Controlled Unclassified Information in Research (S-32)

Standard: S-32
Responsible Executive: Vice President for Information Technology and Systems Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: November 1, 2025
Date Last Revised: N/A

Table of Contents

Contacts
Individuals and Entities Affected
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix

Contacts

Clarification of Standard

Purdue Systems Security
765-494-4000 | itpolicyanswers@purdue.edu

Regulatory and Contract Determinations

Research Security and Export Controls
765-496-2518 | rsec@purdue.edu

Individuals and Entities Affected

This standard applies to all persons, departments, units, and campuses who may access, generate, store, process, or transmit Controlled Unclassified Information (CUI), Export Controlled Research, or any other information subject to a System Security Plan (SSP) or Technology Control Plan (TCP).

Statement of Standard

Purdue University adheres to federal requirements for safeguarding, disseminating, and handling Controlled Unclassified Information (CUI) on University Information Systems. This standard applies only to CUI that is categorized as Defense, Export Control, or Intelligence, or that is otherwise subject to Cybersecurity Maturity Model Certification (CMMC). Applicable federal requirements include:

  • 32 CFR Part 2002
  • DFARS 252.204-7000 (Disclosure of Information)
  • DFARS 252.204-7012 (Safeguarding CDI and Cyber Incident Reporting)
  • DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
  • DFARS 252.204-7021 (CMMC Requirements)
  • FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)

Additional safeguarding or disclosure requirements, including the U.S. Cybersecurity Maturity Model Certification (CMMC) Program and other applicable clauses, may also apply depending on the terms of the contract.

This standard aligns Purdue University policy, federal requirements for protecting CUI, NIST SP 800-171 (as updated or amended), and CMMC Level 2 controls. The development of Purdue’s CMMC Compliance Program promotes adherence to these standards. Compliance ensures the University maintains the necessary security posture to protect CUI, supports federal contract requirements, and fosters a secure research environment.

CMMC Compliance Program

To ensure the security of CUI, the University follows the guidelines established in NIST SP 800-171 (as updated or amended), which identifies 14 control families. These families provide the foundation for Purdue University’s security strategy in protecting CUI resources and data. Detailed policy for each control family can be found in Purdue’s CMMC Compliance Program (Purdue login required).

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • Systems and Communications Protection
  • System and Information Integrity

Violations

Any individual who fails to comply with this standard, associated University policy, applicable SSPs, TCPs, Purdue’s CMMC Compliance Program, or applicable federal requirements may be subject to disciplinary action, up to and including termination of employment. Noncompliance may also result in sponsor-imposed remedies, including contract termination, liability for damages, or loss of eligibility for federal funding, and can negatively impact national security and prosperity.

Responsibilities

Chief Information Security Officer (CISO)

  • Oversee administration of this standard and Purdue’s CMMC Compliance Program.
  • Ensure necessary resources are assigned to Purdue’s CMMC Compliance Program.
  • Attest to University CUI compliance through established processes and recommendations.

Research Security and Export Controls (RSEC)

  • Determination of CUI Handling Requirements: Identify when Purdue University is handling CUI and coordinate with Purdue IT to ensure compliance.
  • Proposal and Contract Oversight: Work with Sponsored Program Services to ensure research proposals, contracts, and project instruments comply with applicable export control requirements.
  • Access Review and Authorization: Review for authorization all requests for access to Purdue’s CUI systems or assets.
  • TCP Management: Oversee the establishment and maintenance of TCPs for export controlled and CUI-related research projects.
  • Personnel Security: Maintain personnel security requirements to ensure compliance with established CUI policies and protocols.
  • Training and Awareness: Ensure all individuals complete training, as required by their Technology Control Plan(s), before being granted access to the CUI computing environment.
  • ITAR Empowered Official Responsibilities: Serve as the ITAR (International Traffic in Arms Regulations) Empowered Official for Purdue University.
  • JCP Data Custodian: Serve as the Joint Certification Program (JCP) Data Custodian for Purdue.
  • Incident Reporting: Coordinate Defense Industrial Base Network (DIBNet) reporting and export control disclosures, in consultation with the Purdue Office of Legal Counsel and the CISO/ISSO, ensuring compliance with DFARS 252.204-7012’s requirements to report cyber incidents within 72 hours.

Information System Security Officer (ISSO), CUI

  • Maintain and promote adherence to Purdue’s CMMC Compliance Program.
  • Conduct or coordinate periodic audits and self-inspections of technical controls to confirm that approved security controls are operating as expected and that authorization conditions remain valid.
  • Oversee development and delivery of Information System security education, awareness, and training for affected employees handling CUI.
  • Establish and monitor procedures and guidelines to ensure continuing compliance with Purdue policies and federal CUI safeguarding requirements.
  • Coordinate technical reviews to ensure that implementation or changes to applications, hardware, or systems remain compliant with current standards.
  • Identify and communicate unique local threats and vulnerabilities related to CUI.
  • Coordinate Purdue’s CMMC Compliance Program activities with other University IT security and privacy programs to align controls and ensure consistent application of requirements across covered systems.
  • Review and approve SSPs and TCPs and provide signatory assurance that required resources and procedures are in place to protect CUI, per federal requirements.

Sponsored Program Services

  • Ensure research proposals, contracts, and other project instruments potentially subject to export control regulations and/or CUI requirements are routed to RSEC, so that Technology Control Plans can be implemented, as appropriate.

Covered IT Resource Owner(s)

  • Implement required security controls outlined in the SSP.
  • Ensure all controls are properly tested and functioning.
  • Immediately report system flaws or vulnerabilities to Purdue Systems Security and RSEC.

Users Accessing or Generating CUI

  • Comply with this standard and Purdue’s CMMC Compliance Program, and any applicable TCP and/or SSP requirements.
  • Immediately report any real or perceived system flaws or vulnerabilities to Purdue Systems Security and RSEC.

Vice President for Information Technology and Systems Chief Information Officer

  • In cases where responsibilities overlap or conflicts arise, serve as the final authorizing official and the Authorizing Official (AO) equivalent for NIST and DFARS purposes.

Definitions

All defined terms are capitalized throughout the document. Refer to the central Policy Glossary for additional defined terms.

Controlled Unclassified Information (CUI)
As defined in Executive Order 13556, information held by or generated for the federal government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies, and that is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Federal CUI is divided into several categories and subcategories and is listed in the CUI Registry managed by the National Archives and Records Administration.

Cybersecurity Maturity Model Certification (CMMC)
The U.S. certification program institutionalizing processes and implementation of cybersecurity practices for contractors handling CUI.

Information System Security Officer (ISSO), CUI
The primary point of contact for all matters regarding the processing of CUI on an IT Resource.

System Security Plan (SSP)
The formal document used to identify the protection measures to safeguard information being processed in a controlled unclassified environment.

Technology Control Plan (TCP)
A customized management plan that outlines the physical, electronic, and procedural safeguards required to protect information, materials, or technology subject to contractual, regulatory, or sponsor-imposed restrictions. TCPs are used to implement controls related to CUI, CDI, export controls (ITAR/EAR), or other national security obligations.

This standard is issued in support of the policies on Information Security and Privacy (VII.B.8), Acceptable Use of IT Resources and Information Assets (VII.A.4) and Export Controls and OFAC Regulations (I.A.2), as amended or superseded.

History and Updates

November 1, 2025: This is the first standard to address these issues.

Appendix

There are no appendices to this standard.