Safeguarding Controlled Unclassified Information (CUI)
What is Controlled Unclassified Information (CUI)?
As defined by Presidential Executive Order 13556 and 32 CFR 2002, CUI is information that the Federal Government creates or possesses, or that an entity creates or possesses for or on behalf of the Federal Government, that a law, regulation, or Federal Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include information that is classified under Executive Order 13526 or the Atomic Energy Act, as amended, and that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. The Federal CUI regulation applies to Federal executive branch agencies that handle CUI and to all organizations (including universities) that handle, possess, use, share, create, or receive CUI, or which operate, use, or have access to Federal information and information systems on behalf of such an agency.
General Information
In addition to classified information, certain types of unclassified information also require access and distribution controls and protective measures for a variety of reasons. University activities (e.g., sponsored research projects, non-disclosure agreements, proprietary information agreements) may include receiving, generating, or using controlled unclassified information. Access to CUI is usually restricted to U.S. persons, unless the sponsor has agreed to grant access to a Non-U.S. person under a fully executed non-disclosure agreement (NDA).
The Office of Research Compliance and Research Assurances (ORCRA) and the Information Security Office collaborate with the UT System Facility Security Officer/Security Manager to ensure there is a common approach to national security issues shared by export controlled and classified programs. The Office of Research Compliance and Research Assurances is responsible for helping UTEP faculty and staff with the security measures necessary to safeguard controlled unclassified information.
The UTEP Information Security Office (ISO) and the UTEP Office of Information Resources are responsible for administering programs that create a reliable and secure university computing environment. The Information Security Officer (ISO) provides assistance with the implementation and administration of information security initiatives and Data Owner’s security needs. Please contact the ISO at (915) 747-6324 or at security@utep.edu for additional information.
UTEP faculty and staff are responsible for:
- Obtaining the sponsoring organization’s guidance concerning access to CUI or Classified Information.
- Determining who will have access to CUI.
- Contacting ORCRA, ISO and OIT if a protection/security plan (e.g. technology control plan) is required to control access to and dissemination of CUI.
Regulations
CUI security controls must be compliant with the federal regulations specified in 32 CFR Part 2002 and by the National Archives and Records Administration (NARA), which acts as the CUI Executive Agent (EA) to oversee federal agency CUI compliance. The most commonly encountered Federal CUI requirements and guidelines include:
National Institute of Standards and Technology (NIST) Special Publications (SP)
- NIST SP 800-53r5 - Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-171r2 - Protecting CUI in Nonfederal Systems and Organizations
- NIST SP 800-172 - Enhanced Security Requirements for Protecting CUI: Supplement to 800-171 Rev.
Federal Acquisition Regulation (FAR) Security Requirements
- FAR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems
Department of Defense Federal Acquisition Regulation (DFARS)
- DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7019 - Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020 - NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7021 - Cybersecurity Maturity Model Certification Requirements
Other requirements and guidance as directed in agency-specific regulations and certain legal documents may also apply.
"Information" as defined by the Federal CUI Program may include research data and other project information, including non-public Federal Contract Information (FCI). FCI is normally protected in accordance with FAR 52.204-21 when a research team receives, possesses, or creates FCI in the performance of a sponsored contract.
“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems may include electronic media, non-electronic media, and physical environments.
Military Critical Technical Agreement (DD-2345 Form)
The Office of Research Compliance & Regulatory Assurances maintains an approved Military Critical Technical Agreement (DD-2345 Form) which is the institutional form used to register in the Joint Certification Program (JCP). Please contact the Research Security Officer prior to attending a meeting/conference where unclassified technical data will be disclosed. If you are planning to bring CUI back with you to UTEP, please contact the Research Security Officer at (915) 747-8470 for guidance.