What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. See https://www.archives.gov/cui/registry/category-list.
Examples of CUI@OU
Because these data types carry a CUI designation, they are subject to the NIST SP 800-171 security requirements. Those requirements typically flow down to OU through the terms and conditions of the relevant agreement (grant, contract, or data use agreement).
- Defense
  - Controlled Technical Information
  - DoD Critical Infrastructure Security Information
- Export Control
  - Export Controlled
  - Export Controlled Research
- Protected Health Information (PHI)
  - Subset of PII requiring additional protection
  - Health information that identifies the individual
  - Created or received by a healthcare provider, health plan, or employer, or a business associate of these
  - Related to:
    - Physical or mental health of an individual
    - Provision of healthcare to an individual
    - Payment for the provision of healthcare to an individual
- Tax
  - Federal Taxpayer Information (FAFSA)
- Privacy
  - Personnel Records (HR)
  - Student Records (FERPA)
What is NIST SP 800-171?
NIST SP 800-171 defines 110 recommended security requirements for protecting the confidentiality of CUI when it resides on an OU system (e.g., a server, database, or laptop). The requirements are grouped into the 14 families listed below.
| Category | Category |
|---|---|
| Access Control | Media Protection |
| Awareness and Training | Personnel Security |
| Audit and Accountability | Physical Protection |
| Configuration Management | Risk Assessment |
| Identification and Authentication | Security Assessment |
| Incident Response | System and Communications Protection |
| Maintenance | System and Information Integrity |
Does my RFP/RFI involve CUI?
CUI compliance may be required if your RFP, solicitation, award, or contract includes any of the following references:
- 32 CFR 2002, Controlled Unclassified Information
- NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems
- DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Controlled Defense Information (CDI)
What do I need to do?
- Complete CUI Training
- Conduct Background Checks
- Classify and Categorize CUI data
- Define the environment (on-premise or cloud)
- Inherit Security
- Schedule Risk Assessment
- Understand CUI Marking