The federal government requires cybersecurity controls on certain types of protected data often used or gathered in research projects. The protected data, referred to as Controlled Unclassified Information (CUI), is defined and described in the Code of Federal Regulations (CFR) at 32 CFR Part 2002. CUI includes a broad spectrum of information types, many of which are relevant to research conducted on campus. A full list of information types (categories & subcategories) is available at the CUI Registry of the National Archives.
In order to help researchers comply with CUI requirements, the UW–Madison Office of Cybersecurity and the Office of the Vice Chancellor for Research and Graduate Education have created a step-by-step process for researchers to follow. The process outline, forms and Q&As on these pages will help you determine if your research is impacted by the new requirements and if so, what steps you need to take.
Does this apply to you?
CUI compliance may be required if (1) your sponsor indicates that data in your award/contract is designated as CUI and/or is subject to NIST 800-171 controls or (2) your request for proposal/solicitation, award, or contract includes one of the following:
- 32 CFR 2002 Controlled Unclassified Information
- NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
- 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
- 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
For questions regarding CUI terms in proposals, awards, or contracts contact cui-help@rsp.wisc.edu.
Who's requiring CUI compliance?
The Federal government requires the protection of Controlled Unclassified Information. The CUI program is overseen by the National Archives/Information Security Oversight Office (ISOO) and involves all executive branch agencies that designate or handle information that meets the standards for CUI. Compliance with the CUI program security standards has been codified in federal regulations; 32 CFR Part 2002 outlines the requirements for Federal agencies for designating and handling CUI. These requirements apply to UW–Madison when a federal agency incorporates them into agreements. One specific example is the Department of Defense, which has mandated that their contracts involving CUI (as indicated by inclusion of 252.204-7012) must comply with the NIST 800-171 standards after December 31, 2017.
CUI compliance process
1. Consult with local IT staff using the CUI Checklist about space, hardware, configuration, and access settings.
2. Consult the Data Storage Finder tool to determine proper storage options for your data. For any additional assistance determining a proper and compliant tool, contact the Research CyberInfrastructure team by clicking on the contact link at the bottom of this resource page.
3. If you still need a risk assessment to determine the proper handling of your data, submit a risk assessment request to the Office of Cybersecurity at go.wisc.edu/g64qyl.
4. The Office of Cybersecurity will review the request and determine a timeline for completing a risk assessment to ensure that NIST 800-171 guidelines are met.
Ready to get started?
Further questions about NIST 800-171?
The Risk Management and Compliance Team in the Office of Cybersecurity can help.