The Controlled Unclassified Information (CUI) program was established as a uniform policy for federal executive branch agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI as well as guidelines for self-inspection and oversight requirements. The rule affects Federal executive branch agencies that handle CUI and all organizations that handle, possess, use, share, or receive CUI. The policy also covers organizations that operate, use, or have access to Federal information and information systems on behalf of an agency. Thus, the rule applies to Pitt when we are given access to, or generate, CUI.
The following sections provide additional information about the federal CUI program and how the University assists the research community in addressing CUI safeguarding requirements when they appear in a federal solicitation or award. Please see the CUI Summary Points section below for quick facts about CUI.
Additional CUI Information
- CUI Summary Points
- Controlled Unclassified Information (CUI) is information that the federal government requires you to safeguard appropriately and whose dissemination you must control. CUI is not information classified under Executive Order 13526 (PDF) – as secret or top secret, for example – or under the Atomic Energy Act. (See Section 1 below)
- CUI safeguarding requirements are only applicable to Pitt activities and Pitt information systems when mandated by a federal agency in a contract, grant, or other agreement. The obligation to determine whether a federal award will include CUI controls belongs to the federal sponsor. (See Sections 1, 2, and 9 below)
- Not all information handled or generated under federal projects is considered CUI! Research data and other project information that a research team receives, possesses, or creates during the performance of federally funded research is considered CUI only when required as a condition of a federal award. (See Sections 2 and 3 below)
- Pitt projects requiring the handling or generation of CUI typically contain publication restrictions that are contrary to University policy, and must be approved through an exceptions process administered by the Office of Sponsored Programs. Faculty are therefore encouraged to consider alternatives to CUI projects whenever possible, given the additional oversight responsibilities needed to manage them. (See Sections 7 and 9 below)
- University approved CUI projects are subject to mandatory safeguarding controls for marking documents, for email, and for packages and standard mail; controlled environments, both physical and electronic; principles for access and sharing; reproduction of CUI; faxing CUI; incident reporting; and destruction of CUI. (See Sections 4, 5, and 6 below)
- Federal CUI rules require universities to store CUI in non-federal systems that comply with the National Institute of Standards and Technology (NIST) 800-171 cybersecurity requirements. Faculty must agree to use Pitt-IT’s NIST 800-171 compliant environment as a condition of all approved University CUI projects. (See Section 5 below)
- CUI projects are subject to a technology control plan and mandatory training for all project personnel through the Office of Trade Compliance. (See Sections 8 and 9 below)
- The Office of Trade Compliance (OTC) oversees and manages Pitt’s CUI program. OTC partners with the Office of Sponsored Programs and Pitt-IT to assist faculty and Pitt’s research community in complying with federal CUI rules. (See Section 9 below)
- Section 1: Federal CUI Policies
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls but is not classified under Executive Order 13526 (PDF) or the Atomic Energy Act.
Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch.
32 CFR Part 2002 "Controlled Unclassified Information" establishes a uniform policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI as well as guidelines for self-inspection and oversight requirements. The rule affects Federal executive branch agencies that handle CUI and all organizations that handle, possess, use, share, or receive CUI. The policy also covers organizations that operate, use, or have access to federal information and information systems on behalf of an agency. Thus, the rule applies to Pitt when we are given access to, or generate, CUI.
The CUI Registry is the government-wide online repository for federal level guidance regarding CUI policy and practice. There are 125 CUI categories spanning more than 20 groupings. Civil and criminal sanctions for the misuse of CUI vary across the categories.
National Institute of Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides requirements for protecting the confidentiality of CUI. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
- Section 2: Types of CUI
Whenever the University agrees to accept a federal award requiring the receipt or generation of CUI, the federal sponsor will require CUI controls under one of the following two categories:
CUI Basic is information subject to the uniform set of controls defined in the CUI Registry. These controls include rules for marking documents, for email, and for packages and standard mail; controlled environments, both physical and electronic; principles for access and sharing; reproduction of CUI; faxing CUI; incident reporting; and destruction of CUI. CUI Basic controls apply when controls are required but no other specific controls are described.
CUI Specified, as described in the CUI Registry, is information subject to specific handling controls different from the uniform set of controls defined for the basic level. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic, and are determined by the federal agency funding the award.
