Controlled Unclassified Information

CUI Processes and Procedures

 

 

   

Contact Us

Mario E. Caire, Ph.D.
Research Security Officer
Kelly Hall, 4th floor, North Wing
500 W University Ave
El Paso, TX 79968

  Office: 915-747-8470
  rso@utep.edu  
  mcaire@utep.edu

All UTEP projects with applicable CUI needs must go through a certification process wherein all environments involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls).

Additionally, all environments that are involved with CUI must undergo an annual NIST 800-171 compliance assessment by Information Security before continued interaction with CUI. These assessments will result in an attestation report signed by the Chief Information Security Officer (CISO) or designee. All environments that are involved with CUI must also operate in a manner which facilitates rapidly reporting cyber incidents involving CUI. Report all CUI incidents immediately to security@utep.edu.

  1. The first point of contact for any research related CUI questions or support is the Research Protections Office. Contact rso@utep.edu for guidance or questions regarding the safeguarding of CUI.

  2. When a solicitation, request for proposal, contract, or agreement indicates that CUI will be provided or generated by the project (or contains CUI clauses), confirm with the cognizant federal agency or project sponsor (flow down) the need to receive, store, process, and safeguard CUI. You can find contact information for the cognizant agency on the National Archives CUI Contacts Web Page. Use this Quick Reference Guide for Identifying FCI and CUI as a guide to identifying CUI clauses.

  3. If the sponsor confirms safeguarding CUI is a project requirement, report this to your research administrator (RA) or to ORP (rso@utep.edu). The PI will then fill out and submit a CUI Questionnaire for approval by ORP and UTEP's Information Security Office (security@utep.edu). Upon approval of the CUI Questionnaire, ISO and ORP will work with the PI to set up the controlled environment. Please contact rso@utep.edu for information on obtaining and submitting the questionnaire. Note:
    1. Everyone involved in the project who will require access to CUI will receive a notice from security@utep.edu to take required CUI training. Links to the training modules and instructions for submitting your certificates will be included.
    2. ISO currently supports the following CUI environments:
      • CUI Laptop
      • CUI Café (under development)
      • Amazon Web Services (AWS) Commercial Cloud
      • Amazon Web Services (AWS) Government Cloud (GovCloud) for Export Controlled research

  4. Work with the ORP, ISO, and the CUI originator to negotiate how to properly receive CUI on the controlled environment. Options include:
    1. PreVeil
    2. DoD Safe
    3. Other ISO and Agency/Flow Down approved method

  5. If a controlled environment is needed to host collaborative meetings to discuss or share research related CUI, request a Zoom – GovCloud account through rso@utep.edu. Note: Consult with ISO if the CUI originator supports an alternate method.

  6. If you need to share CUI documents with other personnel at the University, you will need an approved CUI system and a PreVeil account. PreVeil provides a secure email platform for sharing documents as attachments. Submit a request for a PreVeil account to security@utep.edu.

Visit the CUI training web page for guidance on taking the ISO approved Mandatory CUI training.

For more information or assistance on specific training requirements, contact either of the following:

Follow these guidelines when reproducing (copying, faxing, scanning, printing, electronic duplication) CUI.

  1. Printing and hard copy storage should be kept to a minimum.
  2. Reproduction of CUI is allowed if it is in furtherance of a Lawful Government Purpose where
    1. The recipient has a need to receive/view/handle CUI.
    2. All Federal and University CUI policies and handling safeguards are followed.
    3. The authorized holder is assured that any recipient can safeguard CUI within a controlled environment certified by the UTEP Information Security Office (ISO).
  3. The ISO recommended printer setup is a printer/copier that
    1. Does not retain data
    2. Is physically connected via USB to a CUI compliant system.
    3. Does not support network or WIFI connections or has these disabled.
  4. The authorized holder of physical CUI needs to ensure CUI is
    1. Not shared with anyone who has not taken mandatory ISO approved CUI Training Modules.
    2. Properly destroyed using an approved when no longer needed.
    3. Kept under direct control of an authorized holder.
    4. Protected by at least one physical barrier (e.g., a locked door or drawer) if left unattended. Even where the facility/building is secure, CUI must not be left unattended in open spaces.
  5. Use of a cover sheet is strongly recommended. The cover sheet identifies CUI, alerts observers from a distance that CUI is present, and serves as a shield to protect the CUI from inadvertent disclosure. Cover sheet (or transmittal letter if faxing) best practices include:
    1. List any CUI Specified Categories contained in the document or transmission;
    2. List any applicable Limited Dissemination Controls (markings); and
    3. List any special handling or dissemination requirements called for by the underlying law, regulation, or Government-wide policy related to the CUI Specified information.
  6. In general, network printers are not an acceptable means of printing CUI documents unless the printer is part of a physically secure UTEP network with appropriate access controls. If you intend to print to a network printer, contact ISO (security@utep.edu) to ensure the entire physical environment and network on which the printer is attached meets NIST 800-171 standards.

Please reach out to ISO (security@utep.edu) or Research Protections (rso@utep.edu) for any questions or assistance.

What is Unsolicited CUI?

Unsolicited Controlled Unclassified Information (CUI) refers to information that is shared or received without a specific request and is designated as CUI according to federal regulations. 

How is Unsolicited CUI obtained?

Unsolicited CUI might be received through various means, such as emails, faxes, regular mail, or verbal communications. Handling such information requires:

  1. Adherence to established protocols to ensure its protection and proper dissemination
  2. Proper training

Look out for potential indicators of CUI

  1. Are you receiving any communication from a Federal Agency or Federal Flowdown (e.g. DoD, DoT)?
  2. Do any attachments have CUI in the file name?
  3. Is the email marked CUI in the header or footer?

