Division of Research

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is federally regulated information that must be protected from unauthorized access or accidental public disclosure.

CUI is an umbrella term that encompasses many different categories of information that require protection from public disclosure, including but not limited to: immigration, finance and banking, intelligence, defense, law enforcement, legal, tax and transportation. The National Archives and Records Administration (NARA) is the federal agency responsible for CUI.

CUI Definitions

CUI is divided into two broad groups: Basic and Specified.

CUI Basic

Information labeled as CUI Basic must be safeguarded, handled, disseminated, marked and destroyed in accordance with the basic or “default” requirements set forth in the U.S. Code of Federal Regulations (32 CFR Part 2002).

CUI Specified

While not necessarily a higher level of information, CUI Specified is information for which there are certain requirements for handling and protection, as outlined in laws, regulations or government-wide policies. 

One example is information that may have military or space application, which is categorized as “controlled technical information.” This type of information is regulated under federal code (48 CFR 252.204-701) and must be clearly marked as such (e.g., with the markings CUI, CUI//SP-CTI or CONTROLLED//SP-CTI). 

CUI Markings

CUI markings should be at the top of the page of the information you receive. If information is sent to you via email, the body of the email should also include the markings. If you receive CUI via regular mail or a mail delivery service, the outer envelope or box may not be marked; however, the documents inside the envelope must be clearly marked.

Covered Defense Information

Covered Defense Information (CDI) is a type of CUI that will usually only come up in connection with Defense Department research agreements and other DOD contracts. CDI is marked or otherwise identified in the contract, task order or delivery order and provided to the contractor by or on behalf of the Defense Department in support of the performance of the contract.

Information That Is Not CUI

The following types of information are not considered CUI:

  • Information that is already in the public domain
  • Information that is generated under a fundamental research project, not subject to publication restrictions and intended for publication and broad dissemination
  • Information generated under research not funded by the federal government (though it may be considered confidential or proprietary for other reasons)

If you have received information that you believe is erroneously marked as CUI, contact Export Control to discuss.

CUI in Research

There are a number of ways to know whether your project involves CUI or CDI, including:

  • Your sponsor tells you directly that it expects the project to involve CUI or CDI.
  • Your research application requires the submission of a CUI Control Plan.
  • The research announcement states that the research is expected to involve or generate CUI.
  • A research collaborator informs you in writing or verbally that you will be receiving CUI or CDI.
  • Your research contract includes a CUI clause. If CUI or CDI is involved, your research contract will include one of the following clauses, and you will be contacted by Sponsored Projects to discuss next steps:
    • FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
    • DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
  • You receive information that is marked as CUI. If that is the case, you must contact Export Control immediately.

Safeguarding CUI

CUI must be handled and stored in ways that protect it from unauthorized access or accidental public disclosure.

  • Store information in an environment that prevents unauthorized access, such as rooms/areas and online storage (for electronic information) with access controls.
  • Prevent physical access by storing documents in locked cabinets and drawers.
  • Store electronic information in compliance with the requirements outlined by the National Institute of Standards and Technology.
  • Appropriately mark CUI prior to distribution.
  • Only distribute CUI to authorized individuals.
  • Follow all decontrol and destruction guidelines provided by NARA.
  • Immediately report incidents involving CUI, including unauthorized access, improper storage or other types of mishandling, in accordance with your CUI Control Plan.

Handling CUI at Brown

Brown University has the required technical infrastructure to house CUI; however, if you want to receive or work with CUI in connection with a research project, or if you think you might generate CUI or CDI in a research project, additional reviews and approvals are required to ensure compliance with Brown policies.

First, you must identify the category of information you will be working with, then familiarize yourself with and follow existing federal policies regarding the handling, storing, marking and destruction of this type of material. You also will need to work with Brown’s Export Control team to implement a CUI Control Plan.

CUI Control Plan

Researchers who work with CUI must have a Brown-issued CUI Control Plan in place that will outline the safeguarding requirements, describe how the information is secured and stored at Brown and detail how unauthorized access will be prevented. CUI must be properly handled, stored and marked, and destroyed if it is no longer in use, in accordance with applicable laws, regulations and policy.

Receiving and Storing Electronic CUI

If you receive CUI in electronic format or if you plan to store it electronically, you must also work with the Office of Information Technology (OIT) to set up a Stronghold environment in which to store the information before it arrives on campus. If you already have a Stronghold environment, you still must contact OIT to request permission to store the new CUI in your existing environment. As part of the Stronghold setup, you will receive a Stronghold control plan and will need to complete Stronghold training.

Stronghold Research Environment for Data Compliance