Controlled Unclassified Information
Letter from Deborah L. Crawford, Ph.D., to Mason Researchers
Concerning Federal “Controlled Unclassified Information” Regulations
I want to make you aware of new government regulations around the safeguarding of controlled unclassified information, commonly known as CUI. As a recipient of federal funding Mason is responsible for complying with CUI regulations, which requires close collaboration and coordination among various administrative offices, academic units and faculty. While the Department of Defense is the first and only federal agency to implement a final CUI regulation, effective January 1, 2018, we expect that other federal agencies will follow suit in the coming months. More information is provided below.
Controlled Unclassified Information (CUI) is federal non-classified information the U.S. Government creates or possesses, or that a non-federal entity (such as George Mason University) receives, possesses, or creates for, or on behalf of, the U.S Government, that requires information security controls to safeguard or disseminate. These controls must be compliant with the federal regulations specified in 32 CFR Part 2002 and NIST SP 800-171r1.
“Information” as defined by the federal CUI Program may include research data and other project information that a research team receives, possesses, or creates in the performance of a sponsored project.
For general information on the federal CUI Program, see: https://www.archives.gov/cui/about
The federal government’s CUI registry identifies broad categories of information that are considered to be CUI. In addition to categories such as controlled technical information with military or space applications, information in areas such as statistical information (Census), transportation (railroad safety analysis records), law enforcement information (criminal history records information), and critical infrastructure (water and energy infrastructure and assessments, and other security issues) are all on the CUI registry.
We encourage you to review the CUI registry with your research interests in mind, because the scope of controlled information is wide, see https://www.archives.gov/cui/registry/category-list
A research project conducted by Mason faculty, students and/or their external collaborators requires the implementation of CUI information security and physical security controls when the federal contract, grant and/or information sharing agreement or other vehicle contains provisions requiring those controls. The controls do not depend on the form of the agreement, but follow the data, regardless of the mechanism through which the data is shared. For example, a research project could be affected by CUI regulations if an investigator or project team is using data acquired under a Data Use Agreement and the data are information determined by the government to be CUI.
To determine if such requirements pertain, the Office of Sponsored Programs (OSP) will review RFPs, solicitations and other calls for proposals to flag ahead of time the likelihood that any subsequent awards will contain CUI language/clauses.
OSP will also review grants, contracts and data use agreements to determine the applicability of the clauses in negotiation with the sponsor and/or organization with whom we enter into a data use agreement.
If CUI requirements are identified OSP will inform the PI, the Information Technology Services (ITS) Security Office, and the Office of Research Development, Integrity and Assurance (RDIA).
As a Mason investigator committed to the responsible conduct of research, you must acquaint yourself with CUI regulations and comply with CUI controls in relevant awards and data use agreements. More information is provided below.
To the extent possible, when routing proposals through Mason’s proposal submission process principal investigators are asked to identify proposals likely to be affected by CUI requirements by checking the appropriate box on the proposal submission cover sheet. (OSP will also identify proposals likely to be impacted by CUI requirements and with the ITS Security team, will track relevant pending proposals.)
If CUI compliance is required for a research project, the Principal Investigator and their unit IT contact(s) will work with the ITS Security team to:
- Verify that the research project will receive, possess, and/or create CUI. This step could involve extensive discussions with the sponsor.
- Identify the appropriate information security system/technology solution to use to secure and store the information. Appropriate system solutions may include the use of on-premise or cloud services. Additional information on systems solutions will be posted on the OSP, RDIA and ITS websites as it becomes available.
- Create the required information security plan for the research project. This plan will outline the policies and procedures the research team MUST follow (e.g., information access restrictions, laboratory security, etc.) to comply with CUI requirements. Failure to comply with the information security plan developed may result in adverse administrative action.
The PI and their unit will also work with RDIA to ensure that a control plan is in place to describe and implement other required precautions, such as physical protections and shipping safeguards, are put into place.
For the purposes of CUI compliance in research programs, the information security program will be monitored by RDIA. Monitoring will include the initial certification and periodic re-certification that the appropriate controls are in place for each research project.
Representatives from OSP, RDIA and the ITS Security Team will host information sessions in the coming months to share more information about Mason’s Information Security Program in support of research as well as physical and administrative controls that may be necessary to support CUI projects.
Deborah L Crawford, PhD
Vice President for Research
George Mason University