Controlled Unclassified Information

Controlled Unclassified Information (CUI) refers to unclassified information that is to be protected from public disclosure. The CUI designation replaces “sensitive but unclassified” and other similar control markings.

CUI Office has been established at the National Archives to develop guidance for implementing and enforcing the new CUI policy.

DFARS 7012

DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD.

NIST 800-171

The purpose of NIST 800-171 is to provide guidance for federal agencies to ensure that certain types of federal information are protected when processed, stored, and used in non-federal information systems. NIST 800-171 applies to Controlled Unclassified Information (CUI) shared by the federal government with a nonfederal entity.

In the higher education context, the federal government often shares data with institutions for research purposes or in carrying out the work of federal agencies. In many of those instances, other federal laws or regulations might address how that information must be protected (e.g., FISMA). In some cases, however, there may not be a law that specifically addresses how the CUI data received from the federal government must be protected. In those instances, NIST 800- 171 will apply when the federal government shares controlled unclassified information with higher education institutions. As such, the controls specified in NIST 800-171 will need to be addressed in those higher education institutional systems that store CUI.

Controls

110 controls derived from NIST SP 800-53 provide specific requirements for access control, awareness and training, auditing, configuration management, communications protection and more. Some controls may be met through process or policy; some will require a technology solution.

Georgia Tech Controlled Unclassified Information Policy

NIST Special Publication 800-171 (NIST 800-171), is a Federal standard that standardizes security controls applied to Controlled Unclassified Information (CUI) and systems and processes involved with this data within federally funded environments. Georgia Tech is obligated to ensure that all systems and processes involved with CUI are compliant with NIST 800-171 to continue receiving Federal funds associated with the use of this data (either directly received from the government or indirectly through associated covered contracts and contractors).  The full policy can be viewed here.