Skip to main content

Controlled Unclassified Information (CUI)

When an NC State project involves CUI, the Export Controls Office (ECO), in consultation with OIT, will work with the Principal Investigator(s) (PI) to ensure that all safeguarding requirements outlined here are addressed in the applicable Technology Control Plan (TCP) before the project funds are released.

What is CUI

Controlled Unclassified Information (CUI): Controlled Unclassified information is defined in the Executive Order 13556 as information held by or generated for the federal government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies that isn’t classified under Executive Order 13526 or the Atomic Energy Act, as amended. Federal CUI is divided into several categories and subcategories and is listed in the CUI registry, managed by National Archives and Records Administration (NARA). CUI, by definition, is federal information.

Back to Top

What is not CUI

  • Proprietary research that the federal government does not fund, even though it is subject to US export control regulations, is not CUI. Projects involving controlled information that is not CUI, may certainly be handled with the same safeguarding standards but should not be marked as CUI.
  • Non-contextualized Controlled Research Data – such data generated under a project with CUI safeguarding requirements is still controlled and should be handled in accordance with the relevant TCP, but it is not CUI. PIs and researchers should refer to the relevant TCP for safeguarding requirements.
  • Information that is otherwise in the public domain.

Back to Top

Marking of CUI

Documents and electronic files containing CUI must be marked in accordance with CUI Marking Handbook. If CUI Basic, it must include a banner of “CONTROLLED” or “CUI.” If CUI Specified, it must include the specific authority.

Back to Top

Frequently Used CUI Categories

The federal guidelines sort CUI into a long list of categories and subcategories.

CUI CategoryCUI Subset (Basic or Specified)Marking TypeDetailed Information
Export ControlledBasic or SpecifiedCUI//SP-EXPTCUI Category: Export Controlled (from the United States National Archives)
Export Controlled ResearchBasicCUI//SP-EXPTR

CUI Category: Export Controlled Research (from the United States National Archives)
Health InformationBasic or SpecifiedCUI//SP-HLTHCUI Category: Health Information (from the United States National Archives)
Controlled Technical InformationSpecifiedCUI/SP-CTICUI Category: Controlled Technical Information (from the United States National Archives)

Back to Top

Safeguarding of CUI

The safeguarding standards discussed in this section are the minimum standards established for CUI Basic. These standards include marking, physical safeguarding, and electronic safeguarding. For CUI Specified, institutions must implement the specific requirements from the applicable law, regulation, or government-wide policy.

Back to Top

Physical Safeguarding of CUI

The purpose of physical safeguarding is to prevent unauthorized individuals from accessing, observing, or overhearing discussion of CUI. To meet the minimum standard, there must be at least one physical barrier protecting the CUI. That can be a locked door, drawer, or file cabinet, provided that only those individuals with a lawful government purpose can access the CUI.

Back to Top

Electronic Safeguarding of CUI

The minimum standard for electronic safeguarding of CUI in Non-federal system, which is the designation that NC State computer systems will fall, in most cases, is the NIST Special Publication 800-171, Safeguarding Controlled Unclassified Information is Non-Federal Systems. In most cases, NC State projects involving CUI will involve the use of the Secure University Research Environment (SURE), which addresses the 110 controls outlined in the NIST SP 800-171 in a system security plan overseen by Research Computing.

Note: When a document is encrypted for safeguarding, the title of the document is not encrypted. Therefore, never include information that is CUI in the document title of an electronic document.

Transmission of CUI must be done through a secure method. Each TCP that includes CUI information will include direction related to secure transmission. For more guidance on what transmissions methods, please see the relevant TCP.   

What Federal Requirements Apply?

NC State  is required to adhere to the following federal requirements when handling CUI/CDI:

Back to Top