Safeguarding CUI

The Office of Research Protections (ORP), under Research Compliance and Regulatory Assurances (ORCRA) and the Information Security Office (ISO) collaborate with UT System Facility Security Officer/Security Manager (FSO) to ensure there is a coordinated approach to national security issues common to export controlled and classified programs.  ORP is also responsible for helping UTEP faculty and staff with the security measures necessary to safeguard controlled unclassified information.

The UTEP Information Security Office (ISO) and the UTEP Office of Information Resources (IR) are responsible for administering programs that create a reliable and secure university computing environment. ISO provides assistance with the implementation and administration of information security initiatives and Data Owner’s security needs. Please contact the ISO at (915) 747-6324 or at security@utep.edu for additional information.

UTEP faculty and staff are responsible for:

• Obtaining sponsoring organization’s guidance concerning access to CUI or Classified Information.
• Determining who will have access to CUI.
• Contact ORP, ISO and IR if a protection/security plan (e.g. technology control plan, system security plan, or operations security plan) is required to control access to and safeguard CUI.

The most encountered Federal CUI requirements and guidelines include:

National Institutes of Standards and Technology (NIST) Special Publication (SP)

• NIST SP 800-171r2 - Protecting CUI in Nonfederal Systems and Organizations

Federal Acquisition Regulations (FAR) FAR 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems

Department of Defense

• DoDI 5200.48 – Controlled Unclassified Information

• DFARS 252.204-7000 - Disclosure of Information
• DFARS 252.204-7008 - Compliance with Safeguarding Covered Defense Information Controls
• DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting

• DFARS 252.204-7019 – Notice of NISTSP 800-171 DoD Assessment Requirements

• DFARS 252.204-7020 - NIST SP-171 DoD Assessment Requirements
• DFARS 252.204-7021 - Cybersecurity Maturity Model Certification Requirements

In addition to applicable Federal and State laws, regulations, and policies, UTEP employees who will be interacting with or otherwise handling CUI must comply with UTEP Standard 25 – Controlled Unclassified Information.

How to Comply with Sponsored Project CUI Requirements

All UTEP projects with applicable CUI needs must go through a certification process, wherein all environments involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls).

Additionally, all environments that are involved with CUI must undergo an annual NIST 800-171 compliance assessment by Information Security before continued interaction with CUI. These assessments will result in an attestation report signed by the Chief Information Security Officer (CISO) or designee. All environments that are involved with CUI must also operate in a manner which facilitates “rapidly reporting” cyber incidents involving CUI. “Rapidly Reporting” means reporting a cyber incident to the affected federal agency within 72 hours (see DFARS 252.204-7012).