Controlled Unclassified Information (CUI) is federal non-classified information the U.S. Government creates or possesses, or that a non-federal entity (such as the University of Notre Dame) receives, possesses, or creates for, or on behalf of, the U.S Government, that requires information security controls to safeguard or disseminate. These controls must be compliant with the federal regulations specified in 32 CFR Part 2002 and NIST SP 800-171r1

"Information" as defined by the federal CUI Program may include research data and other project information that a research team receives, possesses, or creates in the performance of a sponsored contract.

A research project at the University of Notre Dame may require the implementation of CUI information security controls when the federal contract/award contains language/clauses (e.g., FAR, DFAR) requiring those controls. The Research Contracts and Awards team within Notre Dame Research Administration (NDRA) reviews the contracts to determine the applicability of the clauses in negotiation with the sponsor.

Researcher Roles and Responsibilities

If CUI compliance is required for a research project, the Principal Investigator and their unit information technology contact(s), such as Engineering and Science Computing, will work with NDRA and the Office of Information Technology to:

  • Verify that the research project will receive, possess, and/or create CUI.
  • Identify the appropriate information security system/technology solution to use to secure and store the information.  The Amazon Web Services GovCloud infrastructure is the approved University solution for handling CUI.
  • Create the required information security plan for the research project.  This plan outlines the policies and procedures the research team will follow (e.g., information access restrictions, laboratory security, etc.) to comply with the CUI requirements.