Research data is only CUI if it is:
- Federal information provided to you by the U.S. government or another party on their behalf (example: a DOD contractor provides charts and diagrams that are marked as Controlled Technical Information (CTI) and carry the banner CUI//SP-CTI); or
- Subject to terms & conditions in the award that the information be treated as CUI. In such cases, information developed by you during the performance of U.S. government sponsored research would be CUI (example: a Department of Energy (DOE) laboratory provides a research award specifying that all generated data is CUI and further advises that the data will be classified in the CUI registry as General Nuclear information (NUC) and carry the banner CUI//SP-NUC).
- Section 3: Not Everything Is CUI
The following are illustrative examples of information that is not CUI:
- Proprietary research that is not funded by the federal government is not CUI. This is true even when the background information provided by the sponsor and/or your research results are proprietary technical information subject to the U.S. export control regulations.
- Medical information and/or human subjects data subject to privacy protections (e.g., HIPAA or as part of informed consent representations) are not CUI.
- Exception: Such data may be CUI when provided by the U.S. government, e.g., medical information about federal employees, to the University for use in research.
- Student information subject to privacy protections (e.g., FERPA) is not CUI.
- Exception: Such data may be CUI when collected by the U.S. government, e.g., certain financial information provided by students and/or parents in federal financial aid applications, which is then passed to the University for use in financial aid administration.
- Information that is already in the public domain (e.g., published), including publicly available U.S. government data sets.
- Non-contextualized research data (e.g., raw output collected for a CUI project that must be correlated with additional input from a person, application or second data source in scope of the CUI research project to have meaning or context) will generally not be considered CUI unless it bears identifying marks linking it to a specific CUI project.
- Note: Researchers are advised to discuss the possibility for designating certain output as "non-contextualized research data" with Pitt administrators when developing the technology control plan for the CUI project for which it will be collected.
It may be prudent to handle controlled information that is not CUI (e.g., export controlled, HIPAA, or FERPA data) with the same safeguarding standards, but this information should not be marked as CUI.
- Section 4: Requirements for Safeguarding CUI
32 CFR 2002.14 details the safeguarding requirements for CUI. In general, authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI, which must include the following measures:
- Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments;
- Reasonably ensure that unauthorized individuals cannot access or observe CUI or overhear conversations discussing CUI;
- Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier (such as a locked door to an enclosed room), and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and
- Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit, in accordance with the applicable security requirements and controls.
The regulations identify two types of information systems that process, store, or transmit CUI and specify different safeguarding standards for each.
- Federal Information Systems are information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. An information system operated on behalf of an agency provides information processing services to the agency that the Government might otherwise perform itself but has decided to outsource.
- Pitt information systems are not Federal Information Systems.
- Non-Federal Information Systems are all other information systems. Agencies may not treat non-Federal Information Systems as though they are agency systems, so agencies cannot require that non-executive branch entities protect these systems in the same manner that the agencies might protect their own information systems.
- Pitt IT maintains a CUI compliant non-federal information system for projects that involve the receipt or generation of CUI. Pitt Principal Investigators and their assigned team members are required to use this system whenever CUI will be received or generated under a financial or non-financial agreement the University agrees to accept. Pitt-IT will work directly with the PI to create a plan to comply with the cybersecurity requirements under each approved CUI project.
- More information on NIST SP800-171 cybersecurity standards applicable to non-federal information systems is given in the next section.
- Section 5: Protecting CUI in Non-Federal Systems and Organizations (NIST SP 800-171)
National Institute of Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171) defines the safeguarding requirements Pitt will apply to information systems that store, process, or transmit CUI.
NIST SP 800-171 identifies 110 unique requirements that apply to University information systems that process, store, or transmit CUI. The requirements are organized into the following 14 families:
- access control (22 controls)
- awareness and training (3 controls)
- audit and accountability (9 controls)
- configuration management (9 controls)
- identification and authentication (11 controls)
- incident response (3 controls)
- maintenance (6 controls)
- media protection (9 controls)
- personnel security (2 controls)
- physical security (6 controls)
- risk assessment (3 controls)
- security assessment (4 controls)
- system and communications protection (16 controls)
- system and information integrity (7 controls)
These cybersecurity requirements may be outlined in proposal solicitations for research projects where CUI is expected to be provided or generated. Any award agreement will indicate the specific cybersecurity controls for CUI.
