Student Theses/Dissertations Involving Controlled Research (CUI, CDI, or Export Controlled) 

In general, most students involved in university research will fall under fundamental research. However, in some circumstances, a student’s academic path may lead them to participate in research involving a company’s proprietary information, export-controlled information and/or Controlled Unclassified Information (CUI) or Covered Defense Information (CDI). Participation in such research may enrich the student’s experience but may result in a portion of a student’s thesis or dissertation including proprietary or controlled information. Faculty advisors must closely evaluate how controlled research requirements (i.e., publication restrictions) will impact the student’s ability to complete the project and meet academic or graduation requirements.   

This guidance is intended to provide information to students and faculty regarding student involvement and the parameters around graduate work that is subject to controlled information and/or export control requirements. 

Scope 

The below process is applicable to theses and dissertations that were derived from or contain data that is designated as controlled by government regulation or designated as proprietary by the provider.  

Students are encouraged and expected to seek a pre-research review of their thesis or dissertation plans with their PI and sponsor whenever there is a possibility that certain findings may be subject to restriction. 

Definitions for the acronyms used here are in the Appendix section of this page. 

Process 

  1. PIs: Students are not allowed to be listed or function as the Primary Investigator (PI) on any controlled research project. The involved faculty member/advisor is responsible for the project and must be listed as the Principal Investigator (PI). Students should be listed on the project Technology Control Plan (TCP) as a responsible individual if they will use data or information from the project in their thesis/dissertation work. 
  1. Publication/Foreign National Restrictions: If publication and/or foreign national restrictions are applicable to the project: 
    • The final publication of the student thesis/dissertation may be restricted for a certain period, or permanently, given the sensitivity of the work. 
    • The PI must notify the point of contact for graduate studies for their college as soon as they are aware publication restrictions are applicable to a student thesis/dissertation. This notification is to ensure the college can appropriately manage and embargo the information. Graduate program contact information by college can be found here.   
    • For ITAR controlled projects and other projects specifically restricting access by foreign nationals, only U.S. persons can have access to the information in the Graduate Program Office. The person(s) identified in the Graduate Program Office must be vetted and approved by NU-RES Research Compliance prior to the thesis/dissertation information being provided. 
  1. Formatting: Controlled theses are limited to access by U.S. persons only. For guidance with formatting, please schedule a formatting consultation with NU-RES Research Compliance.  
    • Marking: The thesis or dissertation document must be marked in accordance with the relevant controlled information regulations per the CUI Registry. Each page of the thesis or dissertation document designated CUI should include a banner/header with the determined CUI category: i.e., CUI//SP-CTI – Controlled Technical Information.  
  1. General export disclaimer on title page: Research that is subject to Export Control Regulations under the EAR, ITAR or regulatory agency (NRC/DOE), will need to include a disclaimer identifying the research as export controlled, it is also a good practice to confirm with the sponsor the specific language that should be used and specific controls.  
    • Example “WARNING – This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.) or the Export Administration Act of 1979, as amended (Title 50, U.S.C., App. 2401 et seq.)  Violations of these export laws are subject to severe criminal penalties.” It is recommended to include the specific category or control classification.   
  1. Printing/Dissemination: Unless the sponsor of the project and/or NU-RES Research Compliance has reviewed and approved the release of the information and/or publication, the student and faculty committee will not be allowed to print or distribute draft or final copies of their thesis/dissertation. Students and faculty must ensure that publication restrictions are closely followed, and that information is not released prior to receiving approval. 
  1. Submittal: Each college will have their own process for thesis submittals including which repositories can be used. Controlled theses cannot be submitted through a general repository.  
  1. Committees/Presentations: For controlled thesis projects, NU-RES Research Compliance must review and approve anyone selected to be a part of the student’s committee. Participation in the final presentation of the thesis/dissertation is limited to U.S. persons.  
  1. Archive/Storage Location: Controlled theses must be stored in an encrypted and monitored environment. Requests to move controlled theses out of a compliant environment must be reviewed and approved by the Office of Information Security (OIS) (when applicable) and NU-RES Research Compliance. 
    • Note: specific devices may be needed for committee members to access the controlled thesis in a secure environment. 
  1. Authentication: Controlled theses are required to be securely stored until approval from the sponsor is received to publish the information. 

Questions  

If you have questions or need clarification about the process for a controlled thesis, please contact NU-RES Research Compliance for assistance: ResearchCompliance@northeastern.edu

Appendix

Definitions

Controlled Unclassified Information (CUI): Is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.  

Additional information regarding CUI can be found at the CUI Registry.  

Covered Defense Information (CDI): Is used to describe information that requires protection under DFARS Clause 252.204-7012. It is defined as unclassified controlled technical information (CTI) or other information as described in the CUI Registry under defense, that requires safeguarding/dissemination controls AND IS EITHER marked or otherwise identified in the contract and provided to the contractor by DoD in support of performance of the contract; OR collected/developed/received/transmitted/used/stored by the contractor in performance of contract. 

Export Administration Regulations (EAR): Issued by the United States Department of Commerce, Bureau of Industry and Security (BIS) under laws relating to the control of certain exports, reexports, and activities. 

Additional information on the EAR can be found here.  

International Traffic in Arms Regulation (ITAR): Establishes controls regarding the export and import of defense-related items and services that appear on the United States Munitions List (USML). ITAR is meant to limit access to specific technologies and their associated data resources. 

Helpful Diagrams

The highlighted section “CUI, CDI, Export Controlled (ITAR, EAR Dual-Use) is the research space referred to in this document. These types of research involve certain protections (i.e., foreign national restrictions, publication restrictions) that may impact the ability for the data or information produced to be used in a thesis or dissertation.

There are different levels of CUI that require different levels of protection. Basic CUI (i.e., transportation, law enforcement, immigration, etc.) is information that does not have specific handling or dissemination requirements. Specified CUI is information that does have protection requirements, such as dissemination and access restrictions. Some CUI categories also overlap with export controls, such as nuclear or critical infrastructure information. In these circumstances, an export control review must be completed to evaluate if there are any restrictions on the information and/or technology if tangible items are in use (i.e., shipping or access controls). Finally, defense-related CUI (e.g., critical defense information or CDI) is heavily regulated and in many cases has dissemination, access, and publication restrictions imposed on the results produced from the research effort.  Therefore, it is advisable to discuss the potential for the use of defense-related CUI in any thesis or dissertation with the funding agency before the project commences.

last updated 11.15.2023