The federal government requires cybersecurity controls on certain types of protected data often used or gathered in research projects. The protected data, referred to as Controlled Unclassified Information (CUI), is defined and described in the Code of Federal Regulations (CFR) at 32 CFR Part 2002. CUI includes a broad spectrum of information types, many of which are relevant to research conducted on campus. A full list of information types (categories & subcategories) is available at the CUI Registry of the National Archives.
In order to help researchers comply with CUI requirements, the UW-Madison Office of Cybersecurity and the Office of the Vice Chancellor for Research and Graduate Education have created a step-by-step process for researchers to follow. The process outline, forms and Q&As on these pages will help you determine if your research is impacted by the new requirements and if so, what steps you need to take.
Does this apply to you?
CUI compliance may be required if (1) your sponsor indicates that data in your award/contract is designated as CUI and/or is subject to NIST 800-171 controls or (2) your request for proposal/solicitation, award, or contract includes one of the following:
- 32 CFR 2002 Controlled Unclassified Information
- NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
- 252.204-7008 Compliance with safeguarding covered defense information controls
- 252.204-7012 Safeguarding covered defense information and cyber incident reporting
For questions regarding CUI terms in proposals, awards, or contracts contact firstname.lastname@example.org.
Who's requiring CUI compliance?
The Federal government requires the protection of Controlled Unclassified Information. The CUI program is overseen by the National Archives/Information Security Oversight Office (ISOO) and involves all executive branch agencies that designate or handle information that meets the standards for CUI. Compliance with the CUI program security standards has been codified in federal regulations; 32 CFR Part 2002 outlines the requirements for Federal agencies for designating and handling CUI. These requirements apply to UW-Madison when a federal agency incorporates them into agreements. One specific example is the Department of Defense, which has mandated that their contracts involving CUI (as indicated by inclusion of 252.204-7012) must comply with the NIST 800-171 standards after December 31, 2017.
CUI Compliance Process
Consult with local IT staff using the CUI Checklist about space, hardware, configuration, and access settings.
Submit a CUI intake form to alert the Office of Cybersecurity that your proposal contains CUI requirements.
The Office of Cybersecurity will assign a level of Availability, Integrity, and Confidentiality (AIC) to the data.
The Office of Cybersecurity will select methods and controls to ensure that NIST 800-171 guidelines are met.
The Office of Cybersecurity will either sign off on the assessment or determine that the risk is too high.
Once the project begins, the Cyber Security Operations Centers will monitor and report anomalies.
Process Details For All Steps
Consult with your local IT staff about space, hardware, configuration, and access settings that meet the NIST 800-171 requirements using the CUI Checklist.
Submit a CUI intake form to alert the Office of Cybersecurity that your proposal contains CUI requirements. It is critical to get a head start on this at the proposal stage because if your proposal is awarded, you may have 30 days or less to report to the federal government that you are compliant.
Based on the information you have provided in the intake form (step 2), the Office of Cybersecurity will assign a level of Availability, Integrity, and Confidentiality (AIC) to the data. Desired security levels are: Availability: moderate; Integrity: high, Confidentiality: moderate.
The Office of Cybersecurity will help you select methods and controls to ensure that information system meets NIST 800-171 guidelines and test and evaluate controls prior to final implementation.
The Office of Cybersecurity will validate foreseeable project data risks and the UW Chief Information Security Officer (CISO) will sign off on the assessment and pass it on to you, the PI, for your information. Along with your Risk Executive—Dean, Director or other executive designated to review—you may (1) accept risk as stated, (2) take action to mitigate risk per the CISOs suggestions, or (3) determine this risk is too high as a measure of risk management. If (3), you will be informed of all risk that the project and data requirements may involve, and it will be up to you to determine if you are willing to assume the risk. The details of the project will be outlined in a report which will then be submitted to the appropriate Federal agency. See campus Risk Management Framework for details.
Once the project begins and the system is active and operating (Step 6 RMF), the Cyber Security Operations Centers (CSOC) will monitor and report anomalies of concern for review and mitigation.
Ready to get started?
Further questions about NIST 800-171?
The Governance, Risk Management and Compliance Domain Team within the Office of Cybersecurity can help.