Controlled unclassified information

The federal government requires cybersecurity controls on certain types of protected data often used or gathered in research projects. The protected data, referred to as Controlled Unclassified Information (CUI), is defined and described in the Code of Federal Regulations (CFR) at 32 CFR Part 2002. CUI  includes a broad spectrum of information types, many of which are relevant to research conducted on campus. A full list of information types (categories & subcategories) is available at the CUI Registry of the National Archives.

In order to help researchers comply with CUI requirements, the UW–‍Madison Office of Cybersecurity and the Office of the Vice Chancellor for Research and Graduate Education have created a step-by-step process for researchers to follow. The process outline, forms and Q&As on these pages will help you determine if your research is impacted by the new requirements and if so, what steps you need to take.

See the NIST publication for complete information

Does this apply to you?

CUI compliance may be required if (1) your sponsor indicates that data in your award/contract is designated as CUI and/or is subject to NIST 800-171 controls or (2) your request for proposal/solicitation, award, or contract includes one of the following:

  • 32 CFR 2002 Controlled Unclassified Information
  • NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
  • 252.204-7008 Compliance with safeguarding covered defense information controls
  • 252.204-7012 Safeguarding covered defense information and cyber incident reporting

For questions regarding CUI terms in proposals, awards, or contracts contact

Who's requiring CUI compliance?

The Federal government requires the protection of Controlled Unclassified Information.  The CUI program is overseen by the National Archives/Information Security Oversight Office (ISOO) and involves all executive branch agencies that designate or handle information that meets the standards for CUI.  Compliance with the CUI program security standards has been codified in federal regulations; 32 CFR Part 2002 outlines the requirements for Federal agencies for designating and handling CUI.  These requirements apply to UW–‍Madison when a federal agency incorporates them into agreements.   One specific example is the Department of Defense, which has mandated that their contracts involving CUI (as indicated by inclusion of 252.204-7012) must comply with the NIST 800-171 standards after December 31, 2017.

CUI compliance process


Consult with local IT staff using the CUI Checklist about space, hardware, configuration, and access settings.


If you continue to need a risk assessment to determine the proper handling of your data, please submit a risk assessment request to the Office of Cybersecurity at


Please consult the Data Storage Finder tool to determine proper storage options for your data.  For any additional assistance determining a proper and compliant tool, please contact the Research CyberInfrastructure team by clicking on the contact link at the bottom of this resource page.


The Office of Cybersecurity will review the request and determine a timeline for completing a risk assessment to ensure that NIST 800-171 guidelines are met.

This is an accordion element with a series of buttons that open and close related content panels.

Process Details For All Steps

Step 1

Consult with your local IT staff about space, hardware, configuration, and access settings that meet the NIST 800-171 requirements using the CUI Checklist.

Step 2

Submit a CUI intake form to alert the Office of Cybersecurity that your proposal contains CUI requirements. It is critical to get a head start on this at the proposal stage because if your proposal is awarded, you may have 30 days or less to report to the federal government that you are compliant.

Step 3

Based on the information you have provided in the intake form (step 2), the Office of Cybersecurity will assign a level of Availability, Integrity, and Confidentiality (AIC) to the data. Desired security levels are: Availability: moderate; Integrity: high, Confidentiality: moderate.

Step 4

The Office of Cybersecurity will help you select methods and controls to ensure that information system meets NIST 800-171 guidelines and test and evaluate controls prior to final implementation.

What’s required to comply with NIST 800-171?

Step 5

The Office of Cybersecurity will validate foreseeable project data risks and the UW Chief Information Security Officer (CISO) will sign off on the assessment and pass it on to you, the PI, for your information. Along with your Risk Executive—Dean, Director or other executive designated to review—you may (1) accept risk as stated, (2) take action to mitigate risk per the CISOs suggestions, or (3) determine this risk is too high as a measure of risk management. If (3), you will be informed of all risk that the project and data requirements may involve, and it will be up to you to determine if you are willing to assume the risk. The details of the project will be outlined in a report which will then be submitted to the appropriate Federal agency. See campus Risk Management Framework for details.

Step 6

Once the project begins and the system is active and operating (Step 6 RMF), the Cyber Security Operations Centers (CSOC) will monitor and report anomalies of concern for review and mitigation.


Ready to get started?

Further questions about NIST 800-171?

The Risk Management and Compliance Team in the Office of Cybersecurity can help.

Contact us