CUI was defined in Executive Order 13556 as information held by or generated for the Federal Government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies that isn’t classified under Executive Order 13526 or the Atomic Energy Act, as amended.
A few important points about CUI:
- Research data and other project information that a research team receives, possesses, or creates during the performance of federally funded research may be CUI.
- The obligation to determine whether or not an award will involve CUI belongs to the federal sponsor; award documents should specifically identify CUI and applicable security requirements.
- CUI safeguarding requirements are only applicable to UVA and UVA information systems when mandated by a federal agency in a contract, grant, or other agreement.
- The security requirements apply to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.
The CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than 32 CFR Part 2002. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
The subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI.
The subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.
What is NOT controlled unclassified information?
When reviewing the CUI Registry it's easy to start thinking that everything is CUI but that's not true. It's important to remember that the definition of CUI limits the scope to certain categories of federal information, essentially government information requiring safeguarding pursuant to government requirements.
Research data is only likely to be CUI if 1) it is provided to you by the U.S. government (or another party on their behalf); or 2) it is developed by you during the performance of U.S. government sponsored research; and the contract or agreement specifies that the information is CUI. The following are illustrative examples of information that is not CUI:
- Proprietary research that is not funded by the federal government is not CUI. This is true even when the background information provided by the sponsor and/or your research results are proprietary technical information subject to the US export control regulations.
- Medical information and/or human subjects data subject to privacy protections (e.g., HIPAA or as part of informed consent representations) are not CUI.
- Exception: Such data may be CUI when provided by the U.S. government, e.g., medical information about federal employees, to the University for use in research.
- Student information subject to privacy protections (e.g., FERPA) is not CUI.
- Exception: Such data may be CUI when collected by the U.S. government, e.g., certain financial information provided by students and/or parents in federal financial aid applications, which is then passed to the University for use in financial aid administration.
- Information that is already in the public domain (e.g., published), including publicly available U.S. government data sets.
- Non-contextualized research data (e.g., raw output collected for a CUI project that must be correlated with additional input from a person, application or second data source in scope of the CUI research project to have meaning or context) will generally not be considered CUI unless it bears identifying marks linking it to specific CUI project.
- Note: Researchers are advised to discuss the possibility for designating certain output as "non-contextualized research data" with UVA administrators when developing the technology control plan for the CUI project for which it will be collected.
It may be prudent to handle controlled information (e.g., export controlled, HIPAA, or FERPA data) that is not CUI with the same safeguarding standards but this information should not be marked as CUI.
32 CFR 2002.14 details the safeguarding requirements for CUI. In general, authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI which must include the following measures:
- Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments;
- Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI;
- Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and
- Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on in accordance with the applicable security requirements and controls.
The regulations identify two types of information systems that process, store, or transmit CUI and specifies different safeguarding standards for each.
- Federal information Systems are information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. An information system operated on behalf of an agency provides information processing services to the agency that the Government might otherwise perform itself but has decided to outsource.
- Safeguarding: In accordance with the applicable security requirements and controls established in FIPS PUB 199, FIPS PUB 200, and NIST SP 800-53, and paragraph (g) of 32 CFR 2002.14.
- Non-Federal Information Systems are information systems that do not meet the criteria for a Federal information system. Agencies may not treat non-Federal information systems as though they are agency systems, so agencies cannot require that non-executive branch entities protect these systems in the same manner that the agencies might protect their own information systems.
- Safeguarding: NIST SP 800-171. Note: 32 CFR 2002.14(h)(2) requires that agencies must use NIST SP 800-171 unless CUI Specified or an agreement establishes requirements to protect CUI Basic at higher than moderate confidentiality.
UVA information systems are not Federal Information Systems and do not meet the referenced requirements.
The IvyCUI environment operated by Research Computing under the direction of the Vice Provost for Academic Technology is the only UVA system currently approved for CUI.
The CUI Program is implemented through 32 CFR 2002 Controlled Unclassified Information which specifies National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171) for safeguarding requirements applicable to non-federal information systems that store, process, or transmit CUI.
NIST SP 800-171 identifies 110 unique requirements that apply to University information systems that process, store, or transmit CUI. The requirements are organized into the following 14 families: access control (22 controls); awareness and training (3 controls); audit and accountability (9 controls); configuration management (9 controls); identification and authentication (11 controls); incident response (3 controls); maintenance (6 controls); media protection (9 controls); personnel security (2 controls); physical security (6 controls); risk assessment (3 controls); security assessment (4 controls); system and communications protection (16 controls); and system and information integrity (7 controls).
The IvyCUI environment operated by Research Computing under the direction of the Vice Provost for Academic Technology is the only UVA system currently approved for CUI.
