CDI includes unclassified CTI or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls consistent with law, regulations, and Government-wide policies. CDI is:
- Marked or identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the contract performance; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the contract performance.
Essentially, CTI is a specific category of CUI (listed in the CUI Registry under the Defense organizational index grouping), while CDI is a DoD term that encompasses all categories of CUI plus any other information the DoD has not approved for public release. DFARS 252.204-7012 is the DoD contract clause that requires covered contractor information systems to adhere to the security requirements in NIST SP 800-171, the same standards that apply to CUI Basic. It also includes DoD-specific cyber incident reporting requirements.
DoD-funded research involving CDI must include DFARS 252.204-7012 and will almost certainly include DFARS 252.204-7000, which requires DoD prior approval for any publication or other public release.
On September 29, 2020, the DoD released an interim rule in the Federal Register to amend the DFARS, adding clauses 252.204-7019 (notice) and 252.204-7020 (contracts), which specify NIST SP 800-171 assessment requirements for DoD contracts involving CDI. These clauses became effective on November 30, 2020. Specifically, a recent assessment (within the last three years) at the level required by the contract must be on file in the Supplier Performance Risk System (SPRS) for the covered contractor information system before the contracting officer can award the contract. Contracts will be assigned one of three levels of assessment: Basic (self-assessment), Medium (DoD review), and High (DoD review and inspection). This requirement applies to the prime contractor and all subcontractors whose work will involve CDI.
Note 1: These new clauses do not apply to previously issued contracts unless added through a contract modification.
Note 2: In the same Federal Register Notice adding DFARS 252.204-7019 and 252.204-7020, the DoD released DFARS 252.204-7021, which implements the requirements of the new safeguarding program the DoD will roll out in phases through October 1, 2025. This new program is the Cybersecurity Maturity Model Certification (CMMC) program, which is discussed separately on this page.
A covered contractor information system is an unclassified information system that is owned or operated by or for a contractor and processes, stores, or transmits CDI.
Controlled Unclassified Information (CUI) is defined in 32 CFR 2002 as information that the Government creates or possesses, or that an entity creates or possesses on behalf of the Government, which must be handled using safeguarding or dissemination controls as required or permitted by law, regulation, or Government-wide policy.
Key Points about CUI:
- Research Data: Research data and other project information that a research team receives, possesses, or creates during federally funded research may qualify as CUI.
- Federal Sponsor’s Role: The responsibility to determine whether an award involves CUI lies with the federal sponsor. Award documents should clearly identify CUI and specify applicable security requirements.
- Applicability to UTA: CUI safeguarding requirements apply to UTA and its information systems only when mandated by a federal agency through a contract, grant, or other agreement.
- Security Requirements: These requirements apply to nonfederal system components that process, store, or transmit CUI, or that provide security protection for such components.
- CUI Registry: The CUI Registry is an online repository containing all information, guidance, policy, and requirements for handling CUI. It identifies all approved CUI categories and subcategories, provides general descriptions, establishes markings, and includes handling procedures.
CUI Basic refers to the subset of Controlled Unclassified Information (CUI) for which the authorizing law, regulation, or Government-wide policy does not specify particular handling or dissemination controls. Agencies manage CUI Basic according to the uniform set of controls outlined in 32 CFR 2002 and the CUI Registry. CUI Basic is distinct from CUI Specified, and its controls apply whenever CUI Specified controls do not cover the involved CUI.
CUI Specified is the subset of CUI where the authorizing law, regulation, or Government-wide policy includes specific handling controls that agencies are required or permitted to use, which differ from those for CUI Basic. The CUI Registry identifies which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent or simply different from those required by CUI Basic. The key distinction is that the underlying authority explicitly defines the controls for CUI Specified information, whereas it does not for CUI Basic information. CUI Basic controls apply to aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.
What is NOT Controlled Unclassified Information?
When reviewing the CUI Registry, it might seem like everything is CUI, but that’s not the case. It’s important to remember that the definition of CUI limits its scope to certain categories of federal information, essentially government information requiring safeguarding according to government requirements.
Research data is likely to be CUI if:
- It is provided to you by the U.S. government (or another party on their behalf); or
- It is developed by you during the performance of U.S. government-sponsored research, and the contract or agreement specifies that the information is CUI.
Examples of Information that is NOT CUI:
- Proprietary Research: Research not funded by the federal government is not CUI, even if the background information provided by the sponsor and/or your research results are proprietary technical information subject to U.S. export control regulations.
- Medical Information and Human Subjects Data: Data subject to privacy protections (e.g., HIPAA or informed consent representations) are not CUI, unless provided by the U.S. government for research purposes.