How to Safeguard Unsolicited CUI

If you have received or believe you have received unsolicited CUI via Outlook Email in a non-compliant environment (i.e. a workstation that does not meet NIST 800-171 requirements):

  1. Reach out to the sender to determine if what was sent is actual CUI. If it is, inform the sender that it was improperly sent. The originator will need to report the mishandling of CUI to their appropriate next level contact. Contact your RSO for guidance on how to proceed.
  2. Do not delete any CUI email messages.
  3. Do not open any attachments.
  4. Do not save attachments to your workstation.
  5. If you do open or download an attachment, do not delete it and do not empty your recycle bin.
  6. Contact your research security officer (RSO) at rso@utep.edu to report the incident. Be sure to include the following information:
    1. Office Location
    2. UTEP Tag Number
    3. Who you have shared the CUI with
  7. The RSO will coordinate with the Information Security Office to
    1. Securely delete any CUI from your system
    2. Provide you with a secure environment for properly handling CUI
  8. If it is determined that you have a lawful government purpose to store, process, or otherwise transmit any unsolicited CUI, you will be required to take mandatory CUI training and gain access to a compliant environment for doing so.

CUI Training

If access to CUI is required in the conduct of your work, you will be required to take approved training before you access any type of controlled unclassified information. The training modules and instructions for certifying completion can be found on the Controlled Unclassified Training webpage. Upon reporting an unsolicited CUI training incident, you will also receive an email notification with instructions on how to complete the training and how to submit your training certificates.

When developing a proposal for submission to a federal agency or flow down, researchers are advised to:

  1. Conduct a thorough review of the CUI implications before proposal submission. Things to do include:
    1. Review the funding announcement or agency guidelines.
    2. Contact the agency sponsor.
    3. Indicate CUI is part of the proposal in the Notice of Intent.
  2. If CUI protections are outlined by the agency
    1. Clearly define the CUI Scope, including all systems, networks, storage, facilities, and personnel that will store, process, or transmit CUI.
    2. Identify any CUI data that will be used or generated and ensure that the proposal includes appropriate security measures.
    3. Consult with the RSO for guidance on addressing CUI requirements to ensure all appropriate safeguards are addressed. If applicable, the RSO will initiate a request for ISO guidance on identifying CUI safeguards during the proposal phase.
    4. When applicable, include a CUI compliance statement within the proposal. This statement should outline the steps the research team will take to safeguard CUI in accordance with federal regulations.

Research Protections advises that any project involving CUI must have a designated CUI coordinator who is responsible for overseeing compliance throughout the research lifecycle. In the absence of a CUI coordinator, the PI is responsible for overseeing compliance.

Follow this general process to ensure CUI safeguards are in place prior to working on a new Federal (or Federal flow down) award with CUI safeguarding requirements:

  1. Award documents (contracts, sub-agreements, etc.) are reviewed by the principal investigator (PI), research administrator (RA), and/or the Office for Research Protections (ORP) to confirm CUI safeguarding requirements.
  2. When confirmed, ORP notifies the PI to complete an Information Security Office (ISO) CUI Questionnaire.
  3. Upon completion, the PI submits the CUI Questionnaire for review and approval by ORP and ISO.
  4. Upon approval, ISO will
    1. Request that all individuals who will work with CUI take mandatory ISO approved CUI training. It is the PI’s responsibility to ensure all individuals complete training and submit certificates to security@utep.edu.
    2. Coordinate with the PI to ensure all systems and physical environments specified in the CUI Questionnaire are set up to meet CUI safeguarding requirements. The project environment must be set up to meet all controls specified in the NIST Special Publication 800-171.
  5. Upon completion of the steps above, the award funds are released to the PI by the Office of Sponsored Projects.
  6. The project is monitored and periodically audited to ensure compliance with the ISO approved protection plan.

Follow this process to determine if an award requires access to CUI. It may be necessary to search various documents (contracts, subagreements, security questionnaires, exhibits, addendums, etc.) for keywords and clauses that may indicate access to CUI is required. Refer to the Quick Reference Guide for Identifying FCI and CUI for guidance on what to look for.

  1. Does the award originate from a Federal Agency (or flow down)?
    • Yes: proceed to step 2.
    • No: Stop. If the sponsor is not a Federal agency or federal flow down, it cannot be CUI.
  2. Does the information meet the standards for classification according to instruction ?
    • Yes:
      a. Stop and refer to DoDM 5200.01, Volume 1, for guidelines on processing classified information.
      b. Report immediately to the campus FSO.
    • No: proceed to step 3.
  3. Does the information fall within a current Federal law, regulation, or government policy or do any of the contract documents contain CUI Clauses? Refer to the CUI Quick Reference Guide for examples of clauses.
    • No: the information cannot be designated CUI and is therefore not subject to NIST 800-171.
    • Yes: proceed to step 4.
  4. Can the CUI requirements be negotiated or do fundamental research exclusions exist? Work with your RA, RSO, and/or the sponsor to make this determination.
    • Yes: Clarify in contract documents CUI negotiated out and/or fundamental research exclusions.
    • No: proceed to step 5.
  5. Fill out and submit the ISO CUI Questionnaire. Upon approval ISO will conduct a CUI review and reach out with next steps to follow. Contact rso@utep.edu for the latest copy of the CUI Questionnaire and for tips on how to fill out the form.

Tips:

  • The DoD offers access to its online CUI Registry, which lists specific categories of information that the government requires to be protected. The list includes critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements and law enforcement.
  • The DoD CUI Registry goes on to specify additional categories of information, including legal, natural and cultural resources, NATO, nuclear, privacy, procurement and acquisition, proprietary business information, provisional, statistical and tax information.