Published September 13, 2021
Securing Controlled Unclassified Information (CUI)
The federal government has introduced heightened security standards for university systems which house or transmit sensitive information known as Controlled Unclassified Information (CUI), set forth by the National Institutes of Standards and Technology (NIST).
As cybersecurity threats build in both intensity and impact, the Department of Defense (DoD) and other federal agencies are implementing the security standards identified in NIST SP 800-171 to ensure government contractors are properly safeguarding CUI. These standards are included in contracts awarded by the DoD and may also be incorporated in contracts from other agencies.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information held by or generated for the federal government that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations and government-wide policies.
CUI may include research data and other project information that a research team receives or creates during the performance of a contract funded by the federal government.
CUI includes a plethora of information types. Please visit the National Archives CUI pages for more information.
What do I need to do?
If you plan to respond to a federal government RFP or RFI and anticipate that CUI may be involved, then you must have adequate cybersecurity measures in place to accept the contract. Determine if your sponsor has indicated that your award will include CUI. The cybersecurity requirements may be noted in the RFP or RFI, including the requirement to comply with the NIST SP 800-171 security standards.
The Joint Research Office for Contracts (JROC) can help you determine if your contract may be subject to security requirements and will coordinate an assessment of the information security needs with the WashU CUI project team.
The process for meeting these security requirements includes the following:
- Background checks
- Computing in a secure enclave
- Physical security measures
What is on the horizon?
The DoD has created a certification program to rate contractors’ information systems into differing levels of compliance called the Cybersecurity Maturity Model Certification (CMMC).
CMMC is being phased in over several years and all DoD contract awards will require some level of CMMC certification by October 1, 2025.
Washington University is currently working to meet CMMC level 3 certification requirements through use of a secure data enclave.
Want to learn more?
Visit the WashU Information Security webpages on Controlled Unclassified Information in Sponsored Research.