Controlled Unclassified Information (CUI)
This website provides a general overview of capabilities to appropriately safeguard controlled unclassified information (CUI) at Northeastern. KRI, LLC at Northeastern University has separate processes related to CUI and computing security procedures. Those working with or at KRI will receive instructions from KRI.
The Office of Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DOD), is requiring contractors receiving DOD contracts to undergo an assessment to determine their cybersecurity maturity. The assessment will be performed by a 3rd party and will result in a Cybersecurity Maturity Model Certification (CMMC). Northeastern is currently working to meet CMMC level 3 certification requirements. New information will be added to this webpage as it becomes available.
The CUI program was established to create consistency across agencies of the U.S. Government in how CUI is marked and safeguarded and provides clear expectations to contractors regarding required protections. The National Archives and Records Administration (NARA) implements and oversees the CUI program to ensure compliance. The CUI Program is implemented through 32 CFR 2002 “Controlled Unclassified Information.”
Classified information is excluded from the CUI program because it is subject to other rules and authorities.
The CUI Registry maintained by NARA is an online repository for government-wide guidance regarding CUI classification, policy and practice. The following are examples of data that Northeastern faculty may encounter in the course of their work:
- Critical Infrastructure
- Export Control
- Financial Information (i.e. budgets)
- Law Enforcement
- Genetic or health information
- Personnel records
- Student records
- Procurement and Acquisition
Contract solicitations will outline expectations for contract recipients, including any technology standards. Most frequently, the solicitation will reference require or allow elements of the system security plan, which demonstrate an implementation of NIST SP 800-171. For awards with the Federal Acquisition Regulation (FAR) clauses listed below that do not specify NIST standards but require the safeguarding of CUI, an individual TCP will be required:
Research compliance will also work with you to review any additional requirements, including establishing a Technology Control Plan (TCP) to ensure the CUI is appropriately managed.
Last Updated on September 16, 2021
Report a Concern
Northeastern University strongly encourages any member of the community to report unethical or questionable conduct including concerns about research misconduct.