These pages provide a general overview of capabilities to appropriately safeguard controlled unclassified information (CUI) at Washington University in St. Louis.   


The federal government sets minimum security requirements for certain federal information, and for the systems that house or transmit it, when that information is defined as Controlled Unclassified Information (CUI). These security standards are set forth by the National Institute of Standards and Technology (NIST) in NIST SP 800-171.

As cybersecurity threats increase in intensity and impact, the Department of Defense (DoD) has created the Cybersecurity Maturity Model Certification (CMMC) (inclusive of NIST Special Publication 800-171) as a way to verify compliance with the CUI security standards. This certification will ultimately be required for any entity that seeks to contract with the DoD.

In addition to the DoD, other agencies such as the CDC and NIH are increasingly requiring that contractors meet the NIST SP 800-171 standards in federal contracts. To qualify for many DoD and other federal contracts, the University must implement a compliant infrastructure.

What do I need to know?

If you plan to respond to a federal government RFP or RFI and anticipate that CUI may be involved, then you must have adequate cybersecurity measures in place to accept the contract. The RFP or RFI will note the cybersecurity requirements, stating that the project must comply with the NIST SP 800-171 security standards.

Please see the Additional Information and Resources below for more information regarding CUI and CMMC.

What do I need to do?

Please contact the Joint Research Office for Contracts (JROC) to determine whether your contract may be subject to security requirements. JROC will help coordinate an assessment of the information security needs with the WU CUI project team.

These requirements may include, but are not limited to:

  • Training
  • Background Checks
  • Computing in a secure enclave
  • Physical security measures

Please note:
Requirements may incur cost to the project and can take six (6) to eight (8) weeks to complete.

Find more detailed information about the steps required to meet security requirements for projects involving CUI here.

When will these cybersecurity requirements take effect?

Some Requests for Proposals (RFPs), Requests for Information (RFIs), and research contracts already require a level of security standard, and the language they use to state it varies widely.

Please see CMMC – How do I know if it is required and CUI – Does my RFP/RFI involve CUI for more information.

  • Beginning November 30, 2020, DoD will incorporate requirements for CMMC into selected Requests for Proposals (RFPs), Requests for Information (RFIs), and research contracts.
  • By October 1, 2025, all DoD contract awards will require the associated institution to meet a minimum level of CMMC certification.
  • CMMC requirements will not be applied retroactively to existing contracts.

What is on the horizon?

The DoD has created a certification program, called the Cybersecurity Maturity Model Certification (CMMC), that rates contractors’ information systems at differing levels of compliance.

CMMC is being phased in over several years and all DoD contract awards will require some level of CMMC certification by October 1, 2025.  

Washington University is currently working to meet CMMC certification requirements in a secure data enclave called the WUSTL-SEn.

Additional Information

More about CUI and the CMMC framework

Research involving Controlled Unclassified Information requires special considerations. Understanding the physical and electronic controls required is key.

Training and Resources

Working with CUI data or working in areas containing CUI requires special training. Find out about training and the resources available to help you successfully safeguard data here at the university.


Understanding the WUSTL-SEn environment is important, and you might have questions.