Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) – Proper Handling and Safeguarding

Revision 2 – 12/4/2020

Helpful Links:

• Connecting to Weber
• Covered Information System Baseline Standard
• Quick Reference for Marking Research Documents

When a Purdue project involves CUI/CDI, the Export Controls Office (ECO), in consultation with Purdue System Security (PSS), will work with the Principal Investigator(s) (PI) to ensure that all safeguarding requirements outlined here are addressed in the applicable Technology Control Plan (TCP) before the project funds are released.

CUI and CDI – What is it?

Controlled Unclassified Information (CUI): Controlled Unclassified information was defined in the Executive Order 13556 as information held by or generated for the Federal Government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies that isn’t classified under Executive Order 13526 or the Atomic Energy Act, as amended.(Controlled Unclassified Information n.d.) Federal CUI is divided into several categories and subcategories and is listed in the CUI registry, managed by National Archives and Records Administration (NARA). CUI, by definition is federal information.

CUI categories are divided into 2 subsets:

• CUI Basic – the subset of CUI for which the authorizing law, regulation or Government-wide policy does not set out specific handling or dissemination controls (32 CFR 2002)
• CUI Specified – The subset of CUI for which the authorizing law, regulation or Government- wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic.

What is not CUI –

• proprietary research that is not funded by the federal government, even though it is subject to the US export control regulations, is not CUI. Projects involving controlled information that is not CUI, may certainly be handled with the same safeguarding standards but should not be marked as CUI.
• Non-contextualized Controlled Research Data – such data generated under a project with CUI safeguarding requirements is still controlled and should be handled in accordance with the relevant TCP, but it is not CUI. PIs and researchers should refer to the relevant TCP for safeguarding requirements.
• Information that is otherwise in the public domain.

Covered Defense Information (CDI): Is a term defined in the DFAR clause 252.204-7012 Safeguarding Covered Defense Information as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI)  registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and government wide policies and is (1) Marked or otherwise identified in a contract, task order or delivery order and provided to Purdue by or on behalf of the DoD in support of the performance of a contract or (2) collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.

The Department of Defense’s (DoD) CUI implementation is laid out in the DoD Instruction 5200.48, Controlled Unclassified Information and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. When this DFARS clause is included in a contract, Purdue must identify what Covered Defense Information (CDI) it needs to handle during the conduct of the contract and protect it in accordance with the safeguarding standards outlined below. In addition, any cyber incidents involving the relevant CDI must be reported to the DoD within 72 hours of discovery.

When Purdue receives a DoD contract with the DFAR 252.204-7012 clause, it is not a given that the resulting research is CDI. In order to be CDI, it must be subject to some form of dissemination restriction. One common restriction often found in DoD contracts is the DFARS 252.204-7000 (Disclosure of Information). The inclusion of this clause in a contract limits the performer’s ability to release any unclassified information related to the contract to anyone outside the performer’s organization. However, the clause includes a few exceptions for that control which may apply to research:

• The information is otherwise in the public domain before the date of release. This exception might apply if the funded effort is a literature review.
• The information results from the effort does not involve any CDI and the government contracting officer has agreed in writing that the effort was scoped to be fundamental research in accordance with National Security Decision Directive (NSDD) 189.

For research subject to the DFARS 252.204-7000 clause, if Purdue receives a written determination of fundamental research from the government contacting officer, the research generated is not CDI. It is important to note, however, that the authority to make the fundamental research determination rests solely with the government contracting officer; a government program officer would not have that same authority. Without the government contracting officer’s written confirmation, the resulting research will be controlled. The ECO will work with the PI to determine if it is appropriate to request the fundamental research determination. For more on how to scope your research effort to be fundamental research, please see the guidance document: https://www.purdue.edu/research/dimensions/fundamental-research-and-government-contracts-implications-for-export-controls/

Safeguarding of CUI/CDI -

The safeguarding standards discussed in this section are the minimum standards established for CUI Basic. These standards include marking, physical safeguarding, and electronic safeguarding. For CUI Specified, institutions must implement the specific requirements from the applicable law, regulation, or government-wide policy.

Marking of CUI

Documents and electronic files containing CUI must be marked in accordance with CUI Marking Handbook. If CUI Basic, it must include a banner of “CONTROLLED” or “CUI.” If CUI Specified, it must include the specific authority. For more information on Marking CUI, visit: https://www.archives.gov/cui/training.html#intro-to-marking

Common types of CUI Purdue researchers will handle include:

If a researcher is unsure what category of CUI information generated or received under a research contract, contact the ECO for further guidance.

Portion mark are not required but are encouraged. When marking CUI, if a portion of the document does not contain CUI, it can be denoted as Uncontrolled (U).

Quick reference for Marking documents – will link to the marking guide

Note: While Non-CUI technology or technical data subject to the export control regulations doesn’t require banner marks, documents containing such controlled information should be cleared labeled with the following disclaimer:

WARNING - This document contains technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq.) or the Export Administration Act of 1979, as amended (Title 50, U.S.C., App. 2401 et seq.). Violations of these export laws are subject to severe criminal penalties. 

Physical Safeguarding of CUI

The purpose of physical safeguarding is to prevent unauthorized individuals from accessing, observing, or overhearing discussion of CUI. To meet the minimum standard, there must be at least one physical barrier protecting the CUI. That can be a locked door, drawer, or file cabinet, provided that only those individuals with a lawful government purpose can access the CUI. For more information on Controlled Environment, visit: https://www.archives.gov/cui/training.html#controlled-environments

Electronic Safeguarding of CUI

The minimum standard for electronic safeguarding of CUI in Non-federal system, which is the designation that Purdue computer systems will fall, in most cases, is the NIST Special Publication 800-171, Safeguarding Controlled Unclassified Information is Non-Federal Systems. In most cases, Purdue projects involving CUI/CDI will involve the use of the research cluster Weber, which addresses the 110 controls outlined in the NIST SP 800-171 in a system security plan overseen by Research Computing.

Note: When a document is encrypted for safeguarding, the title of the document is not encrypted. Therefore, never include information that is CUI in the document title of an electronic document.

Transmission of CUI must be done through a secure method. Each TCP that includes CUI information will include direction related to secure transmission. For more guidance on what transmissions methods may be authorized, please review the following guidance document. https://www.purdue.edu/research/oevprp/regulatory-affairs/export-controls/guidance-documents/dod-safe-outage.php

What Federal Requirements Apply?

Purdue University is required to adhere to the following federal requirements when handling CUI/CDI:

• Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information Program
• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
• DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
• National Institute of Standards and Technology (NIST) Special Publication (SP) Rev. 2
• DFARS 252.204-7021, Cybersecurity Maturity Model Certification (CMMC) Requirements