CUI Frequently Asked Questions

Who needs to take CUI Training?

All personnel (including PI’s, CoPI’s, senior personnel, student researchers, research administrators, etc.) who will be interacting with or otherwise handling CUI (either within a proposal or during the performance of an award) must take the ISO approved CUI Training.

What do I do if a proposal to a federal agency is CUI?

When a sponsored project proposal involves Controlled Unclassified Information, the Research Protections unit, in consultation with the University Information Security Office, will work with the Principal Investigator (PI) to ensure a compliant environment is set up for development of the proposal. This will typically involve checking-out a CUI laptop from the Information Security Office to develop the proposal and working with your Research Administrator and the Research Protections unit for secure submission of the proposal.

What do I do if my award or project will involve storing, processing, or handling CUI?

When a university award involves controlled unclassified information, the Research Protections unit, in consultation with the University Information Security Office, will work with the Principal Investigator (PI) to ensure that all safeguarding requirements are addressed in a System Security Plan or Technology Control Plan before project funds are released.

Who do I contact to find out more about CUI?

For federal research related CUI, contact the University RSO (rso@utep.edu) for additional information on how to address CUI in proposals and throughout an award.

For non-research related CUI, contact the Information Security Office at security@utep.edu.

What do I do if I receive unsolicited CUI?

Follow the process outlined in the Processes and Procedures web page.

I am a PI on a CUI proposal, what are my roles and responsibilities?

Roles and responsibilities for a PI are outlined in the Roles and Responsibilities web page.

What are Distribution Statements?

DoD Instruction (DoDI) 5230.24 Distribution Statements on DoD Technical Information, establishes policies, assigns responsibilities, and provides procedures for assigning distribution statements on technical information, including: research, development, test and evaluation (RDT&E); engineering; acquisition; and sustainment information. Distribution statements specify the extent to which the technical information is available for secondary release and distribution without additional approvals or authorizations. Unless otherwise authorized by the controlling DoD office, non-U.S. Government entities or individuals are strictly prohibited from further distributing technical information subject to the restrictions in this DoDI. The distribution statements that typically apply to UTEP contracts with the federal sponsor or federal flow down include statements A, C, and D.

• Distribution Statement A. Approved for public release: distribution is unlimited.
• Distribution Statement C. Distribution authorized to U.S. Government agencies and their contractors.
• Distribution Statement D. Distribution authorized to the Department of Defense and U.S. DoD contractors only.

What is Federal Contract Information (FCI)

48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (also known as Federal Acquisition Regulation 52.204-21 or FAR 52.204-21), defines FCI as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments”.

FCI is normally protected on UTEP information systems in accordance with FAR 52.204-21 when a research team or research administrator receives, possesses, or creates FCI in the performance of a federal contract. Examples of FCI include email communications, proposal responses, Notice of Award documents, contracts, contract performance reports, annual reports, etc.