University of Georgia Research Institute
Controlled Unclassified Information (CUI)
Research sponsored by federal mission agencies may require the generation, transmission, storage, and/or analysis of controlled unclassified information (CUI). The UGA Research Institute (UGARI) works closely with researchers, sponsors, and various units within UGA to meet the unique requirements of projects that involve CUI.
What is CUI?
CUI is information held by or generated by the Federal Government that, while not classified, requires safeguarding and dissemination controls. This may include research data and other project information that UGA researchers receive, possess, or create during the performance of a ferally funded project. Additional information about CUI and the applicable laws, regulations, and policies is available through UGA’s Office of Research Security.
How do I know if my project or proposed project will involve CUI?
The federal sponsor is responsible for determining whether an award will involve CUI, and for ensuring that potential performers have the necessary safeguarding measures in place before CUI artifacts are shared or generated. Often, the program solicitation or BAA will identify if the work they are soliciting will require or has the potential to require CUI safeguarding. BAA’s and solicitations often explicitly address this.
Some sponsored opportunities may develop from ongoing relationships with federal agencies and their program managers. In these situations, it is important to ask the program manager during the proposal stage whether a project will involve CUI, and to share this information with UGARI. Early notice will help ensure proposals address any preparations necessary for handling CUI and will make for a smoother project setup upon receipt of an award.
Researchers who are unsure whether CUI considerations are relevant to a particular funding opportunity should contact UGARI at ugari@uga.edu, and provide the announcement (RFP, BAA, website, etc.) for the opportunity in question.
How does CUI impact proposal development?
The data safeguarding and dissemination controls necessary for handling CUI require a CUI-compliant environment. This may include adjustments to physical facilities (i.e. access control improvements), adjustments to the scheduling/stationing of personnel, and security planning related to information technology. Depending upon the needs of the project, this may require a commitment of funds. In many cases, expenses required to handle CUI can be included in the budget for the respective project. While the budget allocation necessary will vary based on project needs (including number of personnel who will access CUI, software needs, facilities available, etc.), UGARI can help generate estimates and unite the key campus players that will be involved in the necessary preparations.
How does CUI impact project operations?
Projects that involve CUI require the development of and adherence to a Technical Control Plan (TCP) that outlines how sensitive data, technology, software, and other items will be managed, transmitted, and secured. Similarly, these projects require the development of and adherence to a System Security Plan (SSP) that identifies the functions and features of your information system (including hardware and software) and describes how UGA will meet the security requirements. These plans will include policies and procedures that the research team will need to follow (i.e. information access restrictions, use of specific communication channels, facilities security).
Prior to any project personnel handling CUI, they will need to attend a live training (hosted by the Office of Research) to review the TCP and SSP, to ensure that these plans are adhered to. Project personnel will also need to take an annual web-based training course that reviews CUI in detail. As several steps must occur prior to UGA personnel handling any CUI, researchers should plan for at least 3-6 months of ramp-up time after an award is made before they begin working with CUI. In some situations, sponsors may be able to identify fundamental (non-CUI) research tasks that can be completed while plans for CUI-safeguarding are being implemented.
What support is available for projects that include CUI?
Any faculty who plans to pursue a funding opportunity that may include CUI should contact the UGA Research Institute (UGARI) at ugari@uga.edu. Preparing for CUI involves many steps and UGARI is here to guide you through them! The sooner we know about a project the more assistance we can provide, and it’s best to incorporate plans for CUI at the proposal stage. UGARI works directly with unit research administrators and Sponsored Projects Administrators to ensure project narratives, budgets, and supplementary documents address plans for CUI when needed.
Once a project is awarded, UGARI will help facilitate conversations with the many players who will be involves with CUI preparations. These include the research team, their department(s) and IT staff, EITS, the Office of Research Security, Sponsored Projects Administration, the federal and/or pass-through sponsors, and sometimes external subcontractors and vendors. UGARI will help these parties draft and finalize approved TCP and SSPs, complete and track required trainings, and identify potential solutions to questions that arise.
Some projects that involve CUI may warrant, or require, the dedicated effort of a project manager through the life of the award. UGARI offers project management services on a cost-recovery basis at 5% of the total direct costs.