Controlled Unclassified Information (CUI) and NIST SP 800-171

In federal grants, contracts, and subcontracts that involve sensitive data, including personally identifiable information, the Department of Defense (DOD) and certain other agencies now require institutional certifications that the institution’s electronic systems comply with National Institute of Standards and Technology (NIST) SP 800-171 (“NIST 800”) for the protection of electronic systems storing CUI. Office of Research Integrity (ORI) and Rice’s Information Security Office (ISO) are working together to incorporate procedures addressing NIST 800 requirements with regard to proposal and award processing.

ORI will process an award only once ORI confirms with ISO that an IT Security Management Plan has been completed. This can be a time-consuming process, so it is best to start early, plan ahead, and seek guidance from ORI and ISO.

For questions, contact:

exportcontrols@rice.edu, x6200

Barry Ribbeck at the Information Security Office, helpdesk@help.rice.edu, x4012 (include “CUI” in the subject line)

What is CUI?

CUI is non-classified information (i.e. information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the government) that requires safeguarding or dissemination controls compliant with law, regulations, and government-wide policies.
There are 23 categories and 84 subcategories of CUI. Categories relevant to research universities include:

  • export controlled technology and information
  • proprietary business information
  • federal statistical data such as census data
  • critical infrastructure
  • information systems vulnerability information and intelligence; and
  • information protected by HIPAA and FERPA.

What is NIST 800?

NIST 800 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit CUI or provide security protection for such systems. NIST 800 compliance is currently required by some DOD contracts via DFARS clause 252.204-7012.

What does NIST SP 800-171 require?

There are over 100 mandatory controls, including access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, systems and communication, and system and information integrity.

These controls could mean the PI and his/her research team must implement an IT Security Plan with the following protections:

  • Physical and verbal protection of information
  • Escorting/monitoring of visitors within the “controlled” environment
  • Control and management of physical access to “controlled” devices/information
  • Recognizing and reporting potential indicators of insider threats

What does an IT security plan look like?

Here is a template: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-1/final/documents/CUI-SSP-Template-final.docx

Each IT Security Plan is tailored to the particular research project, so the final draft may be longer than this 20-page template.

Why is this important?

Failure to comply may result in contract challenges to, or loss of, research awards and may result in future ineligibility to be awarded contracts from DOD and other government agencies.

How do I know if research involves CUI and is subject to NIST 800?

Here are three ways to know if these requirements apply:

  1. The project’s proposal announcement guidelines or the research award documentation contain references to any of the following:
    • NIST SP 800-171
    • NIST 800-53
    • FAR 52.204-21
    • DFARS 252.204-7008, -7012
    • Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Controlled Defense Information (CDI)
  2. Documents from a project sponsor or collaborator are labeled with any of the following:
    • Controlled
    • Controlled Unclassified Information or CUI
    • Controlled Technical Information or CTI
    • Controlled Defense Information or CDI
  3. Personnel from ORI or ISO contact you and inform you of these requirements

ORI will be reviewing proposals and awards for these references. However, if a proposal requires submission of a CUI Risk Mitigation Plan, please contact ORI (exportcontrols@rice.edu) or ISO (helpdesk@help.rice.edu, include “CUI” in the subject line) as soon as possible to ensure this document is completed before the proposal deadline.

What is the process here at Rice?

Evaluation of NIST 800 requirements involves coordination with several offices.

1. PROPOSAL STAGE

[Figure: CUI flowchart, proposal stage]

2. AWARD STAGE

[Figure: CUI flowchart, award stage]