CUI Roles and Responsibilities
How to Comply with Sponsored Project CUI Requirements

All UTEP projects with applicable CUI needs must go through a certification process, wherein all environments involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls).

Additionally, all environments that are involved with CUI must undergo an annual NIST 800-171 compliance assessment by Information Security before continued interaction with CUI. These assessments will result in an attestation report signed by the Chief Information Security Officer (CISO) or designee. All environments that are involved with CUI must also operate in a manner which facilitates “rapidly reporting” cyber incidents involving CUI. “Rapidly Reporting” means reporting a cyber incident to the affected federal agency within 72 hours (see DFARS 252.204-7012).

Protection of Controlled Unclassified Information (CUI) is a shared responsibility between UTEP and the Federal agencies (or flow-down sponsors) that sponsor research. Safeguarding CUI at UTEP is likewise shared among several roles, which include:

  • The University
  • Principal Investigators
  • Research Administrators
  • Research Protections
  • Research Security Officer
  • Information Security Office
  • Information Resources
  • Export Control Office (when the project includes CUI related to Export Control, such as ITAR)

No individual may have access to CUI unless it is determined that he or she has an authorized, lawful government purpose. Anyone with a lawful government purpose to handle CUI

  • Is required to take mandatory training before working with CUI
  • Must ensure CUI is protected while in their possession
  • Can share CUI as long as there is a lawful government purpose and the authorized holder can reasonably be assured that the recipient can safeguard it

Sponsoring Federal Agencies

Federal agencies are responsible for

  1. Clearly identifying and marking any CUI before sharing it with the university or other contractors. This includes providing specific contract clauses that outline the handling and safeguarding requirements for CUI. Examples include:
     • DFARS 252.204-7008
     • DFARS 252.204-7012
     • NIST 800-171
     • CMMC 2.0
  2. Providing secure methods for transmitting CUI to the university, such as encrypted communications or FIPS-compliant, secure file transfer protocols. Methods supported by the University include
     • DoD SAFE
     • Preveil
  3. Outlining specific cybersecurity requirements that the university must follow.
  4. Providing end-of-contract instructions for the secure disposal or return of CUI.
  5. Monitoring the University's compliance with these standards throughout the contract's duration.

The University

There are risks to the University when it comes to working with CUI in contracts, including the possibility of information security gaps or breaches in campus computer systems and networks that could allow protected information to fall into the hands of adversaries. To counter that possibility, the University needs to:

  1. Create and enforce policies and procedures for handling CUI.
     • Research Protections and the Information Security Office are responsible for developing and implementing these.
  2. Be able to identify all CUI that has entered University systems and networks, whether or not it was marked as such when received.
     • Research Protections and CUI handlers are responsible for tracking.
  3. Ensure that all CUI received from a federal agency is properly safeguarded in accordance with federal regulations and the terms of the contract. This includes
     • Implementing the necessary NIST 800-171 security controls
     • Controlling dissemination based on agency guidelines
     • Rendering any CUI received in a non-compliant system unreadable, indecipherable, and irrecoverable
     • The PI and ISO have the primary responsibility for safeguarding CUI at the University
  4. Maintain compliance throughout the lifecycle of the contract.
     • The primary responsibility falls on the PI and the Information Security Office.
  5. Ensure that all systems used to store, process, or transmit CUI are regularly assessed and monitored for compliance.
     • The primary responsibility falls on the PI and the Information Security Office.

Researcher/Principal Investigator (PI)

The principal investigator and the research team have a critical, if not the most important, role in protecting CUI. In order to mitigate risk, the PI must consider the following when the sponsor is a federal agency or flow down:

