Controlled Unclassified Information (CUI)

CUI is information created by the Federal government, or possessed by an entity or created by or on behalf of the Federal government, that is controlled by a Federal law, Federal regulation, or Federal policy.  For a more detailed definition, see the CUI Registry.  When the University of Akron accepts a Federal grant, contract, or purchase order, the work carried out under that agreement is done on behalf of the Federal government.  Even though CUI is not classified information, it is still required to be protected, per 32 C.F.R. Part 2002.  Therefore, if you receive CUI or create CUI in the process of conducting the project, you must ensure it is appropriately protected and marked in accordance with applicable law, regulation, or policy.

Examples of CUI

CUI is any information restricted in dissemination by Federal law, regulation, or policy.  Thus, it includes information such as social security numbers, protected health information, export controlled information, personal DNA information, and many other pieces of information.  For a full list, see the CUI Registry Category List.

How to Protect CUI

If you receive, collect, access, or create CUI during the course of a Federal project, you must protect it according to the applicable standards.  The ORA can assist you in identifying the appropriate standard.  The applicable standard is typically in the terms of the grant, contract, or purchase order.  Common security standards or clauses include:

Researcher Responsibilities

When CUI is involved, all researchers are responsible for safeguarding the information.  The PI, Information Technology (IT) and the Research Compliance Officer (RCO) work together to ensure appropriate safeguarding.  Such safeguarding includes:

  • Verifying whether the project will involve CUI.  Some research agreements mention a required security environment but go on to describe the environment as required when applicable; when CUI is not involved, the environment may not be applicable.
  • Working with IT and the RCO to identify the level of controls required.  IT makes the ultimate determination on the level required.
  • Creating a technology control plan (TCP).  IT and the RCO are available for assistance with the plan.
  • Ensuring each individual interacting with CUI is appropriately trained.
  • Promptly reporting any security breaches to IT, the RCO, and/or the sponsor as required.

FAQs

Lots of information is not CUI. CUI does not include information that is:

  • Already fully published;
  • Generated under a Fundamental Research project. Fundamental Research projects are those where there are no restrictions on publication, no restrictions on the involvement of foreign nationals, and/or no other restrictions on broadly disseminating the information**; or
  • Generated under a project that is funded, directly or indirectly, by the Federal government. Note in this case, there may still be information protection requirements.

**Note that technical data controlled by the ITAR regulations may not be considered fundamental research until the data are actually published. Thus, during the course of the research project, the data may not be excluded from export controls.

There are several indicators that you will have access to CUI. However, the best way to find out is to ask your sponsor. They should be able to provide you guidance on whether they expect you to receive or generate CUI. The following are some indicators that you may be receiving or working with CUI:

  • The research application requires a technology control plan or a CUI control plan;
  • The FOA/RFA indicates the research will involve CUI;
  • You receive information that has CUI markings. In that case, contact ORA immediately;
  • There are restrictions in the research agreement, either for foreign national participation or regarding proprietary information (e.g. a requirement to sign an NDA);
  • The research is funded by the DOD, DOE, NASA, or directly through a military agency.

Typically, yes. UA maintains a secure environment for such information, which costs the University funds and personnel time to maintain. Further, each research project that interacts with CUI must have a secure space set up in the larger environment. The cost of that project-by-project space must be paid by the researcher. The costs of the space include:

  • An annual license fee for each user. The license fee includes standard cloud-based storage and use of Microsoft Office products (e.g. Teams, Word, Excel, etc.);
  • Costs for compute resources. If you do not need any special resources, the base cost for this line item is ~$250/month. Costs go up with requests for high RAM compute, GPU compute, or other non-standard needs;
  • Any software licenses (if not already purchased) for deploying the analysis software in the secured environment.

Sponsored Programs, Pre-Award, includes a line item in the budget template to assist in calculating the costs as you apply for grants. IT can assist with a more in-depth discussion of the compute time and power costs.

When research involving CUI is conducted on shared equipment, additional safeguards must be put in place. These safeguards are made on a project-by-project basis. Some safeguards may be:

  • Reserving the shared equipment and working with it when no other personnel are around;
  • Removing the CUI from the shared equipment computer and putting it on an encrypted external drive; and
  • Performing a "secure wipe" of the hard drive sectors where CUI was used or created, for each session and before the researcher leaves the shared equipment, thereby permitting access by other researchers.
