Controlled Unclassified Information (CUI)

What is Controlled Unclassified Information (CUI)?

CUI is defined as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls”.

CUI categories and subcategories cover a range of data types. The responsibility for categorizing data as CUI lies with the government agency supplying the data.

Why Does CUI Matter to the University?

The University of Illinois Urbana-Champaign receives federal funding through grants and contracts. UIUC is considered an entity that acts on behalf of the government, and therefore has an obligation to properly handle and protect CUI. UIUC investigators and administrators generate, receive, store, and manipulate data types that may be CUI: either CUI Basic or CUI Specified.

CUI Basic and CUI Specified

CUI Basic is the subset of CUI for which the authorizing law, regulation, or government-wide policy does not set out specific handling or dissemination controls. CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI.

CUI Specified is the subset of CUI in which the authorizing law, regulation, or government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. In other words, CUI Basic controls apply as a default, unless there is alternative specific guidance under CUI Specified.

The definition of CUI limits the scope to certain categories of federal information specifically requiring safeguarding pursuant to government requirements. 

UIUC General Requirements for Safeguarding CUI

To properly manage CUI, UIUC must provide or support:

1. One or more people who are trained and then designated as “authorized holders” of that CUI
2. Physical access control
3. Cybersecurity controls

Safeguarding CUI Basic

Authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions: 

1. Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments; 
2. Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI; 
3. Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and 
4. Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements and controls.

Safeguarding CUI Specified

There are many different types of CUI Specified that may have particular safeguarding requirements. If you have a need to handle CUI Specified, please contact cui-support@illinois.edu for support.

Addressing CUI in Research Proposals and Agreements

Sponsored research and unfunded agreements may require certain cybersecurity measures to safeguard CUI and the measures may differ across funding agencies and projects. These requirements are still under development by the federal government and are expected to be finalized in the next two years. In the meantime, regulations are subject to change.

A research project at the UIUC may require implementation of CUI security controls when the Federal contract or grant contains language or clauses (e.g., FAR, DFARS, NIST SP) that require such controls. The Sponsored Programs Administration (SPA) reviews the contracts during negotiations with the contract sponsor to determine which information system security clauses may apply to a given contract. 

A research project may be subject to CUI regulations if:

• It uses data acquired under a Data Use Agreement or similar legal document, and the data is information classified by the Federal government as CUI or FCI.
• It includes information system security requirements under NIST SP 800-53r5, NIST SP 800-171r2, and/or NIST SP 800-172, even if no CUI is expected within the scope of a contract.
• DFARS 70 series (7012, 7019, 7021) is mentioned in pre or post award.

SPA and Technology Services will work with the Principal Investigator (PI) and designated project team members (including staff maintaining relevant information systems) to ensure that proper security requirements will be met. It is important to note that any CUI Basic or CUI Specific controls required to perform the research may need to be part of the budget of the research proposal, if such controls are not already part of the campus infrastructure. The Office of the Vice Chancellor for Research and Innovation and the Office of the Chief Information Officer are collaborating on developing such infrastructure to be compliant with these emerging CUI management requirements.

Official Government CUI websites

National Institutes of Standards and Technology (NIST) Special Publication

• NIST SP 800-171r2 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
• NIST SP 800-172 – Enhanced Security Requirements for Protecting Controlled Unclassified Information
• NIST Protecting Controlled Unclassified Information

CUI Program

• CUI Main Informational Website
• CUI registry
• CUI Program Blog