Controlled Unclassified Information (CUI)
This website provides a general overview of capabilities to appropriately safeguard controlled unclassified information (CUI) at Northeastern. KRI, LLC at Northeastern University has separate processes related to CUI and computing security procedures. Those working with or at KRI will receive instructions from KRI.
The Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DOD), is requiring contractors receiving DOD contracts to undergo an assessment to determine their cybersecurity maturity. The assessment will be performed by a third party and will result in a Cybersecurity Maturity Model Certification (CMMC). Northeastern is currently working to meet CMMC level 2 certification requirements. New information will be added to this webpage as it becomes available.
The CUI program was established to create consistency across agencies of the U.S. Government in how CUI is marked and safeguarded, and to provide clear expectations to contractors regarding required protections. The National Archives and Records Administration (NARA) implements and oversees the CUI program to ensure compliance. The CUI Program is implemented through 32 CFR 2002 “Controlled Unclassified Information.”
Classified information is excluded from the CUI program because it is subject to other rules and authorities.
The CUI Registry maintained by NARA is an online repository for government-wide guidance regarding CUI classification, policy and practice. The following are examples of data that Northeastern faculty may encounter in the course of their work:
- Critical Infrastructure
- Export Control
- Financial Information (i.e. budgets)
- Law Enforcement
- Genetic or health information
- Personnel records
- Student records
- Procurement and Acquisition
Contract solicitations will outline expectations for contract recipients, including any technology standards. Most frequently, the solicitation will reference, require or allow elements of the system security plan, which demonstrate an implementation of NIST SP 800-171. For awards with the Federal Acquisition Regulation (FAR) clauses listed below that do not specify NIST standards but require the safeguarding of CUI, an individual TCP will be required:
Research Compliance will also work with you to review any additional requirements, to determine what protections will be required. When required, Research Compliance may work with you to establish a Technology Control Plan (TCP) to ensure the CUI is appropriately managed.
The first is the Secure Data Enclave (SDE). The SDE is a remote environment that you can access online in the same manner as Office 365. This is suitable for most research. To gather information on the costs associated with the SDE, please work with Research Computing.
The second option is the MGHPCC in Holyoke, Massachusetts. This option is more suitable for those utilizing large amounts of data storage and computing power. Space may be arranged to install servers and/or server racks necessary for the project. To gather information on the costs associated with MGHPCC, please work with Research Computing.
The best place to store research data is on the Northeastern network using either SharePoint or your OneDrive on your GCC account. There are two critical advantages to utilizing these university-managed resources: they are backed up automatically to a cloud server for reliability, and these university systems have important security measures that prevent security breaches.
Last Updated on December 16, 2021