- Health information that identifies the individual
- Created or received by a healthcare provider, health plan, or employer, or a business associate of these
- Related to:
- Physical or mental health of an individual
- Provision of healthcare to an individual
- Payment for the provision of healthcare to an individual
- Tax
- Federal Taxpayer Information (FAFSA)
- Privacy
- Personnel Records (HR)
- Student Records (FERPA)
What is NIST 800-171?
The purpose of NIST 800-171 is to provide guidance for federal agencies to ensure that certain types of federal information are protected when processed, stored, and used in non-federal information systems. NIST 800-171 applies to Controlled Unclassified Information (CUI) shared by the federal government with a nonfederal entity.
See the NIST Publication for complete information.
Who is Responsible?
What is Needed to Comply?
What Do I Need to Do?
Step One: Comply with OU IT Policies
- Submit a CUI Request Form to alert IT Security that your proposal contains CUI requirements. It is important to get a head start on this at the proposal stage because if your proposal is awarded, you may have 30 days or less to report to the federal government that you are compliant. Based on the information you have provided in the CUI Request Form, IT Security will help you select methods and controls to ensure that your information system meets NIST 800-171 guidelines and test and evaluate controls prior to final implementation.
- Follow all existing policies (e.g., Identity and Access Management, Cybersecurity, etc.). Where you are unable to comply with an existing policy, submit an IT exception request and be prepared to create a project-level procedure that provides a detailed set of instructions detailing how you have implemented to secure the system.
- Create a Data Flow Diagram. Think of this diagram as conceptual rather than technical – multiple systems can be abstracted together. The purpose of this diagram is to identify the ports, protocols, and network services needed by the environment for data to flow between systems. The Data Flow Diagram can be used to request firewall rules be created to permit network traffic. See Firewall Request.
- Create a project cyber plan defining procedures for:
- Asset management
- Controlling personally owned devices
- Identity and access management
- Procedures for correlating system log records
- Baseline configuration details (e.g. tailored CIS Benchmarks)
- System-level change management procedures
- System maintenance procedures
- System media protection procedures
- Facility security procedures
- Vulnerability and flaw remediation procedures
Step Two: Apply Secure IT Configurations
- OU subscribes to the Center for Internet Security (CIS) SecureSuite program. CIS SecureSuite provides several resources designed to improve security including:
- CIS Benchmarks: prescriptive configuration guides for 100+ technologies
- CIS Build Kits: GPOs and shell scripts for configuring systems using CIS benchmarks
- CIS-CAT: instantly check systems against CIS Benchmarks, receive a compliance score of 1-100, and receive remediation guidance for steps you can take to improve security.
You can use these resources to help meet compliance requirements for ITAR, CUI, PCI DSS, HIPAA, and other relevant statutes or standards. As a developer or IT support person, you can use these tools at no cost to improve the security of systems you maintain and help improve OU’s overall security.
Step Three: Purchase Software
-
Investments in software may be needed to meet CUI requirements. Request an IT Security Assessment before installing new software to ensure it can meet requirements. All software used for your project must be documented in your System Security Plan.
Available from OU IT |
Plan to Purchase |
- Use OU anti-malware software, see CrowdStrike FAQ.
- Use OU vulnerability scanning and compliance monitoring software
- For web applications, use OU single-sign-on (SSO) when possible
- Use OU accounts through Active Directory integration whenever possible
|
- Microsoft 365 GCC High license for OneDrive, SharePoint, and Teams, see SecureResearchOU Request
- AWS GovCloud services, see CUI Access Request
- Azure GCC High services, see CUI Access Request
- FIPS-validated cryptography software
- System logging software
- Device management software
- Media disposal software
|
Step Four: Purchase Hardware
- Investments in hardware may be needed to meet CUI requirements. Request an IT Security Assessment before installing new hardware to ensure it can meet requirements. All hardware used for your project must be documented in your System Security Plan.
- Consult with local IT staff about space, hardware, configuration, and access settings.
- Store servers and other project hardware in an OU IT Data Center to inherit the security hardware provided by OU IT (e.g., firewalls, VPN, IDS/IPS, etc.).
- If you do not plan to use the OU IT Data Center, upgrades to hardware for environmental monitoring, heating/cooling, and more may be required.
- Purchase Standard Computers, whenever possible, to ensure hardware is automatically monitored.
Steve Five - Schedule a Project Risk Assessment
- The objective of this assessment is to express opinions as to whether your project IT environment conforms to the requirements and to evaluate the risks facing OU’s research mission. IT Security will validate forseeable project data risks and the OU Chief Information Security Officer (CISO) will sign off on the assessment and pass it on to you, the PI, for your information. Along with the Director for the Office of Export Controls, you may (1) accept the risk as stated, (2) take action to mitigate the risk per the CISOs suggestions. If (1), you will be informed of all risk that the project and data requirements may involve, and it will be up to you to determine if you are willing to assume the risk.