Defining procedures for the identification, protection, and handling of CUI data, as related to the University of Maryland (UMD) Controlled Unclassified Information Environment (CUIE).
Controlled Unclassified Information (CUI) is information that requires special safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but which is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. This information typically comes from the U.S. Federal government, its agencies, or related organizations.
The UMD CUI Environment (CUIE) is a NIST SP 800-171- and DFARS 252.204-7012-compliant IT environment used by UMD researchers for handling and analyzing Controlled Unclassified Information. Its physical equipment is hosted in one of the Division of Information Technology's (DIT) data centers. The system provides investigators a place to upload and store files, and access to virtual machines for performing analysis. It uses a per-object (per-document) encryption system that prevents access to data by anyone other than those designated by the principal investigator (PI) or data owner. The CUIE is also approved for data subject to ITAR and Export Control rules; see the UMD RSO under the Governance section below.
CUI, and data subject to ITAR and EAR, fall in the UMD data classification category of Restricted (Level 4) data, defined as data whose access and use are strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss could have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships.
CUI falls into the restricted research category, as opposed to fundamental research, and is therefore subject to federal regulations. The Office of Research Administration (ORA) and the Research Security Office (RSO) work with sponsors to ensure appropriate agreements are in place to facilitate the use of CUI, and to ensure compliance with UMD policies and procedures. Additional information, in the context of ITAR and EAR data, is available in the 18 June 2018 memo "RE: Updates on restricted research and export laws".
DFARS 252.204-7012(b)(2)(i) defines adequate security for Covered Defense Information, which includes Controlled Technical Information; both are categories of Controlled Unclassified Information (CUI).
As a prerequisite to gaining access to the CUIE, users are required to complete the Research Technology CUI Environment Training Course, which provides basic guidance on Controlled Unclassified Information and covers best practices to be aware of when working with sensitive data. The course includes an in-depth look at the University of Maryland's Controlled Unclassified Information Environment (CUIE), which was launched as a solution for researchers working with CUI data. In the Securing CUI module of the training, users are given an overview of the history and definition of CUI and of the electronic and physical protection of CUI.
Export control is governed by a group of federal regulations designed to advance the national security, foreign policy, and economic interests of the United States. UMD's Research Security Office (RSO) is responsible for preparing and administering Technology Control Plans (TCPs) for researchers needing access to export-controlled material or data, which may come from a sponsoring organization.
The Office of Research Administration is responsible for ensuring that the research agreement is properly reviewed and approved according to university policies and procedures. ORA and RSO work together, and with sponsors and DIT, to ensure that appropriate language and solutions are in place for the agreement.
Organizations sponsoring a UMD research project should know whether the data being collected, produced, and/or disseminated is designated as CUI. CUI is a federal designation, not a classification level. Project-specific documentation, as part of the grant or contract, should identify which data provided or produced as part of the research will be CUI, and outline the end goals and objectives for how the data will be used.
USG sponsor organizations should provide guidance on how data is to be shared (e.g., DoD SAFE, encryption).
The Division of Information Technology asserts that the UMD CUIE is a compliant system for holding and processing CUI data. A copy of the CUIE System Security Plan (SSP), which details the NIST SP 800-171 (Protecting CUI in Nonfederal Systems and Organizations) security controls in place and attests to the system's compliance, is available to sponsors upon request.
The CUI Registry is the U.S. Government-wide online repository for Federal-level guidance regarding CUI policy and practice. However, agency personnel and contractors should first consult their sponsoring agency's CUI implementing policies and program management for guidance. The following resources provide additional guidance on procedures related to CUI: National Archives CUI Program Blog, CUI Resources, CUI Categories.
CUI must be stored behind a locking barrier inside of a controlled environment that prevents unauthorized access. Organizations have some flexibility in determining what qualifies as a controlled environment. CUI specified categories may have additional physical security requirements. Visit the CUI Program Blog Q&A for more information.
If there is a concern that CUI data has been mishandled, lost, and/or disclosed, users must report the issue as a security incident in ServiceNow and notify their USG sponsor. If an insider threat is suspected, it should be reported to DIT Security. If the user has access to the CUIE, the Research Computing team should be notified as well.
Upon completion of a CUI project, users should discuss contractual requirements with their US Government sponsor as well as the Office of Research Administration (ORA). Before discontinuing access to the CUIE, users should consider whether they will resume work on the data in the near future. If access to the CUIE is no longer needed, users should notify the Research Computing team to terminate access. Users will then be instructed to remove their encrypted private key from their device.
Be sure to consider any archiving and/or retention periods that may be mandated under the contract. Do not store CUI/ITAR data on other UMD, personal, or third-party organizations' systems, no matter how secure you think they are, unless you have consulted with DIT's Research Computing Group and/or the Office of Research Administration to determine whether they are compliant with the mandates for handling CUI.
ORA’s Managing Your Sponsored Research guide and the Roles and Responsibilities charts should be used as additional resources for information and next steps.