Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
The CUI Program establishes standards and best practices built to safeguard sensitive information for the entire lifecycle.
CUI should be protected at no less than the Moderate Confidentiality Impact level. NIST SP 800-171 establishes the standard to safeguard CUI and non-Federal information systems, such as those owned by universities and research labs, and other partners that receive or use CUI under contracts or agreements with the executive branch.
Read more - National Archives - about CUI
Review - Princeton University CUI Handbook and Workflow (requires authentication)
Types of Data Subject to CUI
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural and Cultural Resources
- NATO
- Nuclear
- Patent
- Privacy
- Procurement and Acquisition
- Proprietary Business Information
- Provisional
- Statistical
- Tax
- Transportation
CUI Specified
- Requires compliance with NIST 800-171 controls
- As well as any laws, regulations or government policies that require specific protections. For example:
- Unique markings
- Enhanced physical safeguards
- Limits on who can access the information
CUI Basic
- Requires compliance with the NIST 800-171 controls
What Princeton is doing?
- CUI controls require contractors to provide adequate security per NIST 800-171 controls
- NIST 800-171 outlines the security controls (110 controls) applicable to CUI, including reporting of cyber incidents
- Entities develop their own specific System Security Plan
- Princeton established Secure Research Infrastructure Environment, Citadel, in place to comply with these requirements