Controlled Unclassified Information (CUI)

This website provides a general overview of capabilities to appropriately safeguard controlled unclassified information (CUI) at Northeastern. KRI, LLC at Northeastern University has separate processes related to CUI and computing security procedures. Those working with or at KRI will receive instructions from KRI.

The Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DOD), is requiring contractors receiving DOD contracts to undergo an assessment to determine their cybersecurity maturity. The assessment will be performed by a third party and will result in a Cybersecurity Maturity Model Certification (CMMC). Northeastern is currently working to meet CMMC level 3 certification requirements. New information will be added to this webpage as it becomes available.

What is CUI?
CUI is defined as federal non-classified information that the U.S. Government creates or possesses, or that a non-federal entity (i.e. Northeastern) receives, possesses, or creates for, or on behalf of the U.S. Government, that requires certain information security controls to safeguard.  CUI may include research data and other project information that a research team receives, possesses, or creates during the performance of a contract funded by the federal government.

The CUI program was established to create consistency across agencies of the U.S. Government in how CUI is marked and safeguarded and provides clear expectations to contractors regarding required protections.  The National Archives and Records Administration (NARA) implements and oversees the CUI program to ensure compliance.  The CUI Program is implemented through 32 CFR 2002 “Controlled Unclassified Information.”

Classified information is excluded from the CUI program because it is subject to other rules and authorities.

The CUI Registry maintained by NARA is an online repository for government-wide guidance regarding CUI classification, policy and practice.  The following are examples of data that Northeastern faculty may encounter in the course of their work:

  • Critical Infrastructure
  • Export Control
  • Financial Information (i.e. budgets)
  • Intelligence
  • Law Enforcement
  • Transportation
  • Privacy
    • Genetic or health information
    • Personnel records
    • Student records
  • Procurement and Acquisition
    • Controlled Technical Information (DoD ONLY – marked with one of the Distribution Statements B through F, in accordance with DoD Instruction 24 and the associated guidance document)

CUI will apply when working on a contract containing one of the following FAR clauses:

Contract solicitations will outline expectations for contract recipients, including any technology standards.  Most frequently, the solicitation will reference, require, or allow elements of the system security plan, which demonstrate an implementation of NIST SP 800-171.  For awards with the Federal Acquisition Regulation (FAR) clauses listed below that do not specify NIST standards but require the safeguarding of CUI, an individual TCP will be required:

  • 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
  • 252.204-7008 Compliance with safeguarding covered defense information controls
  • 252.204-7012 Safeguarding covered defense information and cyber incident reporting

Yes, Northeastern will accept and manage contracts containing CUI requirements.  In order to manage the CUI process appropriately, all personnel working with CUI will require a special instance of Microsoft 365, called the Government Cloud Computing (GCC) instance.  Research compliance and ITS will work together to facilitate setting up the accounts.

Research compliance will also work with you to review any additional requirements, including establishing a Technology Control Plan (TCP) to ensure the CUI is appropriately managed.

Please direct questions to researchcompliance@Northeastern.edu.  The mailbox is staffed by Amanda Humphrey, Director of Research Integrity & Export Controls, and Jeff Seo, AVP for Research Compliance.  They will work with you to either answer your questions or connect you with stakeholders in the University who can help work through them.

Last Updated on September 16, 2021
