UTEP

CUI Processes and Procedures


  • Sponsored Projects with CUI Requirements
  • Determining CUI Requirements at Proposal Development
  • Determining if an Award will Involve Access to CUI

Sponsored Projects with CUI Requirements

A federally funded sponsored project (or flow down) with CUI requirements should generally follow this process:

  1. A solicitation or contract review identifies clauses and/or the federal sponsor indicates a proposal or project has CUI restrictions. These reviews are conducted by the PI, RA, and/or Research Protections (RP).
  2. The PI identifies or is notified of such restrictions by the RA/RP.
  3. The PI completes the CUI Scope Form (this form specifies the intended controlled environment for safeguarding CUI) and submits the form to RP for review and approval. For assistance completing the form, contact RP (rso@utep.edu).
  4. Upon certification of the CUI Scope Form by RP, an Information Security Office review of the proposed controlled environment is initiated.
    A. An email is sent to the PI and Information Security Office which triggers the review and/or set up of protections for the project. These protections will be documented in an ISO managed System Security Plan.
    B. PI certifies the ISO review and protections and provides a signed copy to RP.

Note: All personnel identified in the CUI Scope Form who will be working on the project are required to take CUI training and each individual must be certified by the Information Security Office (ISO) before beginning any work that involves CUI.

  5. Upon completion of the steps above:
    A. For a proposal that includes CUI, RP releases the proposal for submission to the agency upon certification by ISO that the PI (and anyone else working on the proposal) has completed CUI training. Work with your RA on specific submission requirements for CUI Proposals.
    B. For an award from an agency that involves CUI, all personnel identified in the CUI Scope Form who will be working on the project are required to take CUI training and must be certified by ISO before beginning any work that involves CUI.
    C. RP releases the award for account setup via a Grant Action Request Tracking (GART) update when all requirements have been met.
    D. A UTEP account is then established for the project.
  6. Auditing and monitoring occur to ensure compliance with the ISO approved protection plan.

Determining CUI Requirements at Proposal Development

When developing a proposal for submission to a federal agency or flow down, researchers are advised to:

  1. Conduct a thorough review of the CUI implications before proposal submission. Things to do include:
    A. Review the funding announcement or agency guidelines.
    B. Contact the agency sponsor.
    C. Indicate CUI is part of the proposal in the Notice of Intent.

  2. If CUI protections are outlined by the agency:
    A. Clearly define the CUI Scope, including all systems, networks, storage, facilities, and personnel that will store, process, or transmit CUI.
    B. Identify any CUI data that will be used or generated and ensure that the proposal includes appropriate security measures.
    C. Consult with the RSO for guidance on addressing CUI requirements to ensure all appropriate safeguards are addressed. If applicable, the RSO will initiate a request for ISO guidance on identifying CUI safeguards during the proposal phase.
    D. When applicable, include a CUI compliance statement within the proposal. This statement should outline the steps the research team will take to safeguard CUI in accordance with federal regulations.

Research Protections advises that any project involving CUI must have a designated CUI coordinator who is responsible for overseeing compliance throughout the research lifecycle. In the absence of a CUI coordinator, the PI is responsible for overseeing compliance.

Determining if an Award will Involve Access to CUI

Follow this process to determine if an award requires access to CUI. It may be necessary to search various documents (contracts, questionnaires, exhibits, addendums, etc.) for keywords that may indicate access to CUI is required. Refer to the Quick Reference Guide for Identifying FCI and CUI for guidance on what to look for.

  1. Does the award originate from a Federal Agency (or flow down)?
    • Yes: proceed to step 2.
    • No: Stop. If the sponsor is not a Federal agency or federal flow down, it cannot be CUI.
  2. Does the information meet the standards for classification according to instruction DoDM 5200.01, Volume 1?
    • Yes:
      a. Stop and refer to DoDM 5200.01, Volume 1, for guidelines on processing classified
      b. Report immediately to the campus FSO.
    • No: proceed to step 3.
  3. Does the information fall within a current Federal law, regulation, or government policy or do any of the contract documents contain CUI Clauses? Refer to the CUI Quick Reference Document for examples of clauses.
    • No: the information cannot be designated CUI and is therefore not subject to NIST 800-171.
    • Yes: proceed to step 4.
  4. Can the CUI requirements be negotiated or do fundamental research exclusions exist? Work with your RA, RSO, and/or the sponsor to make this determination.
    • Yes: Clarify in the contract documents that the CUI requirements have been negotiated out and/or that fundamental research exclusions apply.
    • No: proceed to step 5.
  5. Fill out the following document and submit to the RSO, rso@utep.edu. Upon approval the RSO will trigger an ISO CUI review.
    • CUI Scope Form

Tips:

  • The DoD offers access to its online CUI Registry, which lists specific categories of information that the government requires to be protected. The list includes critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements and law enforcement.
  • The DoD CUI Registry goes on to specify additional categories of information, including legal, natural and cultural resources, NATO, nuclear, privacy, procurement and acquisition, proprietary business information, provisional, statistical and tax information.