Pitt IT maintains a CUI compliant Non-Federal Information system for cases that involve the receipt or generation of CUI. Pitt Principal Investigators are required to use this system whenever CUI will be received or generated under a financial or non-financial agreement the University agrees to accept. Pitt-IT will work directly with the PI to create a plan to comply with the cybersecurity requirements under each approved CUI project.
- Section 6: The Department of Defense (DoD) and CUI
DoD is the only agency that uses the terms covered defense information (CDI) and controlled technical information (CTI), which it defines in Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012.
However, in order to understand the scope of control, you also need to understand how DoD uses the term covered contractor information system, also defined in DFARS 252.204-7012.
- Controlled Technical Information (CTI) means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Dissemination of CTI is governed by DoD Instruction 5230.24, Distribution Statements on Technical Documents. CTI does not include information that is lawfully publicly available without restrictions.
- Covered Defense Information (CDI) means unclassified CTI or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
- Covered Contractor Information System means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits CDI.
Essentially, CTI is a specific category of CUI (listed on the CUI Registry as part of the Defense organizational index grouping) while CDI is a DoD term that encompasses all categories of CUI plus any other information DoD has not approved for public release.
DFARS 252.204-7012 is the DoD contract clause that requires covered contractor information systems be subject to the security requirements in NIST SP 800-171, the same standards that apply to CUI Basic; however, it also includes additional DoD-specific cyber incident reporting requirements.
DoD funded research involving CDI must include DFARS 252.204-7012 and will almost certainly include DFARS 252.204-7000 which requires DoD prior approval for any publication or other public release.
- Section 7: CUI and Export Controls
CUI categories encompass more types of information than are covered by export control regulations. However, these two information safeguard regimes may be applied independently and can overlap. For instance, the CUI Registry contains a category entitled “Export Controlled”. If a federal agency includes CUI safeguarding requirements in the award and identifies the Export Controlled CUI category as applicable, then both regulations will apply. Thus, the project will be controlled for both CUI and export control purposes and is considered CUI Specified.
The University of Pittsburgh maintains an openness in research policy that supports a faculty member’s freedom to publish the results of their research and include foreign nationals at their discretion. The export controls regulations call this type of research fundamental research which is defined by EAR 734.8(c) as "basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, and for which the researchers have not accepted restrictions for proprietary or national security reasons."
Technology or software that arises during or results from fundamental research and is intended to be published is not subject to the export control regulations.
While it is possible for a CUI controlled project to be fundamental research, these projects often contain restrictions on publication and/or participation of certain foreign nationals. As explained in Section 6, the DoD often includes DFARS clauses 252.204-7000 (the "7000 clause") and 252.204-7012 in the same contract. The 7000 clause includes a publication restriction that requires DoD prior approval for any publication or other public release.
These restrictions are not consistent with University policy and typically will not be accepted. For CUI and non-fundamental research projects that are accepted, the University requires the creation of a Technology Control Plan (TCP). The Office of Trade Compliance will work with the PI of the research project to develop the TCP and conduct any necessary training which is described further in the next section.
- Section 8: CUI Training
All Pitt personnel involved in projects that require receipt or generation of CUI must complete two types of training as a condition of the award. Personnel include the PI of the project, their staff and trainees, department/school administrators, Pitt IT staff, and other central office staff that may have a need to handle CUI or access protected CUI systems. These trainings will be conducted by the Office of Trade Compliance and include the following:
Broad CUI Training: Broad training includes an overview of export controls, the CUI program, and cybersecurity controls commonly used to protect CUI and other non-public information.
Specific CUI training: Specific training will be included as part of the Technology Control Plan (TCP) that OTC creates for the project. The training will include detailed information relevant to the project including: confirmed type(s) of CUI, marking requirements, cyber and physical security protocols, oral/written/electronic communication protocols, destruction guidance, insider threats, and available in-house assistance. Those who successfully complete the training will be required to sign a certification as part of the TCP.
Both broad and specific training will be done at the same time as part of a TCP.
Individuals added to a project governed by a TCP after the project has started must take the mandatory broad and specific TCP training and sign a certification prior to engaging in any activities that include access to CUI.
The PI will be required to recertify the terms of the TCP on an annual basis.
CUI training will be required every two years for those individuals named on a TCP that involves CUI.
