Research Security

Controlled Unclassified Information

Overview

Controlled unclassified information, CUI,听is defined in听听as information held by or generated for the Federal Government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies that isn鈥檛 classified under听听or the Atomic Energy Act, as amended.

A few important points about CUI:

  • Research data and other project information that a research team receives, possesses, or creates during the听performance of federally funded research may be CUI.
  • The obligation to determine whether an award will involve CUI belongs to the federal sponsor; award documents should specifically identify CUI and applicable security requirements.
  • CUI safeguarding requirements听are only applicable to UGA and UGA information systems when mandated by a federal agency in a contract, grant, or other agreement.
  • The security requirements apply to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

罢丑别听听is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than听. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.

What assistance is available?

UGA does not currently have an off-the-shelf CUI compliant environment. As such, Principal Investigator鈥檚 will have to work closely with their department and college IT, as well as EITS, which has developed a template System Security Plan. PIs鈥 should begin this process by reaching out to the Office of Research Security and Export Control.

Due to the nature of the controls, there may be significant cost, effort, and time necessary for implementation.听 Before considering developing a one-off solution, researchers should carefully consider听听补苍诲听听Assessing Security Requirements for CUI.

Will UGA meet the requirements of Cybersecurity Maturity Model Certification (CMMC) Program 2.0?

Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award. Otherwise, UGA will not be able to compete for certain DOD contracts.

Additional Information

More information about the CMMC program and implementation is available from听听(training and听accreditation听of assessors; and marketplace for CMMC service providers) and the听听(CMMC model,听assessment guides and FAQs) websites.

The CUI Program is implemented through听听Controlled Unclassified Information听which specifies National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171听Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations听(NIST SP 800-171) for safeguarding听requirements applicable to non-federal information systems that store,听process, or transmit CUI.

NIST SP 800-171听identifies听110 unique requirements that apply to University information systems听that process, store, or transmit CUI.听The requirements are organized into the following 14 families: access control (22 controls); awareness and training (3 controls); audit and accountability (9 controls); configuration management (9 controls); identification and authentication (11 controls); incident response (3 controls); maintenance (6 controls); media protection (9 controls); personnel security (2 controls); physical security (6 controls); risk assessment (3 controls); security assessment (4 controls); system and communications protection (16 controls); and system and information integrity (7 controls).

The Department of Defense (DoD) is the only agency that uses the terms covered defense information (CDI) and controlled technical information (CTI) which it defines in听.听 However, in order to understand scope of control,听you also need to understand how DoD uses the term听covered contractor information system,听also defined in听DFARS 252.204-7012.

  • Controlled Technical Information (CTI)听means听technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
  • Covered Contractor Information System听means听an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits CDI.
  • Covered Defense Information (CDI)听means unclassified CTI or other information, as described in the听, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is鈥
    1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
    2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Essentially, CTI is a specific category of听CUI (listed on听the听CUI Registry听as part of the Defense organizational index grouping) while听CDI is a DoD term that encompasses all categories of CUI plus any other information听DoD has not approved for public release.听DFARS 252.204-7012听is the DoD contract clause that requires covered contractor information systems be subject to the security requirements in听NIST SP听800-171. It also includes DoD-specific cyber incident reporting requirements.

DoD funded research involving CDI must include听听补苍诲听will almost certainly include听听which requires DoD prior approval for any publication or other public release.

On 9/29/20, DoD released an听听in the Federal Register to amend the DFARS, in part, to听add听听(notice) and听听(contracts) which听specify听NIST SP 800-171 assessment requirements for DoD contracts involving CDI;听these听clauses became effective 11/30/20.听Specifically,听a recent听assessment (< 3 years old) at the level required by the听contract must be on file in the Supplier Performance Risk System (SPRS) for the covered contractor information system before the contracting officer can issue the听award the contract. Contracts will be assigned one of three levels of assessment are identified: Basic (self-assessment), Medium (DoD review) and High (DoD review and inspection). The requirement applies to the prime and all subcontractors whose work will involve CDI.

  • Note 1: These new clauses do not apply to previously issued contracts unless added through a contract modification.
  • Note 2: In the same Federal Register Notice adding DFARS 252.204-7019 and 252.204-7020, DoD released DFARS听听which implements the requirements of the new safeguarding program听DoD will听roll out in phases through 10/1/2025. This new program is the Cybersecurity Maturity Model Certification (CMMC) program, which is discussed as a separate topic on this page.

What is the CMMC Program?

The Cybersecurity Maturity Model Certification (CMMC) program is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

The framework has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

What CMMC Level is required for Covered Defense Information (CDI)?

CMMC Level 2 will be听the base requirement for contracts involving CDI but听higher levels may be required, i.e. to address听advanced persistent threats. CMMC Level 2 consists of the 110 requirements specified in听NIST SP 800-171.

How will I know what CMMC Level is required?

In November 2020, DoD issued a new DFARS clause implementing听CMMC requirements to support the issuance of the听acquisition activities piloting the CMMC Model. As part of the same Federal Register Notice, DoD issued new DFARS clauses to support an interim cybersecurity program that will remain in place until the CMMC Model is fully implemented.听The new DFARS clauses and brief descriptions are provided below:

  • 听Notice of NIST SP 800-171 DoD Assessment Requirements.听This is a notice clause听for use in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.听
    • It states that in order to be considered for an award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order. The Basic, Medium, and High NIST SP 800-171 DoD Assessments are described in the听.
  • 听NIST SP 800-171 DoD Assessment Requirements.听This is the clause that will be used in contracts involving CDI to implement the Basic, Medium, and High assessment requirements.
    • These are the same requirements listed in DFARS 252.204-7019 but expanded descriptions are provided for the processes around the conduct and reporting of Medium and High assessments by DoD.
  • 听Cybersecurity Maturity Model Certification Requirements.听This is the clause that will be used in the phased rollout of the CMMC Model requirements.
    • This requires that the Contractor have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.
(Infographic Source: https://www.acq.osd.mil/)cmmc/about-us.html)