Menu

What is Controlled Unclassified Information?

By Andy Howard on September 25, 2017

December 31: DFARS/NIST 800-171 and New Mandatory Standards for Federal Research

The National Institute of Standards and Technology’s (NIST) Special Publication 800-171 aims to consolidate the Federal government’s procedures for handling Controlled Unclassified Information (CUI), including CUI found in systems operated by federal contractors such as Georgia Tech. In the spirit of open government, these regulations aim to share government data with appropriate entities such as research universities, while keeping it out of the hands of prohibited audiences.

There are 110 total mandatory controls (basic and derived) to be implemented by or before December 31, 2017, including access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, systems and communication, and system and information integrity.

There are 23 categories and 84 subcategories of CUI. Among those categories that may be in the systems of a research university are export controlled technology and information, proprietary business information, federal statistical data such as census data, critical infrastructure, information systems vulnerability information, intelligence, and information protected by HIPAA and FERPA.

DECISION TREE:   Does your project need compliance by December 31?  Answer these questions or reach out to us.

  • Does your research project receive funding from the Department of Defense (DoD) or a DoD-funded prime contractor?
    • Does the contract contain DFARS 252.204.7012’s clause, safeguarding covered defense information and cyber incident reporting?
  •  Have you been informed by your OSP Contracting Officer that you have a project funded by a non-DoD sponsor subject to NIST 800-171?
  • Does your project involve funding from DoD’s Small Business Innovation Research (SBIR) or Strategic Technology Transfer Research (STTR) programs?
  • Does the project result in storage, processing, or transmission of CUI?

If you answered ‘yes’ to any of the above bullets, contact us to schedule a preparedness presentation and connect you with new resources in place that meet the 110 new controls.  

Note: The Office of Sponsored Programs (OSP) Contracting Officer assigned to each project will ultimately determine if that project is subject to these controls. If you aren’t sure if your project involves CUI, contact your Contracting Officer in OSP.  Visit: http://osp.gatech.edu/staff-directory

Helpful Links: 

Related Links: 
Georgia Tech Initiative Website
Category: 
Handout, Reference or Tip Sheet
News & Announcements
Research Compliance
Tips and Learning Opportunties
Authors / Team: 
Compliance
Contracts
Grants
Sponsor: 
Department of Defense
U.S. Federal Sponsors (General)
Map of Georgia Tech

Georgia Institute of Technology
North Avenue, Atlanta, GA 30332
Phone: 404-894-2000

Staff Directories

Funding Organizations

COVID-19 Resources