Controlled Unclassified Information (CUI) - What You Need to Know

Contact Brown’s Export Control Team to discuss CUI or with general questions about CUI.

1. What is Controlled Unclassified Information (CUI)?
2. What is not CUI?
3. What is an example of CUI?
4. What is Covered Defense Information (CDI), and is it different from CUI?
5. How do I know if CUI or CDI is involved in my research? How do I know if I am going to receive or work with CUI?
6. Can Brown accept CUI?
7. What is required to safeguard CUI?
8. What do I need to do if I receive, work with, or generate CUI?
9. What additional resources are available to learn more about CUI?

1. What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is defined as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulations, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”[1]

CUI is an umbrella term that encompasses many different categories of information that require protection from public disclosure, including but not limited to CUI related to Immigration, Finance & Banking, Intelligence, Defense, Law Enforcement, Legal, Tax, and Transportation. A comprehensive list of all CUI categories can be found in the CUI Registry.

CUI is divided into two broad groups: CUI Basic and CUI Specified.

  • CUI Basic must be safeguarded, handled, disseminated, marked, and destroyed in accordance with the basic—or so-called “default”—requirements set forth in the Code of Federal Regulations at 32 CFR Part 2002. See question #7 for more information about the safeguarding requirements.

  • CUI Specified is CUI for which there are laws, regulations or government-wide policies that address specific safeguarding and handling. CUI Specified is not necessarily a higher level of CUI. Being categorized as “CUI Specified” means that certain requirements for handling and protecting such CUI are set forth in specific regulations or policies.

2. What is not CUI?

CUI, by definition, is information that is created or possessed by or on behalf of the United States Government. CUI does not include information (a) that is already in the public domain, or (b) that is generated under a Fundamental Research project, not subject to publication restrictions, and intended for publication and broad dissemination. Lastly, information generated under research not funded by the federal government is also not considered CUI. Note that, though not CUI, some information generated under research not funded by the federal government could still be considered confidential or proprietary for other reasons.

If you have received information that you believe is erroneously marked as “CUI,” please contact the Export Control Team to discuss.

3. What is an example of CUI?

One of the CUI categories is “Controlled Technical Information.” Controlled Technical Information is technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. It is CUI Specified because the Safeguarding and/or Dissemination Authority applicable to Controlled Technical Information is specified in regulation: 48 CFR 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

Controlled Technical Information must be clearly marked as such. Possible markings are: CUI, CUI//SP-CTI, or CONTROLLED//SP-CTI.

These markings should be at the top of the page of the information you receive. If the information is sent to you via email, the body of the email should also include the markings. If you receive CUI via regular mail or a mail delivery service, the outer envelope or box may not be marked; however, the documents inside the envelope must be clearly marked.

4. What is Covered Defense Information (CDI), and is it different from CUI?

The term Covered Defense Information (CDI) will usually only come up in connection with Department of Defense (DoD) research agreements and other DoD contracts. CDI is essentially CUI. It specifically means “unclassified controlled technical information or other information, as described in the CUI Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:

  (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”[2]

5. How do I know if CUI or CDI is involved in my research? How do I know if I am going to receive or work with CUI?

There are a number of ways in which you may learn that your project involves CUI or CDI. The most common are described below.

  1. Your sponsor tells you directly that it expects the project to involve CUI or CDI.
  2. Your research application requires the submission of a CUI Control Plan.
  3. The research announcements (RFPs/RFAs/BAAs) state that the research is expected to involve or generate CUI.
  4. A research collaborator informs you in writing or verbally that you will be receiving CUI or CDI.
  5. Your research contract includes a CUI clause. If CUI or CDI is involved, your research contract will include FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems or DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. If your research contract includes a CUI clause, you will be contacted by Brown’s Office of Sponsored Programs (OSP) to verify that CUI is involved and discuss next steps.
  6. You receive information that is marked CUI. If that is the case, you must contact Brown’s Export Control Team immediately.

If CUI/CDI is or may be involved in your research, please see questions #6, #7 and #8 for information about the steps you must take.

6. Can Brown accept CUI?

Brown University has the required technical infrastructure to house CUI. However, if you want to receive or work with CUI in connection with a research project, or if you think you might generate CUI in a research project, additional reviews and approvals are required to ensure compliance with Brown’s Openness in Research policy, Brown’s Export Control and U.S. Economic Sanctions Policy, and the Policy on the Handling of Brown Restricted Information. See question #8 for more information about the steps you need to take when CUI may be involved in your research project.

7. What is required to safeguard CUI?

CUI must be handled and stored such that it is protected from unauthorized access or accidental public disclosure. This includes, but is not limited to:

  • Storing CUI in an environment that prevents unauthorized access, such as rooms/areas and online storage (for electronic CUI) with access controls.
  • Preventing physical access by storing CUI documents in locked cabinets and drawers.
  • Storing electronic CUI in compliance with the requirements set forth in NIST 800-171.
  • Appropriately marking CUI prior to distribution. Please see the Marking Guide issued by the National Archives and Records Administration (NARA).
  • Only distributing CUI to authorized individuals.
  • Following all CUI decontrol and destruction guidelines provided by NARA.
  • Reporting[3] CUI incidents immediately, including unauthorized access, improper storage, or other types of mishandling of CUI, and in accordance with your CUI Management Plan.

Researchers who work with CUI must have a Brown-issued CUI Control Plan in place that will outline the safeguarding requirements, describe how the CUI is secured and stored at Brown, and detail how unauthorized access will be prevented. CUI must be properly handled, stored, marked, and, if it is no longer in use, destroyed, in accordance with applicable laws, regulations, and policy.

8. What do I need to do if I receive, work with, or generate CUI?

If you intend to receive or work with CUI, or if you may generate CUI in your research, you must do the following:

  1. identify the Category of CUI you will be receiving/working with/generating;

  2. work with Brown’s Export Control Team to implement a CUI Control Plan; and

  3. familiarize yourself with and follow existing federal policies regarding the handling, storing, marking, and destruction of the type of CUI at issue.

If you receive CUI in electronic format or if you plan to store CUI electronically, you must also work with the Office of Information Technology (OIT) Stronghold Team to set up a Stronghold environment in which to store the CUI before the CUI arrives on campus. If you already have a Stronghold environment, you must still contact OIT to request permission to store the new CUI in your existing environment. As part of the Stronghold setup, you will receive a Stronghold control plan and you will need to complete Stronghold training.

9. What additional resources are available to learn more about CUI?

The Brown Export Control Team in the Office of Research Integrity is your main resource. We can help you plan ahead, discuss whether CUI is necessary for your research project, and evaluate potential impacts on your research program. We also provide comprehensive training to you and anyone in your research team who will be working with CUI.

Additionally, the federal agency responsible for the CUI program is the National Archives and Records Administration (NARA). NARA has several resources about CUI, including training videos, brochures, and guidance documents.

Footnotes

[1] See NARA “CUI Registry,” https://www.archives.gov/cui/registry/cui-glossary.html#C

[2] See DFARS 252.204-7012 – Definition of Covered Defense Information

[3] Every agency has its own incident reporting procedure, which you must follow. Reporting procedures will be listed in your Brown-issued CUI Management Plan. If you have questions, contact Brown’s Export Control Team for assistance.