Controlled Unclassified Information
Wright State University, as a participant in federally-funded research programs, receives data from government agencies, corporate entities, and other institutions of higher education. Many of these awards and contracts require compliance with specific federal regulations enacted to protect categories of sensitive information, now commonly called “controlled unclassified information” or “CUI.”
Controlled Unclassified Information (CUI) and the associated security requirements stem from Executive Order 13526 that tasked the National Archives and Records Administration with reviewing and categorizing all of the types of unclassified, but sensitive, information used within the executive branch agencies of the US government. Common examples of CUI that exist are identified by the following markings: Proprietary, Confidential, FOUO, and all Defense Department Distribution Statements B-F.
The National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” sets forth the types and levels of controls that must be in place to protect CUI. NIST SP800-171 contains over 100 different controls that Wright State must meet.
Wright State has developed a Plan of Action and Milestones (POAM) that identifies the requirements, resources needed to meet the requirements, and an associated timeline.
Currently, executive branch agencies are defining their respective processes for meeting CUI standards and their expectations for contractors on funded projects. We expect more clarity in the coming months.
Requirements
Under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which invokes NIST 800-171, Wright State University is required to:
- Provide adequate security to safeguard covered defense information (a category of CUI) that resides on or is transiting through our internal IT systems or networks;
- Report cyber incidents that affect our covered IT systems or the covered defense information therein;
- Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center;
- If requested, submit media and additional information to support damage assessment;
- Flow down the clause in subcontracts for operationally critical support or for which subcontract performance will involve covered defense information.
Types of CUI
Some common types of information that meet the definition of CUI:
- Proprietary Business Information
- Export Controlled Information
- Controlled Technical Information
- Nuclear
- Agriculture
- Critical Infrastructure
Available Solutions to Meet Compliance Requirements
- Virtual Desktop Infrastructure (VDI) – This type of system runs on a secure server in WSU’s data center and can be connected to from nearly any computer. Two Factor Authentication is required. The VDI system is behind a firewall that separates the system from the general campus network.
- Secure Network Environment – This solution places a computer system on secure network behind a firewall that separates the computer system from the general campus network. Note: Physical security measures that meet NIST 800-171 standards must be in place.
- AWS GovCloud – A secure cloud computing environment meeting the NIST 800-171 security standards when properly configured.
Please contact CaTS, (937) 775-4827, for information on these solutions.
Additional Information
- Wright State CaTS Information Security website
- National Archives and Records Administration website on CUI