Controlled Unclassified Information (CUI) FAQs

What is CUI?

CUI is defined as federal non-classified information that the U.S. Government creates or possesses, or that a non-federal entity (i.e. Northeastern) receives, possesses, or creates for, or on behalf of the U.S. Government, that requires certain information security controls to safeguard.  CUI may include research data and other project information that a research team receives, possesses, or creates during the performance of a contract funded by the federal government.

The CUI program was established to create consistency across agencies of the U.S. Government in how CUI is marked and safeguarded and provides clear expectations to contractors regarding required protections.  The National Archives and Records Administration (NARA) implements and oversees the CUI program to ensure compliance.  The CUI Program is implemented through 32 CFR 2002 “Controlled Unclassified Information.”

Classified information is excluded from the CUI program because it is subject to other rules and authorities.

The CUI Registry maintained by NARA is an online repository for government-wide guidance regarding CUI classification, policy and practice.  The following are examples of data that Northeastern faculty may encounter in the course of their work:

  • Critical Infrastructure
  • Export Control
  • Financial Information (i.e. budgets)
  • Intelligence
  • Law Enforcement
  • Transportation
  • Privacy
    • Genetic or health information
    • Personnel records
    • Student records
  • Procurement and Acquisition
    • Controlled Technical Information DoD ONLY – marked with one of the Distribution Statements B through F, in accordance with DoD Instruction 24 and the associated guidance document)
When will CUI apply to me?

CUI will apply when working on a contract containing one of the following FAR clauses:

Contract solicitations will outline expectations for contract recipients, including any technology standards.  Most frequently, the solicitation will reference require or allow elements of the system security plan, which demonstrate an implementation of NIST SP 800-171.  For awards with the Federal Acquisition Regulation (FAR) clauses listed below that do not specify NIST standards but require the safeguarding of CUI, an individual TCP will be required:

  • 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
  • 252.204-7008 Compliance with safeguarding covered defense information controls
  • 252.204-7012 Safeguarding covered defense information and cyber incident reporting
Will Northeastern accept and managed CUI clauses?

Yes, Northeastern will accept and manage contracts containing CUI requirements.  In order to manage the CUI process appropriately, all personnel working with CUI will require a special instance of Microsoft 365, called Government Cloud Computing (GCC). Research Compliance and ITS will work together to facilitate setting up the accounts.

Research Compliance will also work with you to review any additional requirements, to determine what protections will be required. When required, Research Compliance may work with you to establish a Technology Control Plan (TCP) to ensure the CUI is appropriately managed.

Who can I go to for additional questions or assistance?

Please direct questions to researchcompliance@Northeastern.edu.
The mailbox is staffed by Amanda Humphrey, Chief Research Operations Officer and Jeff Seo, Chief Research Compliance Officer. They will work with you to either answer your questions or connect you with stakeholders in the University to help work through your questions.

I have a contract that requires compliance with NIST 800-171 and/or DFAR 252.204-7012. What does that mean for how I will manage my data?

If you have a contract requiring compliance with NIST 800-171 or DFAR 252.204-7012, additional security measures must be taken to protect the research data. Northeastern has two environments that support the heightened security required for compliance that balance protection and flexibility.

The first is the Secure Data Enclave (SDE). The SDE is a remote environment that you can access online in the same manner as Office 365. This is suitable for most research. To gather information on the costs associated with the SDE, please work with Research Computing.

The second option is the MGHPCC in Holyoke, Massachusetts. This option is more suitable for those utilizing large amounts of data storage and computing power. Space may be arranged to install servers and/or server racks necessary for the project. To gather information on the costs associated with MGHPCCC, please work with Research Computing.

I will be accessing and storing CUI in the course of my research project. How should I access and store that research data?

CUI should only be stored on Northeastern ITS imaged and managed devices, such as a laptop provisioned to you by Northeastern. Please do not utilize personal devices to access or store CUI. In addition, Northeastern discourages the use of portable storage devices such as thumb drives or external hard drives.

The best place to store research data is on the Northeastern network using either Sharepoint or your One Drive on your GCC account. There are two critical advantages to utilizing these university managed resources: they are backed up automatically to a cloud server for reliability and these university systems have important security measures that prevent security breaches.

What do I need to know about CUI and The CHIPS and Science Act of 2022?

The CHIPS and Science Act of 2022 focuses on federal aid to encourage the construction of microprocessor manufacturing facilities in the United States. The overarching goal of the CHIPS Act is to reduce U.S. reliance on overseas chip supply chains and to provide subsidies to manufacture semiconductors in the U.S., boost science and technology research, and address China’s anti-competitive trade practices.

The CHIPS Act provides substantial budget increases for the Department of Energy (DOE), National Institute of Science and Technology (NIST), Department of Commerce (DOC), and the National Science Foundation (NSF), which are accompanied by new research security requirements.

Specifically, CHIPS directs the NSF to “develop a plan for identifying areas of research that may involve access to classified or controlled unclassified information and exercise due diligence processes in granting access to such information” (Sec. 10339).

NSF has plans to create an external CUI website, but for now recommends referencing the CUI registry for additional information.

What to do if you get an email labelled CUI?

Emails that contain CUI must be encrypted and the CUI must be sent as an encrypted attachment. The body of the email must not contain any CUI but must include the applicable CUI markings in a banner above the email text.

A subject-line indicator of CUI may be included. “Contains CUI” can appear in the subject line to alert recipients that CUI is present in the email.

When forwarding or responding to emails containing CUI, a banner marking above the email text must be included.

See this CUI Registry page for more details on email markings.

If you believe you have incorrectly received an email marked as CUI, please contact Research Compliance at ResearchCompliance@northeastern.edu.

How does this vary from CUI and CMMC?

CMMC 2.0 is the Department of Defense’s (DoD) method for requiring organizations in the DoD supply chain to protect certain types of data to the appropriate level determined. CMMC affects the Defense Industrial Base, specifically organizations that support the DoD or higher education research institutions that handle the following types of data:

  • Federal Contract Information (FCI)
  • Controlled Unclassified Information (CUI)/Covered Defense Information (CDI)
  • Controlled Technical Information (CTI)
  • International Traffic in Arms Regulations (ITAR) Data

All types of CUI require safeguarding, but not all types of CUI fall under CMMC. If you have questions on whether your type of CUI falls under CMMC, please contact Research Compliance at ResearchCompliance@northeastern.edu.
Additional information on CMMC at Northeastern can be found here .

CUI Guide
CUI Incident Reporting

A CUI/CDI incident can be thought of as a violation (or imminent threat of violation) of security or privacy policies or standard practices. CUI/CDI incidents could cause loss or damage to hardware, software, networks, or data (electronic or hard copy), or could affect personnel. CUI incidents include but are not limited to: ​

  • ​Improper storage of CUI/CDI ​
  • Actual or suspected mishandling of CUI/CDI ​
  • When unauthorized individuals gain access to CUI (physical or electronic) ​
  • Unauthorized release of CUI (to public facing websites or to unauthorized individuals) ​
  • Suspicious behavior from the workforce (Insider Threats) – General disregard for security procedures – Seeking access to information outside the scope of current responsibilities – Attempting to enter or access to sensitive areas (where CUI is stored, discussed, or processed)​

​The CMMC Assessment Guide Level 2 requires that organization tracks, documents, and reports incidents to designated officials and/or authorities both internal and external to the organization. Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling.

Please contact CUI@northeastern.edu with any CUI incident reports. Please do not include any specific details or actual CUI in your report.