Controlled Unclassified Information Policy
This policy outlines requirements for receiving, collecting, developing, handling, storing, processing, and maintaining information that falls into at least one of the Controlled Unclassified Information (CUI) registry categories, as listed on the National Archives and Records Administration (NARA) website. University employees who access CUI must safeguard this information as outlined by the National Institute of Standards and Technology (NIST) “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” standards (NIST 800-171), NARA, applicable Presidential Executive Orders, and contract clauses. NIST 800-171 defines the requirements for the protection of CUI data to reduce or eliminate inappropriate release of CUI. NARA provides all other pertinent information needed to properly handle CUI. These standards include physical and information technology (IT) security controls including access control, physical security standards, and IT system security.
The following requirements apply to all University of Kansas faculty, staff, and students who receive federally sponsored funding and will have access to, store, and process CUI.
Proposals submitted for federal funding (including those submitted to federal prime contractors) that contain or have the potential to involve CUI program components must include appropriate budget line(s) to underwrite the cost associated with meeting NIST 800-171, contract, and NARA compliance requirements. This requirement applies regardless of the anticipated contracting vehicle that will be issued to the University (i.e., contract, grant, cooperative agreement, or subaward). The KU Office of Research, KU Global Risk and Security (GRS), and proposal or award information are resources for determining if sponsored funds require CUI compliance.
If the contracting vehicle supporting the collaboration does not include funding, such as unfunded Cooperative Research and Development Agreements (CRADA), researchers should correspond with the KU CUI contact by email at email@example.com for a consultation on how much funding to request.
System Security Plan
The University maintains a Controlled Unclassified Information System Security Plan (SSP) in compliance with federal standards. KU Information Technology (KU IT) and GRS are responsible for maintaining, updating, and controlling the SSP.
Researchers who receive federal funding subject to CUI security requirements shall:
- Complete a Technology Control Plan (TCP) with the TCP Assessment Team. The TCP Assessment Team includes staff from Global Risk and Security, the KU IT Security Office, the Kansas Applied Research Lab, and the KU IT Network Engineering team. TCPs are reviewed by the Principal Investigator (PI), Department Chair, and Dean. TCPs must be approved by the Director of GRS prior to beginning work on the project and spending funds.
- Use University approved CUI computing services and equipment for all information classified as CUI. Use of standalone computer systems or networks or systems not part of the University approved CUI program is prohibited.
- Store, process, and handle CUI data and materials in environments documented and approved in the TCP. Storing and handling CUI data and materials in areas not defined and approved in the TCP is prohibited.
- Email GOS at firstname.lastname@example.org and the KU Information Technology Security Office (ITSO) at email@example.com for questions regarding TCP and information technology security requirements.
Awareness and Training
Each researcher participating in a CUI project shall complete the appropriate training prior to engaging in research. Training requirements will be outlined in the TCP. Training must be completed annually. Training topics include, but are not limited to, proper handling of CUI, general cyber security topics, export control compliance, and insider threat training.
Monitoring and Auditing
The TCP Assessment Team shall conduct monitoring and audit reviews of any CUI-funded project. These reviews will cover both physical and information security.
Physical security: The TCP Assessment Team shall conduct annual reviews of the activities covered by the TCP for each project. Reviews may include, but are not limited to, the following:
- Implementation of physical security controls;
- Implementation of information security controls;
- Personnel review to ensure all researchers are listed in the TCP as participants; and
- Review of training compliance for all participants.
The TCP Assessment Team shall produce a report following the review and provide a copy to the PI and Department Chair. If deficiencies are found, the TCP Assessment Team shall work with the PI and unit to address the deficiencies. The specifics of self-assessment activities are outlined in each TCP.
In addition to the annual review, the PI is responsible for conducting periodic self-reviews throughout the life of their TCP. If there are changes in the project or individuals participating in the research, the PI must inform GRS immediately. The PI is responsible for informing the Director of GRS at firstname.lastname@example.org of any violations of the TCP immediately upon recognizing the issue.
Information security: Information logs must be collected and stored for continuous monitoring by the ITSO. The information logs include, but are not limited to, activities concerning management, resource and system security, and diagnostics. The activities to be logged must be specified in the TCP. The ITSO and GOS shall investigate in the case of anomalies or other concerns.
Any exceptions to this policy will be considered on a case-by-case basis by emailing the Director of GRS at email@example.com. The researcher requesting an exception will be required to provide a justification for the exception with concurrence of the Chair, Dean, and Vice Chancellor for Research.
Violation of this policy may result in the full range of sanctions, including loss of privileges to access KU’s approved CUI computing service without notice, a hold on research funding, disciplinary action, suspension, termination of employment, dismissal from the University, and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. If appropriate, the University will carry out its responsibility to report such violations to the appropriate authorities.
Additionally, students could be subject to disciplinary action under the Code of Student Rights and Responsibilities.
Office of Global Risk & Security
2029 Becker Drive, Room 139
Lawrence, KS 66047
06/01/2023: Updated Global Operations and Security to Global Risk and Security; and updated Contact section.
09/30/2021: New Policy published in the Policy Library.