Controlled Unclassified Information (CUI)
When an NC State project involves CUI, the Export Controls Office (ECO), in consultation with OIT, will work with the Principal Investigator(s) (PI) to ensure that all safeguarding requirements outlined here are addressed in the applicable Technology Control Plan (TCP) before the project funds are released.
What is CUI
Controlled Unclassified Information (CUI): Controlled Unclassified information is defined in the Executive Order 13556 as information held by or generated for the federal government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies that isn’t classified under Executive Order 13526 or the Atomic Energy Act, as amended. Federal CUI is divided into several categories and subcategories and is listed in the CUI registry, managed by National Archives and Records Administration (NARA). CUI, by definition, is federal information.
CUI categories are divided into 2 subsets:
CUI Basic
CUI Specified
What is not CUI
- Proprietary research that the federal government does not fund, even though it is subject to US export control regulations, is not CUI. Projects involving controlled information that is not CUI, may certainly be handled with the same safeguarding standards but should not be marked as CUI.
- Non-contextualized Controlled Research Data – such data generated under a project with CUI safeguarding requirements is still controlled and should be handled in accordance with the relevant TCP, but it is not CUI. PIs and researchers should refer to the relevant TCP for safeguarding requirements.
- Information that is otherwise in the public domain.
Marking of CUI
Documents and electronic files containing CUI must be marked in accordance with CUI Marking Handbook. If CUI Basic, it must include a banner of “CONTROLLED” or “CUI.” If CUI Specified, it must include the specific authority.
Frequently Used CUI Categories
The federal guidelines sort CUI into a long list of categories and subcategories.
CUI Category | CUI Subset (Basic or Specified) | Marking Type | Detailed Information |
---|---|---|---|
Export Controlled | Basic or Specified | CUI//SP-EXPT | CUI Category: Export Controlled (from the United States National Archives) |
Export Controlled Research | Basic | CUI//SP-EXPTR | CUI Category: Export Controlled Research (from the United States National Archives) |
Health Information | Basic or Specified | CUI//SP-HLTH | CUI Category: Health Information (from the United States National Archives) |
Controlled Technical Information | Specified | CUI/SP-CTI | CUI Category: Controlled Technical Information (from the United States National Archives) |
Safeguarding of CUI
The safeguarding standards discussed in this section are the minimum standards established for CUI Basic. These standards include marking, physical safeguarding, and electronic safeguarding. For CUI Specified, institutions must implement the specific requirements from the applicable law, regulation, or government-wide policy.
Physical Safeguarding of CUI
The purpose of physical safeguarding is to prevent unauthorized individuals from accessing, observing, or overhearing discussion of CUI. To meet the minimum standard, there must be at least one physical barrier protecting the CUI. That can be a locked door, drawer, or file cabinet, provided that only those individuals with a lawful government purpose can access the CUI.
Electronic Safeguarding of CUI
The minimum standard for electronic safeguarding of CUI in Non-federal system, which is the designation that NC State computer systems will fall, in most cases, is the NIST Special Publication 800-171, Safeguarding Controlled Unclassified Information is Non-Federal Systems. In most cases, NC State projects involving CUI will involve the use of the Secure University Research Environment (SURE), which addresses the 110 controls outlined in the NIST SP 800-171 in a system security plan overseen by Research Computing.
Note: When a document is encrypted for safeguarding, the title of the document is not encrypted. Therefore, never include information that is CUI in the document title of an electronic document.
Transmission of CUI must be done through a secure method. Each TCP that includes CUI information will include direction related to secure transmission. For more guidance on what transmissions methods, please see the relevant TCP.
What Federal Requirements Apply?
NC State is required to adhere to the following federal requirements when handling CUI/CDI:
- Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information Program
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- DFARS 252.204-7021, Cybersecurity Maturity Model Certification (CMMC) Requirements