Controlled Unclassified Information

About CUI

Controlled Unclassified Information (CUI) is federal non-classified information the U.S. Government creates or possesses, or that a non-federal entity (such as George Mason University) receives, possesses, or creates for, or on behalf of, the U.S Government, that requires information security controls to safeguard or disseminate.  These controls must be compliant with the federal regulations specified in 32 CFR Part 2002 and NIST SP 800-171r1.

Information” as defined by the federal CUI Program may include research data and other project information that a research team receives, possesses, or creates in the performance of a sponsored project.

The federal government’s CUI registry identifies broad categories of information that are considered to be CUI.  In addition to categories such as controlled technical information with military or space applications, information in areas such as statistical information (Census), transportation (railroad safety analysis records), law enforcement information (criminal history records information), and critical infrastructure (water and energy infrastructure and assessments, and other security issues) are all on the CUI registry.

We encourage you to review the CUI registry with your research interests in mind, because the scope of controlled information is wide.

Links to these and other regulations can be found on the “Federal Government Resources” page. Please also find the below drop downs for additional information about CUI at Mason.

A research project conducted by Mason faculty, students and/or their external collaborators requires the implementation of CUI information security and physical security controls when the federal contract, grant and/or information sharing agreement or other vehicle contains provisions requiring those controls.  The controls do not depend on the form of the agreement, but follow the data, regardless of the mechanism through which the data is shared. For example, a research project could be affected by CUI regulations if an investigator or project team is using data acquired under a Data Use Agreement and the data are information determined by the government to be CUI. To determine if such requirements pertain, the Office of Sponsored Programs (OSP) will review RFPs, solicitations, and other calls for proposals to flag ahead of time the likelihood that any subsequent awards will contain CUI language/clauses. OSP will also review grants, contracts, and data use agreements to determine the applicability of the clauses in negotiation with the sponsor and/or organization with whom we enter into a data use agreement. If CUI requirements are identified OSP will inform the principal investigator (PI), the Information Technology Services (ITS) Security Office, and the Office of Research Development, Integrity and Assurance (ORIA).
As a Mason investigator committed to the responsible conduct of research, you must acquaint yourself with CUI regulations and comply with CUI controls in relevant awards and data use agreements. To the extent possible, when routing proposals through Mason’s proposal submission process, PIs are asked to identify proposals likely to be affected by CUI requirements by checking the appropriate box on the proposal submission cover sheet. (OSP will also identify proposals likely to be impacted by CUI requirements and, with the ITS Security team, will track relevant pending proposals.) If CUI compliance is required for a research project, the PI and their unit IT contact(s) will work with the ITS Security team to:
  • Verify that the research project will receive, possess, and/or create CUI.  This step could involve extensive discussions with the sponsor.
  • Identify the appropriate information security system/technology solution to use to secure and store the information. Appropriate system solutions may include the use of on-premise or cloud services. Additional information on systems solutions will be posted on the OSP, ORIA and ITS websites as it becomes available.
  • Create the required information security plan for the research project.  This plan will outline the policies and procedures the research team MUST follow (e.g., information access restrictions, laboratory security, etc.) to comply with CUI requirements. Failure to comply with the information security plan developed may result in adverse administrative action.
The PI and their unit will also work with ORIA to ensure that a control plan is in place to describe and implement other required precautions, such as physical protections and shipping safeguards, are put into place.
For the purposes of CUI compliance in research programs, the information security program will be monitored by ORIA.  Monitoring will include the initial certification and periodic re-certification that the appropriate controls are in place for each research project. Representatives from OSP, ORIA and the ITS Security Team will host information sessions in the coming months to share more information about Mason’s Information Security Program in support of research as well as physical and administrative controls that may be necessary to support CUI projects.