  1. Verify with the sponsor that the research project (either at proposal submission or at the time of award) will receive, possess, and/or create CUI or is otherwise required to implement security controls based on CUI regulations.
  2. Rapidly report potential or actual CUI requirements. Requirements can be identified through review of solicitation guidelines, communications with agency contacts, contract review, etc.
  3. During submission of a Notice of Intent (NOI) to submit a proposal, the PI should ensure appropriate flags for CUI, Classified Research, or Export control restrictions are selected.
  4. During the award phase, the PI should ensure appropriate flags for CUI, Classified Research, or Export control restrictions are selected in the Notice of Award.
  5. Review contracts during negotiations with the contract sponsor to determine which clauses may apply to a given contract. Ask the sponsor
     • Can the CUI requirements be negotiated?
     • Do fundamental research exclusions exist?
  6. When it is determined that CUI will be received, and before receiving or working with CUI,
     • Certify that all individuals handling CUI have undergone appropriate training, including the PI, to ensure they understand their responsibilities and the security protocols.
     • Identify and document the CUI environment for the project. This includes identifying and documenting all systems, software, networks, and project personnel that will store, process, or transmit CUI, as well as the facilities that house sensitive equipment or computers. *
     • Work with the Information Security Office (ISO) in establishing the necessary controls to protect the CUI environment. This includes defining and communicating the policies and procedures the research team will follow (e.g., information access restrictions, laboratory security, etc.) to comply with the CUI requirements. *
  7. Ensure that only authorized personnel, those who have a lawful government purpose to access the data, have access to CUI.
  8. Manage proper use and dissemination of CUI within the scope of the research or contract.
  9. Promptly report any security incidents involving CUI to the RSO and the federal agency as specified in the contract.
* Refer to the PI Process for a Sponsored Project with CUI Requirements (Process Flow) procedure for specific instructions on getting started on a CUI project.

Research Administrator (RA)

RAs play an important role in safeguarding CUI. Many RA activities throughout the grant life cycle provide opportunities to identify CUI requirements. These activities include interaction with PIs, potential interaction with a federal agency or flow down contacts, reviewing solicitation guidelines, contract review for notices of award, review of addendums to contracts, etc.

When a proposal or award originates from a Federal Agency or flow down, RAs should

  1. Keep an eye out for any indication that CUI is involved in a proposal or award, and report any actual or potential CUI concern to the RSO.
  2. If working on a project from a federal agency or federal flow down, look out for any indication that you may have received unsolicited CUI, whether through email, fax, or mail.
     • Refer to the processes and procedures web page for guidance on handling unsolicited CUI.
  3. Review contracts during negotiations with the contract sponsor to determine which clauses may apply. Ask the sponsor
     • Can the CUI requirements be negotiated?
     • Do fundamental research exclusions exist?
  4. If working on a proposal that is itself CUI (for example, the proposal document or other documentation), the RA will be working with CUI directly. In these cases, all CUI safeguarding and compliance requirements apply to the RA, including the requirement for training. *

* CUI proposals (proposals that themselves are CUI) will additionally require that the RA work with the agency to determine how to submit the proposal to the agency.

Research Protections (RP) / Research Security Officer (RSO)

  1. Ensure members of the research community (including PIs, team members, RAs, etc.) are made aware of CUI policy and requirements and know where to find training materials and other guidance on CUI processes and procedures.
  2. Work with PIs in confirming CUI requirements prior to proposal submission, and trigger an ISO CUI review for cases where the proposed project is confirmed to involve CUI. This includes
     • Tracking NOI notices that have the CUI flag set
     • Reaching out to the PI to confirm CUI is anticipated as part of the project. Upon certification that CUI will be involved, the RSO then triggers an ISO CUI review if the PI needs guidance in addressing a CUI environment within the proposal. *
     • Providing the researcher with best practices on developing proposals with CUI requirements, including making a case for Fundamental Research.
  3. Conduct contract and document reviews for CUI at notice of award, and trigger an ISO CUI review upon confirmation that CUI will be involved. *
  4. Upon confirmation of the receipt of CUI, either known or unsolicited, work with the CUI owner (RA, PI, or other research-related personnel) in determining whether there is a lawful government purpose to receive, store, or process the CUI.
  5. For cases where there is no lawful government purpose, trigger an ISO Secure Delete of the affected systems. This includes ensuring the receiver identifies all personnel and systems that may have received the CUI.
  6. For cases where there is a lawful government purpose, ensure a cohesive process is in place to receive, store, and process any information received from the originator. This includes ensuring that CUI handlers are aware of the requirements, that the CUI environment is fully specified, and that the CUI environment is fully compliant with NIST standards. **

* This involves having the PI submit a CUI Checklist for review and approval by the RSO. Upon approval, the RSO triggers a CUI Review by submitting the form to ISO.

** This involves having the PI submit a CUI Scope Form for review and approval by the RSO. Upon approval, the RSO triggers a CUI Review by submitting the form to ISO.

Information Security Office

  1. Upon approval from the RSO/R&I, work with the affected individual to conduct a CUI review and set up CUI protections.
  2. Distribute the Mandatory CUI Training Packages based on the list of affected project team members provided by the PI/CUI owner.
  3. Track compliance with CUI policy and report non-compliance to XXX.