So, you have controlled unclassified information (CUI) or are assessing your project for CUI compliance. We've put together some frequently asked questions to help our research community navigate this compliance initiative that centers on the protection of data.
- Georgia Tech's DFARS/NIST 800-171 Compliance Program Website
- Contact Form for Georgia Tech's CUI Team (led by Blake Penn, Office of Information Technology)
- Georgia Tech's CUI Policy
Frequently Asked Questions
When do U.S. Government CUI Program safeguarding requirements, e.g., NIST SP 800-171, apply to Georgia Tech research activities?
Georgia Tech activities are primarily subjected to CUI safeguarding requirements through contractual requirements, e.g., via the terms and conditions of research contracts, data use agreements, or other non-funded agreements.
Currently, the contract clause encountered most frequently at Georgia Tech is the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in prime contracts from the Department of Defense (DoD) to Georgia Tech or in subcontracts to Georgia Tech from prime recipients of DoD contracts. The instructions to DoD contracting personnel direct them to use DFARS 252.204-7012 in all solicitations and contracts, except for solicitations and contracts solely for the acquisition of commercial-off-the-shelf (COTS) items. DFARS 252.204-7012 also requires DoD contractors to include the clause in subcontracts when performance by the subcontractor will involve covered defense information (CDI), a DoD term that is defined similarly to CUI.
What is CDI? And does that only apply to military projects?
Covered defense information (CDI) is not always military. It includes any unclassified controlled technical information or other Controlled Unclassified Information (CUI), as defined in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and that is used in support of the contract.
Are CUI safeguarding requirements, e.g., NIST SP 800-171, only applicable to research activities?
No. The U.S. Department of Education (DoEd) issued Dear Colleague Letters in July 2015 and July 2016 to institutions of higher education regarding the obligation to safeguard student information used in the administration of the Title IV Federal student financial aid programs and referencing NIST SP 800-171 as the relevant standard.
What should I look for in DoD solicitations and contracts to determine if NIST SP 800-171 applies?
In DoD solicitations, look for any indication that an exchange of CUI or CDI is intended. You should also check for any reference to the DoD solicitation provision DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, which provides that, by submitting the proposal, the Institute is representing its compliance with NIST SP 800-171. It also provides a procedure by which the Institute may request that the DoD Chief Information Officer (CIO) authorize a variance from any of the NIST SP 800-171 requirements, either as being non-applicable or because the Institute has a different but equally effective security measure.
In DoD contracts, look for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in prime contracts from DoD to Georgia Tech or in subcontracts to Georgia Tech from prime recipients of DoD contracts. Please note that the instructions to DoD contracting personnel direct them to use DFARS 252.204-7012 in all solicitations and contracts, except for solicitations and contracts solely for the acquisition of commercial-off-the-shelf (COTS) items. In addition, DFARS 252.204-7012 requires DoD contractors to include the clause in subcontracts when performance by the subcontractor will involve covered defense information (CDI), a DoD term that is defined similarly to CUI.
Our sponsor is not providing any Covered Defense Information (CDI) or Controlled Unclassified Information (CUI). Can we remove the DFARS 252.204-7012 clause?
The “7012 clause” is only required for projects that involve Covered Defense Information (which includes Controlled Unclassified Information).
If no CDI or CUI is involved, the clause is not required. However, many sponsors, especially small businesses, do not know this. Your contract negotiator in OSP should work with the sponsor to find a solution. In some cases, a contract containing the 7012 clause may already be in place, whether or not CUI is involved. Compliance with NIST 800-171 (and thus a System Security Plan (SSP), developed with the Office of Information Technology, in place to guide the project’s compliance) is required whenever we have accepted the contractual obligation to comply.
My project was previously cleared by Export Control. Do I still have to satisfy NIST SP 800-171?
Export Control and NIST 800-171 CUI compliance are not the same thing.
If you are working with CUI or if you are contractually obligated to comply with NIST 800-171, you must satisfy NIST 800-171, regardless of your status with Export Control. Furthermore, a Fundamental Research Exemption (FRE) determination by Export Control does not apply to NIST 800-171 compliance requirements.
Georgia Tech’s Export Control process evaluates research for the applicability and management of controlled subject matter (e.g., research with military use, lasers, encrypted software, controlled chemicals, etc.) and advises on restrictions, including those regarding transfer to or access by non-US persons and sanctioned entities, persons, or nations. When applicable, Export Control assists in applying for necessary export licenses. A Technology Control Plan (TCP) is the vehicle used by the Export Control team to guide research teams in the compliant performance of research.
CUI compliance, on the other hand, deals with cybersecurity and the protection of controlled data from inappropriate access, whether domestic or abroad. A System Security Plan (SSP) is the vehicle used by the Office of Information Technology to guide researchers in performing research in compliance with NIST 800-171.
I am told that the System Security Plan (SSP) process will take several weeks to complete. How will this impact my project timeline?
The SSP can be developed concurrently and should not prevent you from beginning your work, absent other restrictions. However, the Office of Sponsored Programs will not release funds until the process has been initiated.
We have created a System Security Plan (SSP) for my project. Will it cover all of my future projects requiring NIST compliance?
The Office of Information Technology can evaluate your past or present SSPs and advise you on appropriate steps to satisfy compliance requirements for future projects.
Where can I find Georgia Tech’s final policy on Controlled Unclassified Information?
The Controlled Unclassified Information policy went into effect in December 2017. It can be found online in the Policy Library in the Information Technology section. Click here to link directly to this policy.
How do personnel satisfy the required training mandated for those working with CUI?
The training team in Georgia Tech’s Office of Sponsored Programs is currently building a training module. In the meantime, an alternative to satisfy the training necessary to comply with NIST 800-171 is available. Click here for the most up-to-date information on this topic.
Which cloud storage offerings are available to Georgia Tech researchers – and do they differ for different security classifications?
Georgia Tech’s Office of Information Technology (OIT) has provided a useful table outlining cloud storage offerings, with details about storage amount, audience, sharing capabilities, and security categories. GTRI researchers have additional options that can be viewed here (“Where Do I Store My Data?” on Webwise) with a GT account and password.