CUI Guidance

University Security of Controlled Unclassified Information in Sponsored Research 

GUIDANCE ON NIST 800-171 COMPLIANCE


Background:

The National Institute of Standards and Technology (NIST) created information security standards to safeguard, and control the dissemination of, material or data that is deemed sensitive but not classified, known as Controlled Unclassified Information (CUI), in any non-federal information systems and organizations doing research or procuring other goods and services for the US federal government. These standards (NIST SP 800-171) are included in Defense Federal Acquisition Regulation Supplement (DFARS) clauses (effective December 31, 2017) and are anticipated to be included in Federal Acquisition Regulation (FAR) clauses (in process, expected by end of 2019).

Under DFARS and FAR, universities and federal agencies must jointly protect applicable agency assets and CUI. For institutions of higher education, information security (IS) and information technology (IT) investments should:

  (i) be beneficial and relevant to the research enterprise;
  (ii) balance the administrative burden on the conduct of research; and
  (iii) meet the needs and requirements of each agreed-upon research program and protocol.

Purpose:

The purpose of this document is to provide negotiation guidance, options, and strategies on how to work with federal agencies on required information security compliance for CUI. This guidance includes IT control alternatives for compliance and suggestions for projects where the compliance standards do not apply.

General Strategies and Approaches:

When applying for or accepting a research project that may include CUI or require NIST 800-171 compliance, always, as a first step, establish whether CUI or data controls are needed and relevant for the scoped project, RFP, proposal, award, etc. For example, on April 24, 2018, DoD issued for comment draft guidance for procurements requiring implementation of NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Previously, universities, including UT System members, had noted a concern that CUI data types are often not fully defined by prospective awarding agencies ahead of proposal and/or in award documents, nor are CUI and CUI data types and standards always fully categorized or tailored to individual project research needs. Many universities asked that assessment be a required element. The updated DoD assessment chart includes prescribed identification of CUI (there is a series of “must require” and “must identify” security items, which any DoD agency must address in its solicitation or RFP). This is expected to be approved in at least this form. While it complements the university preference to avoid circumstances where unnecessary IS or IT protections are requested or required beyond existing provisions and security compliance requirements, we suggest that each university still independently verify whether CUI requirements apply, as silence on requirements may not mean absence of CUI protection.

When NIST requirements are invoked, a complete assessment will need to be made by the University Principal Investigator (PI), in coordination with centralized IT and IS experts, to determine how his or her data handling and administrative practices match the specific requirements stipulated by the funding agency.

NIST 800-171 controls can be distilled to three categories:

  • Administrative practices – Policies, standards and procedures that the PI must maintain (e.g. access control, awareness or technical training).
  • Physical security – Guards against data loss in the event of theft or environmental conditions (flood, fire, etc.), or unauthorized access (e.g. cable locks, computer cages, etc.).
  • Technical safeguards – Guard against unauthorized access, data corruption, data loss, malware, etc. (e.g. implementing encryption, backups, RAID arrays, antivirus, NetIQ authentication, etc.).

The PI should consider the consequences of potential data loss or corruption (such as reputation, compromised or scooped discovery, loss of future funding, etc.) in determining whether to implement best practices beyond the minimum requirements for compliance.

Each University may be at a different stage in the process of determining whether certain centrally provided resources meet specific controls pursuant to requirements in NIST 800-171. This guidance and the attached decision trees for proposal and award stage negotiations may be helpful to engage in research projects as appropriate.

The high-level objective is to clarify the involvement/inclusion of data and information requiring safeguard or dissemination controls (e.g., CUI) as early as possible, preferably at proposal or even pre-proposal. If not addressed at application, University still has options at award or agreement stage. If the prospective or actual awarding agency has not taken responsibility for making the determination, the PI and sponsored project office should assume responsibility to ask questions, drive answers as needed, and negotiate to applicable standards and administrative burdens.

Ultimately, always be prepared to meet the stipulated minimum requirements. If you are fortunate enough to have a fully compliant solution of the highest level that covers all data transmittal, storage, generation and use, then deploy it. If you do not have that solution, then implement only the level of specific control requirement that applies, and document any gaps, if required by DFARS, to show how the University will bring itself into required compliance.

Typically, there are three available options for University compliance, each with a differing cost structure. Decision points are detailed in the table below.

  1. Isolated: CUI-applicable technical controls that work for anyone who wants to use the solution, without necessarily requiring compliance for the entire University IT infrastructure (e.g., self-encrypting hard drives or portable drives, designated scheme-compliant server(s)).
  2. Partially Compliant: A solution available for University-wide use by any PI, but tailored as a single, one-off option (e.g., resources narrowed to the project proposal or project at hand, including a PI-specific plan of action and milestones (sometimes abbreviated by industry consultants as POAM) to address any gaps or deficiencies to be corrected).
  3. Fully Compliant: Third-party compliant options or outside collaborator systems, or University internal or affiliated (such as TACC) systems. In some instances, the funding agency may be able to provide resources to the PI.