Due to the nature of the controls, it is unlikely that locally managed (i.e., lab, department or school) systems will be able to fully comply, at least not without significant cost, effort and time for implementation. Before considering developing a one-off solution, researchers should carefully consider NIST SP 800-171 and NIST SP 800-171A Assessing Security Requirements for CUI. Additional considerations are necessary for DoD funded programs (see the Are covered defense information (CDI) and controlled technical information (CTI) the same as CUI? and Cybersecurity Maturity Model Certification (CMMC) Program topics on this webpage).
The Department of Defense (DoD) is the only agency that uses the terms covered defense information (CDI) and controlled technical information (CTI) which it defines in Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012. However, in order to understand scope of control, you also need to understand how DoD uses the term covered contractor information system, also defined in DFARS 252.204-7012.
- Controlled Technical Information (CTI) means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
- Covered Contractor Information System means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits CDI.
- Covered Defense Information (CDI) means unclassified CTI or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Essentially, CTI is a specific category of CUI (listed on the CUI Registry as part of the Defense organizational index grouping) while CDI is a DoD term that encompasses all categories of CUI plus any other information DoD has not approved for public release. DFARS 252.204-7012 is the DoD contract clause that requires covered contractor information systems be subject to the security requirements in NIST SP 800-171, the same standards that apply to CUI Basic; however, it also includes DoD-specific cyber incident reporting requirements.
On 9/29/20, DoD released an interim rule in the Federal Register to amend the DFARS, in part, to add 252.204-7019 (notice) and 252.204-7020 (contracts) which specify NIST SP 800-171 assessment requirements for DoD contracts involving CDI; these clauses became effective 11/30/20. Specifically, a recent assessment (< 3 years old) at the level required by the contract must be on file in the Supplier Performance Risk System (SPRS) for the covered contractor information system before the contracting officer can issue the award the contract. Contracts will be assigned one of three levels of assessment are identified: Basic (self-assessment), Medium (DoD review) and High (DoD review and inspection). The requirement applies to the prime and all subcontractors who's work will involve CDI.
- Note 1: These new clauses do not apply to previously issued contracts unless added through a contract modification.
- Note 2: In the same Federal Register Notice adding DFARS 252.204-7019 and 252.204-7020, DoD released DFARS 252.204-7021 which implements the requirements of the new safeguarding program DoD will rolli out in phases through 10/1/2025. This new program is the Cybersecurity Maturity Model Certification (CMMC) program, which is discussed as a separate topic on this page.
UVA's basic (self) assessment for the IvyCUI environment was completed on 12/1/2020 and filed in SPRS on 12/11/2020.
What is the CMMC Program?
The Department of Defense (DoD) developed the CMMC Model as a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive and scalable third-party certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the DoD that a DIB company or institution can adequately protect sensitive unclassified information, accounting for information flow down to subcontractors in a multi-tier supply chain.
The CMMC model has five levels (1-5) with Level 1 being the minimum safeguarding required for DoD contracts, including those for fundamental research. The model is cumulative whereby each level builds on the practices and processes of the lower levels. Having five levels in the model provides the opportunity for more consistency (within a level) and flexibility (across the levels) than the current structure.
The CMMC Model is being rolled out in phases with full implementation expected in 2025.
What CMMC Level is required for CDI?
CMMC Level 3 will be the base requirement for contracts involving CDI but higher levels may be required, i.e. to address advanced persistent threats. CMMC Level 3 consists of the 110 requirements specified in NIST SP 800-171 plus 20 additional controls.
How will I know what CMMC Level is required?
In November 2020, DoD issued a new DFARS clause implementing CMMC requirements to support the issuance of the acquisition activities piloting the CMMC Model. As part of the same Federal Register Notice, DoD issued new DFARS clauses to support an interim cybersecurity program that will remain in place until the CMMC Model is fully implemented. The new DFARS clauses and brief descriptions are provided below:
- DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements. This is a notice clause for use in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.
- It states that in order to be considered for an award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order. The Basic, Medium, and High NIST SP 800-171 DoD Assessments are described in the NIST SP 800-171 DoD Assessment Methodology.
- DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements. This is the clause that will be used in contracts involving CDI to implement the Basic, Medium, and High assessment requirements.
- These are the same requirements listed in DFARS 252.204-7019 but expanded descriptions are provided for the processes around the conduct and reporting of Medium and High assessments by DoD.
- DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirements. This is the clause that will be used in the phased rollout of the CMMC Model requirements.
- This requires that the Contractor have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.
Given the CMMC Level descriptions, we expect Level 1-3 requirements to be applied to research contracts issued to UVA. However, based on the risk-based phased rollout approach being taken by DoD we do not anticipate receiving contracts containing DFARS 252.204-7021 routinely for the next few years although.
