Controlled Unclassified Information (CUI)

This website provides a general overview of capabilities to appropriately safeguard controlled unclassified information (CUI) at Northeastern. KRI, LLC at Northeastern University has separate processes related to CUI and computing security procedures. Those working with or at KRI will receive instructions from KRI.

The Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DOD), is requiring contractors receiving DOD contracts to undergo an assessment to determine their cybersecurity maturity. The assessment will be performed by a third party and will result in a Cybersecurity Maturity Model Certification (CMMC). Northeastern is currently working to meet CMMC level 2 certification requirements. New information will be added to this webpage as it becomes available.

What is CUI?
CUI is defined as federal non-classified information that the U.S. Government creates or possesses, or that a non-federal entity (i.e. Northeastern) receives, possesses, or creates for, or on behalf of the U.S. Government, that requires certain information security controls to safeguard.  CUI may include research data and other project information that a research team receives, possesses, or creates during the performance of a contract funded by the federal government.

The CUI program was established to create consistency across agencies of the U.S. Government in how CUI is marked and safeguarded, and to provide clear expectations to contractors regarding required protections. The National Archives and Records Administration (NARA) implements and oversees the CUI program to ensure compliance. The CUI Program is implemented through 32 CFR 2002 “Controlled Unclassified Information.”

Classified information is excluded from the CUI program because it is subject to other rules and authorities.

The CUI Registry maintained by NARA is an online repository for government-wide guidance regarding CUI classification, policy and practice.  The following are examples of data that Northeastern faculty may encounter in the course of their work:

  • Critical Infrastructure
  • Export Control
  • Financial Information (i.e. budgets)
  • Intelligence
  • Law Enforcement
  • Transportation
  • Privacy
    • Genetic or health information
    • Personnel records
    • Student records
  • Procurement and Acquisition
    • Controlled Technical Information (DoD ONLY – marked with one of the Distribution Statements B through F, in accordance with DoD Instruction 24 and the associated guidance document)

CUI will apply when working on a contract containing one of the following FAR clauses:

Contract solicitations will outline expectations for contract recipients, including any technology standards. Most frequently, the solicitation will reference, require, or allow elements of the system security plan, which demonstrate an implementation of NIST SP 800-171. For awards with the Federal Acquisition Regulation (FAR) clauses listed below that do not specify NIST standards but require the safeguarding of CUI, an individual Technology Control Plan (TCP) will be required:

  • 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
  • 252.204-7008 Compliance with safeguarding covered defense information controls
  • 252.204-7012 Safeguarding covered defense information and cyber incident reporting

Yes, Northeastern will accept and manage contracts containing CUI requirements.  In order to manage the CUI process appropriately, all personnel working with CUI will require a special instance of Microsoft 365, called Government Cloud Computing (GCC). Research Compliance and ITS will work together to facilitate setting up the accounts.

Research Compliance will also work with you to review any additional requirements, to determine what protections will be required. When required, Research Compliance may work with you to establish a Technology Control Plan (TCP) to ensure the CUI is appropriately managed.

Please direct questions to  The mailbox is staffed by Amanda Humphrey, Director of Research Integrity & Export Controls and Jeff Seo, AVP for Research Compliance.  They will work with you to either answer your questions or connect you with stakeholders in the University to help work through your questions.

If you have a contract requiring compliance with NIST 800-171 or DFAR 252.204-7012, additional security measures must be taken to protect the research data. Northeastern has two environments that support the heightened security required for compliance while balancing protection and flexibility.

The first is the Secure Data Enclave (SDE). The SDE is a remote environment that you can access online in the same manner as Office 365. This is suitable for most research. To gather information on the costs associated with the SDE, please work with Research Computing.

The second option is the MGHPCC in Holyoke, Massachusetts. This option is more suitable for those utilizing large amounts of data storage and computing power. Space may be arranged to install servers and/or server racks necessary for the project. To gather information on the costs associated with MGHPCC, please work with Research Computing.

CUI should only be stored on Northeastern ITS imaged and managed devices, such as a laptop provisioned to you by Northeastern. Please do not utilize personal devices to access or store CUI. In addition, Northeastern discourages the use of portable storage devices such as thumb drives or external hard drives.

The best place to store research data is on the Northeastern network, using either SharePoint or your OneDrive on your GCC account. There are two critical advantages to utilizing these university-managed resources: they are backed up automatically to a cloud server for reliability, and these university systems have important security measures that prevent security breaches.

Last Updated on April 6, 2022

Report a Concern

Northeastern University strongly encourages any member of the community to report unethical or questionable conduct including concerns about research misconduct.

To report a concern, you may email Research Compliance or contact the EthicsPoint confidential and anonymous reporting hotline.