Controlled Unclassified Information (CUI) is sensitive information that requires safeguarding or dissemination controls in accordance with applicable laws, regulations, and government-wide policies. However, it is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. The CUI Program defines the standards and best practices necessary to protect CUI throughout its lifecycle.

CUI must be safeguarded at a minimum of the Moderate Confidentiality Impact level, as defined by federal security standards. NIST SP 800-171 outlines the requirements for protecting CUI in non-federal information systems, including those operated by universities, research institutions, and contractors that handle CUI under agreements with the executive branch.

There are two types of CUI data: CUB Basic and CUI Specified, described below. 

Types of Data Subject to CUI Controls

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Patent
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax
  • Transportation

Additional information regarding CUI categories is available at: https://www.archives.gov/cui/registry/category-list

CUI Basic

  • Requires adherence to the NIST 800-171 controls.

CUI Specified

  • Requires adherence to NIST 800-171 controls, as well as any laws, regulations, or government policies that mandate specific protections. This can include unique markings, enhanced physical safeguards, and limits on who can access the information.
  • For example, export controlled information may require a US government export license before it can be shared with foreign
    persons. This additional "specified" control exists under US export control law and applies in addition to the cybersecurity
    controls required by NIST 800-171.
CUI Data Security

Princeton's Approach to CUI

Princeton University has taken several steps to manage CUI effectively through its Secure Research Infrastructure Environment, Citadel:

  • Security Measures: Princeton utilizes the NIST 800-171 controls, which include 110 specific security controls designed to protect CUI.
  • Cyber Incident Reporting: Procedures are established for reporting cyber incidents as outlined in NIST 800-171.
  • System Security Plan: Princeton has developed a specific System Security Plan to address the controls outlined in NIST 800-171.
  • Secure Research Infrastructure:  The Citadel environment supports the secure management of CUI by providing a robust and secure infrastructure.

Through these measures, Princeton aims to ensure the effective protection and management of restricted data within its research infrastructure.