Will UVA information systems meet CMMC requirements?
UVA information systems were not designed for CMMC Model requirements. At this time, we do not anticipate that the information systems operated by ITS will meet CMMC requirements. Similarly, locally managed systems (school, department or lab) are unlikely to meet CMMC requirements; further, the costs of achieving and maintaining CMMC certifications for locally managed systems are likely to be prohibitive but may be possible in limited circumstances.
The Research Data Security Governance Group will pursue CMMC Level 1 certification for the Ivy Secure Environment and CMMC Level 3 certification for the IvyCUI environment. However, third-party assessors have not yet been fully accredited to perform CMMC certifications. Once approved, the third-party assessors will prioritize contractors selected for awards under a program requiring CMMC (currently limited to a small group of pilot programs). Rollout of the CMMC program will be done in phases through 2025; for that reason, until 10/1/25 DFARS 252.204-7021 may only be included in contracts when specifically authorized by the OUSD(A&S).
At this time, UVA does not anticipate pursuing CMMC Level 4 or 5 certification. Researchers wishing to participate in programs requiring these higher levels of certification are advised to seek out government, industry or university partners who have attained or plan to attain appropriate certifications. While vendor-provided or project-specific solutions may be an option, significant lead time and resources will be required to develop those options.
More information about the Cybersecurity Maturity Model Certification (CMMC) program and implementation is available on the CMMC Accreditation Board (training and accreditation of assessors; and marketplace for CMMC service providers) and the OUSD(A&S) CMMC (CMMC model, assessment guides and FAQs) websites. The assessment guides on the OUSD(A&S) website are what will ultimately be used by the accredited third-party assessors to perform the certification assessments; CMMC Levels 1 and 3 assessment guides are currently available.
|Kelly Hochstetler||Director, Research Regulatory Affairsfirstname.lastname@example.org||982-5725||Regulatory landscape, contract clauses, UVA resources and processes|
|Andrew Bedotto||Senior Compliance Analystemail@example.com||924-3852||Administrative processes, technology control plans, and applicability of export controls|
|Margaret Gokturk||Director, Information Security Compliancefirstname.lastname@example.org||243-3389||Compliance consultations and validation reviews|
|Wade Komisar||Computer Systems Engineer (SEAS)||email@example.com||924-7828||SEAS Only: Technical consultations: pre-proposal (planning) and post-award (implementation)|
|Rick Downs||Director of Advanced Research Computing Servicesfirstname.lastname@example.org||924-0653||IvyCUI capabilities, services and onboarding|
|Clayton Lockhart||Assistant VP for Enterprise Infrastructureemail@example.com||924-0631||AWS-GovCloud (US) and AWS-CUI Services and Onboarding (under development)|
|Philip Napier||Information Security Officer, Health Systemfirstname.lastname@example.org||924-5922||HS Only: Technical and compliance consultations|
Is a Technology Control Plan required for CUI?
Yes. Regardless of form (e.g., hard copy or electronic), all CUI that will used, stored or transmitted using UVA resources, whether for research or other contractual purposes, must be covered by a CUI Technology Control Plan (TCP; Word and PDF versions are available). The CUI-TCP details how and where CUI will be secured and who will have access to it and for projects involving electronic CUI, identifies the Data Manager responsible for managing/approving requests for import/export of data from the secure environment (e.g., IvyCUI). The completed CUI-TCP form must be submitted to email@example.com for review and approval.
Note: You must have an approved CUI-TCP in order to request an account in the Ivy Secure Environment for CUI (Ivy-CUI).
How do I Request an IvyCUI Instance (Account)?
Background: A designated region of the Ivy Secure Environment (IvyCUI) has been designated as the on Grounds solution available to researchers requiring a NIST SP 800-171 compliant information system. Ivy-CUI consists of virtual machines (VM), a computer instance, that can be used to process and store CUI/CDI data. CentOS7 Linux and Windows Server 2012R2 platforms are available in Ivy-CUI. Each VM in Ivy-CUI has a unique IP address that can support multiple users. A separate CUI instances should be used for each CUI project; this assures appropriate access controls are applied and supports direct allocation of sponsored program funds.
The Ivy Secure Environment's Data Transfer Node (DTN) is the only approved method to move data into and out of Ivy-CUI. This server has 100TB of storage and can be configured for NIST SP 800-171 compliant data transfer.