- Student Information: Data subject to privacy protections (e.g., FERPA) is not CUI, unless collected by the U.S. government and passed to the University for financial aid administration.
- Public Domain Information: Information already in the public domain (e.g., published data) is not CUI.
- Non-contextualized Research Data: Raw output collected for a CUI project that requires additional input to have meaning or context is generally not considered CUI unless it is marked as such.
Note: Researchers should discuss the possibility of designating certain output as “non-contextualized research data” with UVA administrators when developing the technology control plan for the CUI project.
While it may be prudent to handle controlled information (e.g., export controlled, HIPAA, or FERPA data) with the same safeguarding standards as CUI, this information should not be marked as CUI.
In academia, where most research data is intended for open publication, it may seem counterintuitive to worry about data security. However, even with the intent to publish, it is essential to protect data integrity, ensure accessibility, and control access. This allows the researchers who developed the idea, data, algorithm, methodology, hypothesis, model, analysis, etc., to decide what, when, how, and to whom it is released.
For sponsored research data, the data typically belongs to the institution (or in some cases, the sponsor), with the Principal Investigator acting as the data custodian. The custodian is responsible for ensuring that data is appropriately safeguarded and shared in accordance with institutional policies, terms and conditions, and applicable laws and regulations.
CTI refers to technical information with military or space applications that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. CTI would meet the criteria for distribution statements B through F, as set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. This term does not include information that is lawfully publicly available without restrictions.
Properly protecting research data is a fundamental obligation rooted in the values of stewardship, data integrity, and honoring commitments to data providers and sources. It is the responsibility of everyone involved in the development, proposal, conduct, administration/support, and reporting of research. Ensuring research data security is crucial for maintaining the health of the research environment, including public trust and support for research.
Safeguarding Requirements for CUI (32 CFR 2002.14)
32 CFR 2002.14 outlines the safeguarding requirements for Controlled Unclassified Information (CUI). Authorized holders must take reasonable precautions to prevent unauthorized disclosure of CUI, including the following measures:
- Controlled Environments: Establish and use controlled environments to protect CUI from unauthorized access or disclosure.
- Access Prevention: Ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI.
- Physical Barriers: Keep CUI under the direct control of the authorized holder or protect it with at least one physical barrier, ensuring protection from unauthorized access or observation when outside a controlled environment.
- Confidentiality Protection: Protect the confidentiality of CUI processed, stored, or transmitted by agencies or authorized holders in accordance with applicable security requirements and controls.
Types of Information Systems
The regulations identify two types of information systems that process, store, or transmit CUI, each with different safeguarding standards:
- Federal Information Systems: These are systems used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency. They provide information processing services that the Government might otherwise perform itself but has outsourced.
  - Safeguarding: In accordance with the security requirements and controls established in FIPS PUB 199, FIPS PUB 200, NIST SP 800-53, and paragraph (g) of 32 CFR 2002.14.
- Non-Federal Information Systems: These systems do not meet the criteria for Federal information systems. Agencies cannot treat non-Federal systems as agency systems and cannot require non-executive branch entities to protect these systems in the same manner.
  - Safeguarding: In accordance with NIST SP 800-171. Note: 32 CFR 2002.14(h)(2) requires agencies to use NIST SP 800-171 unless CUI Specified or an agreement establishes higher confidentiality requirements for CUI Basic.
Protecting CUI in Nonfederal Systems and Organizations (NIST SP 800-171)
The CUI Program is implemented through 32 CFR 2002, which specifies NIST Special Publication (SP) 800-171 as the source of the safeguarding requirements applicable to non-federal information systems that store, process, or transmit CUI.
NIST SP 800-171 identifies 110 unique requirements for University information systems that process, store, or transmit CUI. These requirements are organized into 14 families and will dramatically alter the operations of your lab:
- Access Control: 22 controls
- Awareness and Training: 3 controls
- Audit and Accountability: 9 controls
- Configuration Management: 9 controls
- Identification and Authentication: 11 controls
- Incident Response: 3 controls
- Maintenance: 6 controls
- Media Protection: 9 controls
- Personnel Security: 2 controls
- Physical Security: 6 controls
- Risk Assessment: 3 controls
- Security Assessment: 4 controls
- System and Communications Protection: 16 controls
- System and Information Integrity: 7 controls
The Department of Defense (DoD) is the only agency that uses the terms covered defense information (CDI) and controlled technical information (CTI), as defined in the Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012. To fully understand the scope of control, it’s also important to know how the DoD uses the term covered contractor information system, also defined in DFARS 252.204-7012.
Please reach out to Research Security Review at rsreview@uta.edu and a member of the CUI governance council will be able to answer all your CUI questions.