April 2020 - Note: because of new third-party oversight of an organization's compliance with CUI (800-171) requirements, UNH is not currently able to provide for CUI data management.
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways:
- Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic;
- Requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or
- Requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
As a participant in federally-funded research programs, our University receives data from or generates information for government agencies, corporate entities, and other institutions of higher education. Many of these awards and contracts require compliance with specific federal regulations enacted to protect categories of sensitive or labeled information, now commonly called “controlled unclassified information” or “CUI.”
Common examples of CUI are identified by markings such as Proprietary, Confidential, and all Defense Department Distribution Statements B through F. "Labeled information" includes any non-classified information that carries legacy or agency-specific designations and is CUI; this covers labels such as Unclassified (U), For Official Use Only (U//FOUO), Official Use Only (OUO), and Sensitive But Unclassified (SBU). Some projects whose information is not specifically marked may still include CUI.
Some common types of information that meet the definition of CUI are given in the following quick reference list of common CUI Specified subsets; for a complete list of CUI categories, visit National Archives CUI Categories.
- Critical Infrastructure
- Controlled Technical Information
- Emergency Management
- Export Control
- Geodetic Product Information
- Information Systems Vulnerability Info
- International Agreements
- Law Enforcement
- Natural and Cultural Resources
- NATO Controlled
- Procurement and Acquisition
- Proprietary Business Information
- SAFETY Act Information
It is the executive agency funding research at the University that is responsible for identifying what it considers CUI under its auspices, in accordance with the rules from NARA. The agency in turn is responsible for alerting the University, for example in the Request for Proposal (RFP) information packet or during contract negotiations, that CUI is involved and that the University will therefore be required to be in compliance when sharing, handling, or generating this type of data, or risk default and all that it implies.
If you receive the award, it is also recommended that you keep in regular contact with your sponsor to ensure that data or widgets considered non-CUI have not been redesignated as CUI.
The project PI is responsible for CUI compliance throughout the project from start to finish. CUI agreements can take the shape of a contract, grant, license, memoranda of agreement, or information-sharing agreement.
Understand the data categories on your contract, what data/widget/device you or your team may create during the performance of a contract, the requirements to protect that data/widget/device, and the costs associated with that protection before you sign the contract.
Key Elements of the CUI Program
(Adapted from National Archives, About Controlled Unclassified Data)
Scope: Executive Order 13556 "Controlled Unclassified Information" establishes a program for managing all unclassified information in the Executive branch that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.
Registry & Oversight: The Executive Agent (EA) will create a public registry of authorized categories, subcategories, and markings of CUI and their definitions, along with applicable safeguarding, dissemination, and decontrol procedures. The National Archives and Records Administration (NARA), through its Information Security Oversight Office (ISOO), shall serve as the EA to implement and oversee agency actions to ensure compliance with the Order.
Agency responsibility: Each Executive branch department and agency will identify a mechanism, i.e., office or individual(s), responsible for administering CUI policy. Agencies will also develop tailored CUI policies to meet agency-specific needs, and establish an internal oversight mechanism to promote consistent practices.
Implementation strategy: U.S. Government’s Executive branch departments and agencies will review all categories, subcategories, and markings used to designate unclassified information for safeguarding and dissemination controls and submit proposed categories, subcategories, and markings to the EA for review and approval. The EA will consult with affected agencies and non-governmental stakeholders to develop and issue such directives as are necessary to implement the Order. Phased implementation of the Order will take place based on deadlines established by the EA, in consultation with the Office of Management and Budget, and departments and agencies.
FOIA: The mere fact that information is designated as CUI shall not have a bearing on the Freedom of Information Act (FOIA) requests or determinations. The CUI program makes no changes to the FOIA process.
Failure to Comply
- Risk of fines
- Loss of ability to obtain Sponsored Research
For our purposes here, "data" is defined as any form of information, whether physical (paper, photos, devices, widgets, etc.) or electronic (photos, files, datasets, scans, email, videos, etc.). "PI" is the UNH principal investigator receiving the sponsored award.
In the case of a Sponsored Research Project:
- when the data is provided by the government directly (or indirectly via a compliance flow-down sub-contract or sub-award) to the PI or any member of their team, the CUI designation and access rules are governed by the entity providing the data. This compliance flow-down therefore includes responsibility by the PI and their team for maintaining CUI compliance if or when the data is then housed, shared, mailed, emailed, etc. by the PI and their team at UNH.
- when data is generated by the PI and their team, and the sponsor indicates that the data shall be designated as CUI, then access to this data is to be governed under the rules of CUI compliance. It is the PI's primary responsibility to ensure that these rules and regulations are maintained.
The Requirements that Flow-Down to Your Project
The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.
Working with NARA, the National Institute of Standards and Technology (NIST) created Special Publication 800-171, which provides the guidelines for use in protecting CUI. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.
The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
Guiding Principles for CUI at UNH
CUI compliance at UNH can be achieved through a joint partnership between the PI and their sponsor, UNH Information Security Systems, UNH Research Computing Center, and UNH Sponsored Programs. Each group plays a vital role in helping the PI and their team maintain CUI compliance for their project's CUI. The following information is provided to inform the PI and their team of what they should expect to cover during the partnership effort to comply with the requirements for handling CUI.
- Identify and implement controls that limit access to the system and data strictly to individuals affiliated with the research project.
- Ensure that researchers, administrators, and technologists are informed of the security risks associated with their activities and of methods required to reduce those risks.
- Implement system audit controls to record and report events deemed unlawful, unauthorized, or inappropriate to the research project or to UNH. Events should be associated with an individual user.
- Document and maintain an inventory of the information system assets (e.g. servers, laptops, mobile devices, and software applications) and their security configuration settings.
- Identify and maintain an inventory of researchers, administrators, and technologists who have access to the information systems being used to support the research project. Each user should have a unique account for authenticating to applications, servers, workstations, laptops, and mobile devices.
- Follow the UNH Incident Reporting Policy and Procedure for reporting any potential compromises relating to the research data or the systems used to support the project.
- Create and maintain processes for managing the lifecycle of the information systems used to support the research project. This includes applying patches to applications and servers as well as having a data and information disposal plan.
- Control physical access to and securely store media assets containing CUI by limiting access to CUI authorized users and sanitizing or destroying media containing CUI before disposal or reuse.
- Conduct screening activities (e.g. background checks) when recruiting and on-boarding researchers, administrators, and technologists who will have access to CUI and ensure access is removed when a researcher, administrator or technologist is off-boarded from the research project.
- Physical access to organizational information systems, equipment, and the respective operating environments should be strictly limited to authorized individuals. These spaces should be monitored.
- Periodic risk assessments should be conducted to ensure security controls are working as designed.
- The information system should be monitored to detect and report indicators of potential compromises, data exfiltration, or other misuses.
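Several of the principles above (a maintained inventory of who has access, one unique account per person, removal of access at off-boarding, audit events attributable to an individual, and monitoring for possible exfiltration) can be checked mechanically against a project's own records. The script below is an added example, not UNH or NIST code; the roster, access-inventory and audit-log formats are assumptions, and every record in it is constructed for the illustration. It reconciles the access inventory against the project roster and scans audit lines for events that cannot be tied to an affiliated person.

```python
"""Reconcile a CUI project's access inventory and audit log against its roster.

Added example (not UNH's or NIST's code). The roster, inventory and log
formats below are assumptions chosen for the illustration, and all data
is constructed.
"""
import re
from datetime import date

# Constructed roster: people affiliated with the project. An off-boarding
# date means access should have been removed on or before that day.
ROSTER = {
    "jdoe":   {"role": "PI",           "offboarded": None},
    "asmith": {"role": "researcher",   "offboarded": None},
    "bwong":  {"role": "technologist", "offboarded": date(2020, 3, 15)},
}

# Constructed access inventory: which account exists on which CUI system.
ACCESS_INVENTORY = [
    {"system": "cui-fileserver",     "account": "jdoe"},
    {"system": "cui-fileserver",     "account": "asmith"},
    {"system": "cui-fileserver",     "account": "bwong"},
    {"system": "cui-workstation-01", "account": "lab"},
    {"system": "cui-workstation-01", "account": "jdoe"},
]

# Constructed audit log in an assumed "timestamp user=.. action=.. target=.. [dest=..]" format.
AUDIT_LOG = """\
2020-04-01T09:12:03Z user=jdoe action=read target=/cui/proposal.docx
2020-04-01T09:15:44Z user=lab action=read target=/cui/dataset.csv
2020-04-01T10:02:10Z user=bwong action=write target=/cui/notes.txt
2020-04-01T10:05:00Z user=asmith action=copy target=/cui/dataset.csv dest=usb0
"""

# Generic or shared account names that can never be attributed to one person.
GENERIC_ACCOUNTS = {"lab", "admin", "guest", "shared"}

# Date on which the review is run (assumed).
REVIEW_DATE = date(2020, 4, 1)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+)(?: dest=(?P<dest>\S+))?$"
)


def _is_offboarded(roster, account, today):
    off = roster[account]["offboarded"]
    return off is not None and off <= today


def review_inventory(roster, inventory, today):
    """Flag accounts on CUI systems that are not tied to a current project member."""
    findings = []
    for entry in inventory:
        system, acct = entry["system"], entry["account"]
        if acct in GENERIC_ACCOUNTS or acct not in roster:
            # Shared or unknown account: violates one-unique-account-per-person.
            findings.append(("unattributed-account", system, acct))
        elif _is_offboarded(roster, acct, today):
            # Person left the project but access was never removed.
            findings.append(("stale-access", system, acct))
    return findings


def review_audit_log(roster, log_text, today):
    """Flag audit events that cannot be attributed to an individual or look like exfiltration."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(("unparsed-line", line))
            continue
        user = m["user"]
        if user in GENERIC_ACCOUNTS or user not in roster:
            findings.append(("unattributable-event", m["ts"], user))
        elif _is_offboarded(roster, user, today):
            findings.append(("offboarded-user-activity", m["ts"], user))
        if m["action"] == "copy" and m["dest"]:
            # Copy to an external destination (e.g. removable media): review for exfiltration.
            findings.append(("removable-media-copy", m["ts"], user, m["dest"]))
    return findings


def run_review():
    """Run both checks over the constructed records and return them keyed by check."""
    return {
        "inventory": review_inventory(ROSTER, ACCESS_INVENTORY, REVIEW_DATE),
        "audit": review_audit_log(ROSTER, AUDIT_LOG, REVIEW_DATE),
    }


if __name__ == "__main__":
    for check, items in run_review().items():
        for item in items:
            print(check, *item)
```

In practice the roster would come from the project's on-boarding records and the inventory from the systems themselves (local account lists, directory group membership); the point of the reconciliation is that every account and every audit event maps to exactly one named, currently affiliated person, and anything that does not is a finding to close before the next assessment.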
Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program standardizes the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.
As the Federal Government's Executive Agent (EA) for Controlled Unclassified Information (CUI), the National Archives and Records Administration (NARA), through its Information Security Oversight Office (ISOO), oversees the federal government-wide CUI program. As part of that responsibility, ISOO issued a rule to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program.
The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, create, use, or have access to Federal information and information systems on behalf of an agency.
- NARA ISOO issued CUI rule 32 CFR 2002
- Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which invokes NIST 800-171
- Executive Order 13556 "Controlled Unclassified Information"
For questions about CUI, contact:
Enterprise IT Research Computing Center
Phone: (603) 862-2889
Planning for your Project Proposal
If you have or think you will have CUI, follow these steps for implementation of CUI compliance at UNH.
Step 1: Educate yourself and your team by reviewing this webpage, then email the CUI contact (above) who will initiate your consultation with the UNH CUI team about space, hardware, configuration, and access settings that meet the NIST 800-171 requirements using this sample CUI Checklist. USNH checklist in development.
Step 2: A Sample CUI intake form (UNH form to be developed) may be used to alert the CUI contact that your proposal contains CUI requirements. It is critical to get a head start on this at the proposal stage because if your proposal is awarded, you may have 30 days or less to report to the federal government that you are compliant.
Step 3: Based on the information you have provided in the intake form (step 2 above), the USNH CUI Team may assign a level of Availability, Integrity, and Confidentiality to the data.
Step 4: The team will help you select methods and controls to ensure that the information system meets NIST 800-171 guidelines and test and evaluate controls prior to final implementation.
Step 5: The USNH CUI Team will validate foreseeable project data risks, and the USNH Chief Information Security Officer (CISO) may sign off on the assessment and pass it on to you, the PI, for your information. Along with your Risk Executive—Dean, Director or other executive designated to review—you may (1) accept risk as stated, (2) take action to mitigate risk per the CISO's suggestions, or (3) determine this risk is too high as a measure of risk management. If (3), you will be informed of all risks that the project and data requirements may involve, and it will be up to you to determine if you are willing to assume the risk. The details of the project will be outlined in a report which will then be submitted to the appropriate Federal agency. See the sample campus Risk Management Framework for details. A USNH framework has not yet been published.
Step 6: Once the project begins and the system is active and operating the USNH CUI team will monitor and report anomalies of concern for review and mitigation.