
Protecting Controlled Unclassified Information (CUI) is both a federal requirement and a strategic advantage for CU Boulder. By meeting CUI standards, the university safeguards sensitive research data, protects students and faculty, and upholds the integrity of federally funded projects.

Strong CUI compliance demonstrates CU Boulder's commitment to research excellence and trustworthiness, positioning the university to compete for complex, high-value federal awards and partnerships. In short, protecting CUI protects our people, our research, and our reputation. Our proactive approach to CUI compliance strengthens CU Boulder's leadership in national research partnerships and prepares the campus for related Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements.

What Is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is federally defined information that requires protection from unauthorized access or release, even though it is not classified. It includes data created by, for, or on behalf of the U.S. government that must be safeguarded under laws, regulations, or federal policies.

CUI can appear in sponsored research or contracts that reference CUI or the Cybersecurity Maturity Model Certification (CMMC). When these requirements apply, researchers at CU Boulder must use approved secure environments and follow CU Boulder's CUI Policy and CUI Data Use Standard.

Understanding whether your project involves CUI is the first step in protecting sensitive information and maintaining CU Boulder's strong research partnerships.

CMMC is a unified assessment model created by the Department of Defense (DOD) in response to the growing threat of cyberattacks and data theft from defense contractors. CMMC is designed to ensure that DOD contractors and subcontractors adequately safeguard two categories of sensitive government information: CUI and Federal Contract Information (FCI).

While DOD contractors have already been subject to information security requirements in DFARS and FAR clauses, CMMC builds on existing requirements by requiring all DOD contractors and subcontractors who handle CUI and FCI during contract performance to certify compliance with security controls via mandatory self-assessments, third-party assessment, and affirmations of compliance.

The type of data (CUI or FCI) and the sensitivity of the contract being performed dictate which type of assessment and which security controls apply.

The CMMC framework is broken out into three levels:

  • CMMC Level 1 applies to contractors and subcontractors that store, process, or transmit FCI. CMMC Level 1 consists of the 15 basic safeguarding requirements listed in FAR 52.204-21, sections (b)(1)(i) through (b)(1)(xv), each of which maps to a NIST SP 800-171 security requirement. Level 1 requires an annual contractor self-assessment.
  • CMMC Level 2 applies to contractors and subcontractors that store, process, or transmit CUI. CMMC Level 2 consists of the 110 security requirements in NIST SP 800-171, assessed using the procedures in NIST SP 800-171A. Depending on the contract, Level 2 requires either an annual self-assessment or an external assessment by a certified third-party assessor, conducted every three years.
  • CMMC Level 3 applies to a select group of contractors that store, process, or transmit high-value CUI, as determined by DOD. CMMC Level 3 includes all Level 2 requirements plus 24 selected requirements from NIST SP 800-172. All Level 3 certifications require a DOD-conducted assessment every three years. Level 3 requirements will be phased in beginning November 2027.

For more information about the Cybersecurity Maturity Model Certification (CMMC) and how it applies to research at CU Boulder, visit the Research Security: Cybersecurity and CUI page.

Key Takeaways

  • CUI requires safeguarding. CUI is federal information that must be protected from unauthorized access or release under law and policy.
  • Compliance supports excellence. CU Boulder's Research Cybersecurity Program, the Office of Contracts and Grants (OCG), and the Office of Compliance, Ethics and Policy (OCEP) partner with researchers to ensure projects meet federal and university standards.
  • Action is required. Before handling CUI, complete the updated CUI training (u00189) in Percipio, review the CUI Policy and CUI Data Use Standard, and coordinate with OCG and OIT Security for a compliance review.
  • Compliance builds trust and opportunity. Adhering to CUI requirements protects sensitive information, advances research excellence, reinforces sponsor confidence, and sustains CU Boulder's competitiveness for future funding.

Am I Working with CUI?

A guided self-check to help researchers determine whether their project involves CUI.