Detailed Options, Track Decision Tree:

The following chart gives more detail on suggested processes and tips, and lists selected NIST CUI standards for institutions to consider.

PROPOSAL STAGE

DETAILED OPTIONS, REFER TO APPLICABLE DECISION TREE:

Ask if controlled data (e.g., CUI) is applicable to the project. If the prospective awarding agency has not taken responsibility, the University PI should assume responsibility to ask questions and drive answers as needed.

  • In reviewing and questioning, consider whether there is any information requiring safeguards or dissemination controls, including what project data will be transmitted or created, where it will be stored, and how it will be accessed. If you do not have a fully compliant solution of the highest level that covers all data transmittal, storage, generation and use, then determine if and how you will be able to meet the requirements quickly within the research budget.

If planned data exchanges or storage DOES require controlled data compliance, AND University complies:

  • Congratulations: submit your data plan (option “Fully Compliant”, above).

If planned data exchanges or storage DOES NOT require controlled data compliance:

  • Contact the federal program officer to discuss the standard selected (or not selected, as the case may be). The PI should write to propose the level of control necessary for the type of work being scoped, INCLUDING that no special or unique controls need to be used (if needed, options “Isolated”, “Partially Compliant” or “Fully Compliant”, above).
  • Submit the application with a statement on data use and storage applicability: that for any named data, if controls are later determined to apply, University IT and IS requirements will be negotiated as appropriate at time of award.

If planned data exchanges or storage DOES require controlled data compliance AND University CANNOT or does NOT comply in whole or in part:

  • Explore creative solutions where project data and controlled data requirements may be isolated and separated from the rest of the project (“Isolated”).
  • Maintain a list of compliance gaps and create a Plan of Action and Milestones (POAM) to mitigate the gaps. Preserve POAM documentation as evidence in the event of an audit (“Partially Compliant”).
  • Consider whether data could be stored under an independently compliant organization (as a vendor or sub-recipient arrangement), for example where the PI performs the applicable work and data analysis by gaining access to a controlled-data-compliant organization tasked with meeting the applicable requirements (“Fully Compliant”).
  • Separate performance and analysis work so as to use the data security resources of applicable organizations or collaborators who can fill any gaps in University IS systems.
  • Detail and explain where, as with many universities, our University already has strong IS policies, systems and tools that serve as a sufficient alternative to full data control requirements, together with an action plan as needed to address deficiencies.
  • Develop boilerplate to describe security requirements and standards as an alternative to full controlled data or CUI compliance for any of the scenarios described above.

NIST STANDARDS (SP 800-171); SELECTED COMMENTS:

National Institute of Standards and Technology: “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations” (2016) regulates the safeguarding and dissemination of CUI.

These ‘cyber security’ protections and requirements also map to ISO/IEC 27001 controls, which makes compliance more feasible.

800-171 (Rev 1 is current as of this guidance) has 14 control families with (now) 110 requirements and is derived from 800-53 (which is intended for federal information systems and has 18 control families with 600+ requirements).

CUI and CUI data types are often not defined in award documents, nor is CUI often categorized.

Institutions typically already comply with significant IS rules.

AWARD STAGE


If the University did not have the opportunity to review data use at the proposal stage, did not review and consider it, or the issue was otherwise not addressed, but has been fortunate enough to receive an award anyway:

ALWAYS:

  • Negotiate to applicable standards and administrative burdens (options “Isolated”, “Partially Compliant” or “Fully Compliant”, above).
  • Cite the risk assessment (if any) performed by the awarding agency to determine whether the recipient’s research in fact requires statutorily required, enhanced compliance. Added compliance includes any required CUI protection under NIST 800-171.
  • Define and categorize data types as may be needed.

If University CANNOT meet all requests:

  • Segregate federal data and University data systems from other institutional data and systems, such as institutional HR/financial/billing systems and all others that do not transmit, access or store federal data and have no direct system interfaces with applicable data (such as CUI) (options “Isolated” or “Fully Compliant”, above).
  • Limit (designate) the University personnel working with applicable data, subjecting only those project-named individuals to the requirements.
  • Negotiate to the IS and institutional system regulations that already exist (consistent with the proposal), on the basis that the institution is committed to avoiding overly burdensome, redundant, ineffective and costly regulations and compliance over-reach (unintended audit risk), and that institutions already comply with alternative IS rules that provide equally effective, alternate security measures.