Controlled Unclassified Information (CUI) is federal non-classified information the U.S. Government creates or possesses, or that a non-federal entity (such as George Mason University) receives, possesses, or creates for, or on behalf of, the U.S. Government, that requires information security controls to safeguard or disseminate. These controls must be compliant with the federal regulations specified in 32 CFR Part 2002 and NIST SP 800-171r1.
“Information” as defined by the federal CUI Program may include research data and other project information that a research team receives, possesses, or creates in the performance of a sponsored project.
The federal government’s CUI registry identifies broad categories of information that are considered to be CUI. In addition to categories such as controlled technical information with military or space applications, areas such as statistical information (Census), transportation (railroad safety analysis records), law enforcement information (criminal history records information), and critical infrastructure (water and energy infrastructure and assessments, and other security issues) are all on the CUI registry.
We encourage you to review the CUI registry with your research interests in mind, because the scope of controlled information is wide.
Links to these and other regulations can be found on the “Federal Government Resources” page. See below for additional information about CUI at Mason.
- Verify that the research project will receive, possess, and/or create CUI. This step could involve extensive discussions with the sponsor.
- Identify the appropriate information security system/technology solution to use to secure and store the information. Appropriate system solutions may include the use of on-premises or cloud services. Additional information on system solutions will be posted on the OSP, ORIA and ITS websites as it becomes available.
- Create the required information security plan for the research project. This plan will outline the policies and procedures the research team MUST follow (e.g., information access restrictions, laboratory security, etc.) to comply with CUI requirements. Failure to comply with the information security plan developed may result in adverse administrative action.