Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. The steps start after the professor or researcher has been granted funding, and has gone through contract. This page is intended to show the steps one can expect to get a project approved with CUI data.

For more information, see the UMOR site on Controlled Unclassified Information.

What You Need to Know!

This is the general process we have seen for CUI projects:

Note: Everyone involved in the project needs to have completed the CUI training in MyLINC

https://maislinc.umich.edu/ – Advanced Search for: ITSE106 Securing Controlled Unclassified Information (self-study)

CUI training has been updated from DoD. https://securityhub.usalearning.gov/index.html

1. The U-M Office of Research (UMOR) must be notified of the project:
   • UMOR contacts – Steve Dawson ([email protected]) and Krista Campeau ([email protected])
   • Also check for DFAR, ITAR, EAR, etc and notify any other parties.
   • If IT Security is notified, we will always go to UMOR to let them know about potential CUI.
   • If a PI/Researcher is not sure where they are in a submittal process of a project, contact Steve Dawson first.
2. UMOR will review contract terms to determine if the project uses CUI.
   • If Yes, then UMOR/IT Security:
     • UMOR will notify IT Security about the project.
     • A meeting will be setup to discuss CUI and the System Security Plan (SSP) for the project: Completed SSPs go to UMOR CUI Guy Steve Dawson ([email protected])
       • Attendees may include CoE-IT-Compliance and ARC-TS Yottabyte Research Cloud (YBRC) team members
       • Refer to CUI Meeting Topics and Questions
       • ARC-TS Yottabyte Research Cloud (YBRC) overview
       • Discuss Select Environment and Security Controls – Select the proposed system to use for the project and what security controls will relate to it. (ref CUI Risk Management Framework chart)
   • If No (this step is for internal IT Security ref, No Action for PI/Researcher):
     • No SSP is required, basic hardening recommendations are provided, and the project continues as normal.
3. PI/Researcher then contacts/submits to CoE-IT-Compliance that SSP and other documents are ready for review. This will start the process to get reviewed by the CUI Governance Committee.
4. Wait for approval from CUI Governance Committee BEFORE actually working with CUI data.