This simplified decision guide helps researchers quickly determine whether their project involves Controlled Unclassified Information (CUI). Start by confirming whether your work is funded by or conducted with a U.S. federal agency or defense contractor; most CUI originates from these sources. Next, check whether your award or contract includes references to NIST SP 800-171r2, DFARS clauses, or other data protection requirements. If so, determine whether you will receive, create, or store information the sponsor identifies as CUI. Finally, assess whether you or your team will handle that information directly. If any step leads to a "yes," your project involves CUI and must use a secure environment such as the Preserve, with support from the Office of Contracts and Grants, OIT Security, and Compliance as needed.

Roles and Responsibilities Across Campus

Managing Controlled Unclassified Information (CUI) at CU Boulder is a shared responsibility across departments, researchers, and campus support offices. Principal Investigators, Department Managers, and Users each play key roles in maintaining secure practices, while central offices (the Office of Contracts & Grants, OIT Security's Research Cybersecurity Program, and the Office of Compliance, Ethics and Policy) provide oversight, guidance, and system support. Together, these groups ensure the campus meets all CUI requirements and protects sensitive research data.

PI and Department Manager Role - An employee who has organizational and/or contractual responsibility to ensure compliance of other CU Persons in their department or on their research project. The PI or department manager is responsible for ensuring that:

  • All requests for system access and project groups have been properly vetted.
  • Access is approved only for people who have a business need to use the system and who meet the criteria specified in the research contract. This may require proof of U.S. person status.
  • All Users have access only to the data required for their job role.
  • Access is removed (de-provisioned) for Users who change job roles or are terminated.
  • Periodic access reviews are conducted for project groups and systems.
  • Project teams and staff have completed campus CUI training, CUI system-specific training, and any sponsor- or contract-required training.
  • All project teams and staff have reviewed system-specific procedures and signed CUI system-specific user agreements.
  • CUI System Administrators are notified when a person leaves a project, changes position, or leaves the institution, so that access can be removed or changed.
  • Staff and project team members use university-managed or university-owned devices to access the CUI System.
  • The Software Vetting Guidance is followed for any software application brought into the CUI System to run on the infrastructure.
  • The guidance for self-written software code contained in the Software Vetting Guidance is followed.
  • Changes to infrastructure that project teams manage in the environment are tracked, reviewed, and logged when the CUI System team does not manage that infrastructure.
  • Physical access to secure spaces is monitored and controlled, in conjunction with the Division of Public Safety.
  • In the event of an incident, their staff are available to participate as needed in risk assessment, containment, and evidence capture activities.

User Role - A user is any CU Person who uses, accesses, processes, shares, or generates CUI as part of their job (for example, a researcher). The user is responsible for:

  • Following the campus CUI Policy, CUI Standards, and CUI System-specific policies and standards.
  • Completing required campus, system, and contract-specified training.
  • Protecting CUI data they encounter during daily activities.
  • Notifying CUI-Incident@colorado.edu if an incident related to CUI is suspected.
  • Signing User Agreements for CUI Systems.
  • Not sharing CUI data with any other internal or external party unless that party is an authorized user. This includes sharing or emailing files, sharing screens, taking screen captures, and holding meetings where unauthorized persons can hear or see CUI.
  • Accessing CUI systems only from a university-managed (preferred), university-owned, or sponsor-approved device.
  • Not downloading CUI to unauthorized devices.
  • Joining any sponsor meeting where CUI will be discussed or shared from a CUI System.
  • Requesting access only for people who have a business need to use the CUI System.
  • Participating in Security Incident Response investigations as needed.

Office of Contracts and Grants (OCG) Role - Identifies and tracks research agreements that have clauses or other indications that a project will require handling CUI, and manages negotiation of contract clauses with sponsors. OCG maintains awareness of campus system capabilities for compliance with sponsor requirements and refers Principal Investigators (PIs) to the Office of Information Technology Security and/or system owners for consultation on system needs, requirements, and cost for projects that require handling CUI.

OIT Security Role - Assesses CUI Systems for compliance with CUI security controls, recommends systems for authority to operate, and creates templates for the System Security Plan, the Plan of Action and Milestones (POA&M), and other security documentation.

Facilitates decision-making, risk assessments, and communications within the CUI Steering Committee and with campus stakeholders. Manages the CUI Program, including maintaining timelines, requesting and balancing resources and workloads, and driving toward key CUI campus strategies such as certifications, certification renewals, and expansion or contraction of CUI services for the campus.