Account Request Process: Use the "Request an Ivy Account" button on the Ivy Secure Environment website to initiate a request. Authentication through NetBadge is required to access the Ivy Account Request web form. As part of the account request you will be asked to provide
- specify the applicable regulatory controls (e.g., CUI or CUI and HIPPA; note that all CUI/CDI is "highly sensitive data" as defined in the policy IRM-003 Data Protection of University Information);
- complete the Research Use Data Agreement (RUDA);
- the number for your approved CUI Technology Control Plan (CUI-TCP);
- the UVA computing ID(s) for any individual(s) who will need access to the requested environment (this personnel list must be the same as that provided as part of your approved TCP);
- provide the PTAO to be used for billing; and
- specify the features of the requested environment
- platform (choose VM for CUI/CDI data storage and processing);
- VM configuration (small, medium, or large);
- VM operating system (Windows or Linux); and
- select software options (these are in addition to the pre-installed software list, link provided in the form)
Process: Once your request is submitted, it will kick off a review process to ensure that all project personnel have
- been approved to work on the Technology Control Plan (this includes a restricted party screening and, for foreign national personnel, availability of appropriate export authorizations);
- undergone a background check (see policy HRM-034 Background Checks & Ongoing Responsibility for Employees to Disclose Criminal Convictions) with no unresolved red-flags; and
- completed the Safeguarding Controlled Unclassified Information course in Workday Learning.
The same review process will be used to process requests to add users after initial account set-up, i.e., they must be added to the Technology Control Plan, have undergone a background check, complete training, and complete a RUDA before Ivy-CUI access will be approved.
The following documents have been developed to provide specific suggestions for steps individuals can take to characterize research, assess CUI/CDI involvement, identify and manage CUI/CDI safeguarding requirements. Note: These documents are working drafts, so please send your suggestions for improving their clarity and usefulness to Kelly Hochstetler or Andrew Bedotto.
- Faculty Members
- Department/School Research Administrators
- OSP Contract Negotiators and Pre-Award Administrators
Insider Threat Awareness Information
A brief overview of insider threat concepts and reporting is available HERE. Note: Reading this document does not fulfill the training requirement for access to CUI. See the CUI Training topic on this webpage for information about required training.
UVA Information Security Resources
- Policy Library: recent changes; access to policies and associated standards, procedures, and guidance; exception process; and definitions
- University Data Protection Standards: covers roles and responsibilities for protecting the four categories of University data (highly sensitive, sensitive, internal use and public)
- Security Guidance: best practices, compliance, IT abuse, role-based guidance, and security tools
- Securing Electronic Devices: why and how
- Encryption Methods: hard drive/file encryption and virtual private network (VPN) software
- Traveling Securely Abroad: best practices for before you go, during international travel, and upon your return.
Cybersecurity & Infrastructure Security Agency (CISA)
UVA's Safeguarding Controlled Unclassified Information Course
NIST SP 800-171 requires that individuals who are developing or have access to CUI receive training on insider threats. Completion of UVA's Safeguarding Controlled Unclassified Information course fulfills this requirement. In addition, the course provides a general introduction to CUI/CDI and discusses how CUI controls may impact the conduct of research. All individuals who need access to CUI/CDI must complete this course before access will be approved.
The course is only delivered through the Workday Learning application so that training completion is tracked for audit purposes.
Required Training: Project personnel on a Technology Control Plan (TCP) including CUI will be enrolled in the course as part of the onboarding process. Each individual will receive an automated notification email from Workday. Access the course by following the steps below:
- Login to Workday.
- Select the Learning application.
- Look for the Safeguarding Controlled Unclassified Information course in "Your Assigned Learning" section or by clicking on "Not Started" in the Progress menu.
- Note: If you've started but not completed the course, you will need to click on "In Progress" rather than "Not Started" in the Progress menu.
- Lesson 2, Course Completion Attestation, is required for the course to be considered successfully completed.
Voluntary Enrollment: Anyone with access to Workday Learning can self-enroll in the Safeguarding Controlled Unclassified Information course.
- Login to Workday.
- Select the Learning application.
- Under the "Learn" menu select either "Search Digital Courses" or "Search All Learning" for all or part of the the course name.
- Click on the "Safeguarding Controlled Unclassified Information" course entry
- Click the "Enroll" button at the bottom of the screen.
If you do not have access to Workday Learning, please email Andrew Bedotto for assistance.
U.S. Government CUI Training Materials
DoD Mandatory Controlled Unclassified Information (CUI) Training. Note: At this time, completion of this course by University researchers is not required by DoD. Other DoD-specific CUI training materials may be accessed HERE.
NARA CUI Training Modules. Developed by the CUI Executive Agent these training modules for the CUI Program are designed for a widespread audience at multiple levels within the government and beyond. They are intended to supplement any training or awareness efforts by Executive branch entities or other stakeholders (i.e., Nonfederal organizations).