April 2020 - It should be noted that, due to new third-party oversight of an organization's compliance with CUI (800-171) requirements, UNH is not currently able to provide for CUI data management.
As a participant in federally-funded research programs, our University receives data from or generates information/widgets/devices for government agencies, corporate entities, and other institutions of higher education. Many of these awards and contracts require compliance with specific federal regulations enacted to protect categories of sensitive or labeled information, now commonly called “controlled unclassified information” or “CUI.”
Controlled Unclassified Information (CUI) refers to unclassified information that is to be protected from public disclosure. The CUI designation replaces "sensitive but unclassified" and other similar control markings. A CUI Office has been established at the National Archives to develop guidance (e.g., NIST 800-171) for implementing and enforcing the new CUI policy.
The executive agency that is providing funding for research at the University is responsible for identifying what it considers CUI under its auspices, in accordance with the rules from NARA. That agency is in turn responsible for alerting the University, for example during the release of a Request for Proposal (RFP) information packet or in contract negotiation exchanges, that CUI is involved and that the University will therefore be required to be in compliance for sharing, handling, or generating this type of data, or risk default and all that it implies. Currently, executive branch agencies are defining their respective processes for meeting CUI standards and their expectations for contractors on funded projects. We expect more clarity in the coming months.
What you [the researcher who is responsible for CUI compliance throughout the project from start to finish] really need to know is that CUI agreements can take the shape of a contract, grant, license, memorandum of agreement, or information-sharing agreement. Understand the data categories on your contract, what data/widget/device you or your team may create during the performance of a contract, the requirements to protect that data/widget/device, and the costs associated with that protection before you sign the contract. If you receive the award, it is also recommended that you keep in regular contact with your sponsor to ensure data or widgets that are considered non-CUI have not been re-designated as CUI.
Patrick Messer
Enterprise IT Research Computing Center
Email: patrick.messser@unh.edu
Phone: (603) 862-2889