Controlled Unclassified Information (CUI) applies to data the Federal Government has shared with the university including:
- Federal data received as part of a research grant
- Federal data received to conduct university business (e.g., student financial aid information)
Researchers and university staff should review federal contracts or agreements to determine if the data is specifically identified as CUI. If so, the university must follow the Requirements and related Security Controls specified in NIST 800-171 to protect CUI data.
Security Control Families
CUI Requirements from NIST 800-171 are identified in the following Security Control families:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Service Acquisition (SA)
- System and Communication Protection (SC)