UTEP

Controlled Unclassified Information


In addition to Federal classified information, certain types of Federal unclassified information require access and distribution controls and protective measures for a variety of reasons. University activities (e.g., sponsored research projects, non-disclosure agreements, proprietary information agreements) may include receiving, generating, or using controlled unclassified information (CUI). Access to CUI is usually restricted for Non-U.S. persons, unless the sponsor has agreed to grant access to a Non-U.S. person under a fully executed non-disclosure agreement (NDA).

What is the Distinction Between Fundamental Research and Restricted Research?

When working on a research proposal or accepting a new award from a federal agency, it is important to understand the distinction between fundamental research and restricted research. Restricted research involves greater administrative oversight as well as stringent security controls.

What is Fundamental Research?

National Security Decision Directive 189 (NSDD 189), National Policy on the Transfer of Scientific, Technical, and Engineering Information, defines fundamental research as “basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons.”

While a project may be considered fundamental research by the PI and the federal sponsor (or federal flow down), some sponsors may impose a distribution restriction that requires a review by the agency before any results are made publicly available. Examples of such restrictions include non-disclosure agreements, DoD Distribution Statements, and the DFARS 252.204-7000 clause.

What is Controlled Unclassified Information (CUI)?

As defined by Presidential Executive Order 13556 (the Order) and 32 CFR Part 2002, CUI is information that the Federal Government creates or possesses, or that an entity creates or possesses for or on behalf of the Federal Government, that a law, regulation, or Federal Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies that is classified under Executive Order 13526 or the Atomic Energy Act, as amended.

In order to qualify for federal contracts that require safeguarding of CUI, the University must implement a compliant infrastructure. 32 CFR Part 2002 requires use of NIST Special Publication 800-171 when establishing that infrastructure.

The CUI Registry

The Order specifies categories of non-classified information to be safeguarded and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the CUI program. NARA maintains official CUI categories and subcategories within the Federal CUI Registry. For a full listing of categories, please visit the CUI Registry General Guidelines site. The DoD version of the CUI categories can be found at https://www.dodcui.mil/.

CUI categories are divided into two subsets: basic and specified. Both subsets require compliance with NIST 800-171.

  • CUI Specified is the subset of CUI for which there are specific handling controls in addition to NIST 800-171. When working with CUI Specified, additional specific requirements must be met, as specified by the federal agency or by the authorizing law, regulation, or Government-wide policy.
  • CUI Basic is the subset of CUI that does not have specific handling or dissemination controls.

A federal agency or federal flow down is responsible for identifying and marking CUI and specifying handling requirements. In the absence of such guidance, it is the responsibility of the project PI to reach out to the program manager for CUI guidance. This is especially important for solicitations or contracts with the Department of Defense, which currently has the most mature Federal CUI program.

The guide below provides additional information on how to identify CUI requirements within federal solicitations, contracts, subcontracts, and other agreements.

Quick Reference Guide for Identifying FCI and CUI

CUI Quick Facts

  • CUI includes certain types of information such as financial, legal, privacy, and procurement.
  • CUI is a designation, not a classification of information.
  • CUI replaces legacy markings such as:
    • For Official Use Only (FOUO)
    • Sensitive but Unclassified (SBU)
  • Classified information is separate from the CUI Program.

General Steps for Working with CUI

  1. Confirm with the originating federal agency or flow down the need to receive, store, and/or process CUI.
  2. Report the need to rso@utep.edu. The Research Security Officer (RSO) will help confirm the need and trigger an Information Security Office (ISO) CUI review.
  3. Upon ISO CUI review:
    • You will receive a notice from security@utep.edu to take required CUI training. Links to the training modules and instructions for submitting your certificates will be included.
    • ISO will issue a loaner CUI laptop on which to work with CUI documents.
  4. Work with the RSO, ISO, and the CUI originator to negotiate how to properly receive CUI on the CUI laptop. Options include:
    • DoD Safe
    • PreVeil
    • Other ISO and Agency/Flow Down approved method
  5. If a controlled environment is needed to discuss or share CUI documents with others:
    • Request a Zoom – GovCloud account
    • Consult with the Information Security Office if the originator supports an alternate method
  6. If you need to share CUI documents with anyone at the University, request a PreVeil account from security@utep.edu. PreVeil provides a secure email platform for sharing documents as attachments.

 

Roles and Responsibilities

Safeguarding CUI


Processes & Procedures