U.S. Government CUI Training Materials
DoD Mandatory Controlled Unclassified Information (CUI) Training. Please note that while this course is mandatory training for all DoD personnel with access to controlled unclassified information, Pitt researchers are NOT required to complete this course unless specified in a contract. Other DoD-Specific CUI training materials can be found HERE.
National Archives and Records Administration (NARA) CUI Training Modules. Developed by the CUI Executive Agent, these training modules for the CUI Program are designed for a widespread audience at multiple levels within the government and beyond. They are intended to supplement any training or awareness efforts by Executive branch entities or other stakeholders (Non-federal organizations).
- Section 9: Roles and Responsibilities for CUI
Federal Agencies: Federal agencies are responsible for determining when CUI will be exchanged or created as part of an award or other transaction. CUI requirements are defined as a term and condition within an agreement along with corresponding cybersecurity measures to protect the CUI. As federal agencies continue to implement CUI requirements in agreements, the implementation of specific cybersecurity measures may differ. Federal agencies can develop and promulgate their own general purpose or project-specific clauses to specify safeguarding requirements for information or information systems.
Principal Investigator (PI): PIs are responsible for understanding and identifying research projects involving CUI as soon as possible so that proper steps can be taken to evaluate and negotiate acceptable terms and conditions. As part of this process, PIs should consider alternatives to using or generating CUI whenever possible due to the high level of protections required for CUI. It is vital to properly protect CUI whenever the University agrees to accept a project that includes the receipt or generation of CUI. Faculty are responsible for monitoring CUI compliance which includes oversight of trainees, staff, collaborators, and all subcontracts.
Consequences for not protecting CUI include:
- Loss of data
- Loss of research funding
- Cost and liability of breach
- Possible penalties, monetary fines
- Reputational risk for Pitt and you
It is important for PIs to recognize and understand that some CUI material is limited to US citizens only, while other material is limited to individuals from selected countries. The PI is responsible for ensuring that CUI material is only shared with the appropriate individuals.
When subcontractors are involved, or you are a subcontractor to another party, it is important to clearly distinguish at the proposal stage that Pitt maintains a fundamental research policy. Statements of work should be clearly written to support this position whenever possible.
As part of the negotiation process, the Office of Sponsored Programs and other Pitt offices as needed will work with the PI to ensure that there is a mutual understanding with the sponsor regarding all inputs and outputs for the project, including any CUI.
Office of Sponsored Programs (OSP): OSP is the central office charged with assisting faculty, staff, and students in their efforts to promote and secure sponsored research funding. The OSP reviews, negotiates, endorses, and provides administrative oversight related to proposals and awards in accordance with all applicable laws, policies and regulations.
The OSP works together with the PI and their department and school to submit and negotiate all sponsored projects and research related non-financial agreements that may require the receipt or generation of CUI.
Pitt IT: Pitt IT is the central office that provides helpful IT resources to Pitt faculty in support of their teaching, research, and daily work. Pitt IT works collaboratively with OSP and the PI whenever there are specific cybersecurity provisions in sponsored project awards. In cases where CUI will be received or generated under a financial or non-financial agreement, PIs are required to use a Pitt IT-approved, CUI compliant Non-Federal Information System as a condition of accepting the agreement.
The Office of Trade Compliance (OTC): OTC is the central office that provides effective practice and hands-on assistance to the University community for compliance with U.S. trade regulations and other research security topics like CUI. OTC works with OSP and Pitt IT in cases involving a federal contract or subcontract that requires the receipt or generation of CUI to create a mandatory TCP and to determine export controls applicability. OTC provides broad and specific training for personnel involved in projects requiring CUI under the TCP. OTC also maintains records on mandatory training for all staff involved in a project that requires CUI.
- Section 10: Help, Contacts, and Other Information
Allen A. DiPalma, Director, Office of Trade Compliance (firstname.lastname@example.org)
Jacki Correll, Assistant Director, Office of Trade Compliance (JMCorrell@pitt.edu)
John Duska, Deputy Chief Information Security Officer, Pitt IT (email@example.com)
Sean Gallagher, Security Analyst, Pitt IT (firstname.lastname@example.org)
Laura Kingsley, Director, Office of Sponsored Programs (email@example.com)
DOD CUI Program Webpage: https://www.dodcui.mil/Home/Training/
NARA CUI Webpage: https://www.archives.gov/cui
Additional information to be added later…