Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) Program – Proper Handling and Safeguarding

Purdue University is committed to protecting CUI/CDI in compliance with federal regulations and contractual requirements. When a Purdue project involves CUI/CDI, Research Security and Export Controls (RSEC), in consultation with Purdue System Security (PSS), will work with the Principal Investigator(s) (PI) to ensure that all safeguarding requirements outlined are addressed in a Technology Control Plan (TCP) before the project funds are released.

CUI and CDI – What is it?

Controlled Unclassified Information (CUI): CUI is defined in Executive Order 13556 and 32 CFR § 2002.4(h) as information "the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." CUI is divided into several categories and subcategories and is listed in the CUI Registry, managed by the National Archives and Records Administration (NARA). CUI, by definition is unclassified federal information. CUI is not:

• Proprietary research that is not funded by the federal government. Even though this may be subject to U.S. export control regulations, it is not CUI. Projects involving controlled information that is not CUI may certainly be handled with the same safeguarding standards, but should not be marked as CUI.
• Non-contextualized controlled research data. Such data generated under a project with CUI safeguarding requirements may still be safeguarded, but because the data must be correlated with additional input from a person, application or second data source to be contextualized, it is not considered CUI.
• Information that is otherwise in the public domain.

CUI categories are divided into 2 subsets:

• CUI Basic: The subset of CUI for which the authorizing law, regulation or government-wide policy does not set out specific handling or dissemination controls.
• CUI Specified: The subset of CUI for which the authorizing law, regulation or government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic.

Covered Defense Information (CDI): Defined in DFARs 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, CDI means unclassified controlled technical information or other information, as described in the CUI Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is:

1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

The Department of Defense's (DoD) CUI implementation is laid out in the DoD Instruction 5200.48, Controlled Unclassified Information and DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. When the DFARS clause is included in a contract, Purdue must safeguard CDI in accordance with the safeguarding standards outlined below. In addition, any cyber incidents involving the relevant CDI must be reported to the DoD within 72 hours of discovery.

When Purdue receives a DoD contract with the DFARS 252.204-7012 clause, it is not a given that the resulting research is CDI. In order to be CDI, it must also be subject to some form of dissemination restriction. One common restriction often found in DoD contracts is the DFARS 252.204-7000 Disclosure of Information. The inclusion of DFARS 252.204-7000 in a contract limits the performer's ability to release any unclassified information related to the contract to anyone outside the performer's organization. However, the clause includes a few exceptions which may apply to research:

• The information is otherwise in the public domain before the date of release. This exception might apply if the funded effort is a literature review.
• The information results from the effort does not involve any CDI, and the DoD Contracting Officer has provided a written determination that the information arising or resulting from the research is fundamental research in accordance with National Security Decision Directive (NSDD) 189.

For research subject to DFARS 252.204-7000, if Purdue receives a written determination of fundamental research from the government contracting officer, the research generated is not CDI. It is important to note, however, that the authority to make the fundamental research determination rests solely with the government contracting officer; a government program officer would not have that same authority. Without the government contracting officer's written determination, the resulting research will be controlled. RSEC will work with the PI to determine if it is appropriate to request the fundamental research determination. For more information review Fundamental Research & Government Contracts: Implications for Export Controls.

Safeguarding of CUI/CDI

When Purdue receives, processes, or stores CUI/CDI, Technology Control Plans are implemented to outline the proper handling procedures. Review the Elements of a Technology Control Plan. These Plans are developed to ensure compliance with the following contractual requirements, as applicable:

• DFARS 252.204-7000 Disclosure of Information
• DFARS 252.204-7012 Safeguarding of Covered Defense Information and Cyber Incident Reporting
• DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
• DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
• DFARS 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement

Marking of CUI

Documents and electronic files containing CUI must be marked in accordance with the CUI Marking Handbook. If CUI Basic, it must include a banner of "CONTROLLED" or "CUI". If CUI Specified, it must include the specific authority. For more information on marking CUI, NARA provides CUI Training.

The most common types of CUI Purdue researchers will handle include:

If a researcher is unsure what category of CUI information is generated or received under a research contract, contact RSEC for further guidance. Portion marks are not required but are encouraged. When marking CUI, if a portion of the document does not contain CUI, it can be denoted as Uncontrolled (U).

The Defense Counterintelligence and Security Agency also provides a CUI Marking Job Aid.

Note: While non-CUI technical data or technology doesn't require banner markings, documents containing controlled information should be clearly labeled with the following disclaimer:

Warning – This document contains technical data whose export is restricted by the Arms Export Control Act (Section 2751 of Title 22, United States Code), or the Export Control Reform Act of 2018 (Chapter 58 Sections 4801-4852 of Title 52, United States Code). Violations of these export laws are subject to severe criminal penalties.

Physical Safeguarding of CUI

The purpose of physical safeguarding is to prevent unauthorized individuals from accessing, observing, or overhearing discussions of CUI. To meet the minimum standard, there must be at least one physical barrier protecting CUI. This can be a locked door, drawer, or file cabinet, provided that only those individuals with a lawful government purpose can access the CUI. For more information, NARA provides training on Controlled Environments.

Electronic Safeguarding of CUI

The minimum standard for electornic safeguarding of CUI in Purdue systems is NIST SP 800-171 Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Oragnizations. In most cases, Purdue projects involving CUI/CDI will involve the use of the Purdue Hybrid Agile System for Research (PHASR) which addresses the 110 controls outlined in NIST 800-171 in a System Security Plan (SSP) overseen by Purdue Systems Security (PSS). PHASR provides powerful on-premises capability through Weber with a flexible and adaptive cloud environment through Luna.

Note: When a document is encrypted for safeguarding, the title of the document is not encrypted. Therefore, never include information that is CUI in the document title of an electronic document.

What Federal Requirements Apply?

Purdue University is required to adhere to the following requirements when handling CUI/CDI:

• 32 CFR Part 2002, Controlled Unclassified Information
• 48 CFR Part 204.75 Cybersecurity Maturity Model Certification
• DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
• DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
• DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
• DFARS 252.204-7021 Contractor Compliance with Cybersecurity Maturity Model Certification Level Requirement
• DoD Instruction 5200.48 Controlled Unclassified Information (CUI)
• DoD Instruction 5230.24 Distribution Statements on DoD Technical Information
• NIST SP 800-171 Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

For more information on CUI, check out the CUI FAQs or contact the RSEC team at rsec@purdue.edu.