Skip Navigation
Controlled Unclassified Information (CUI) 

Excerpts of this page are from the National Archives

What is Controlled Unclassified Information (CUI)?

CUI is sensitive information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. 

Examples include (but are not limited to) health documents, proprietary material, export controlled information, or any other information that the government may mark as "for official use only" or "confidential".

What are the federal regulations for CUI?

Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).

32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.

How could a researcher receive CUI?

A researcher may receive CUI from the federal government or a federal government prime contractor when conducting CONTRACT work for the federal government. 

The Department of Defense has enacted specific guidelines for the protection of CUI.  Other federal agencies are expected to follow the Department of Defense in adopting federal acquisition clauses specific to the protection of CUI. 

Department of Defense (DoD)

Covered Defense Information (CDI) is  a term defined in  DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting  as unclassified controlled technical information, or other information, as described in the CUI registry that requires safeguarding or dissemination controls. 

What is required to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting?

The clause requires that the researcher and the university meet specific National Institute of Standards and Technology (NIST) standards (NIST 800-171 Rev 1) to safeguard CDI/CUI.

Are Stony Brook University systems compliant with the NIST 800-171 Rev 1 standards?

Our institution’s internal network is not currently compliant with this requirement.  Any potential projects would need to be fully reviewed and additional costs may need to be included in applications.

What does a researcher need to do if they want to apply for DoD contracts or subcontracts?

Applications for contracts and subcontracts and any agreements which contain (or could potentially contain) DFARS Clause 252.204-7012 require a detailed review by the Office of Sponsored Programs in close collaboration with the Export Compliance and Privacy Officers.