This website provides a general overview of capabilities to appropriately safeguard controlled unclassified information (CUI) at Washington University in St. Louis (WUSTL).   New information will be added to this webpage as it becomes available.


The federal government requires minimum security requirements for certain federal information and systems that house or transmit sensitive information defined as Controlled Unclassified Information (CUI).  These security standards are set forth by the National Institutes of Standards and Technology (NIST) in NIST SP 800-171.  

As cybersecurity threats increase in intensity and impact, the Department of Defense (DoD) has created the Cybersecurity Maturity Model Certification (CMMC) (inclusive of NIST Special Publication 800-171) as a way to verify compliance with the CUI security standards. This certification will ultimately be required for any entity that seeks to contract with the DoD.

In addition to the DoD, other agencies such as the CDC and NIH are increasingly requiring that contractors meet the NIST SP 800-171 standards in federal contracts.  In order to qualify for many DOD and other federal contracts, the University must implement a compliant infrastructure.

What do I need to know?

If you plan re respond to a federal government RFP or RFI and anticipate that CUI may be involved, then you must have adequate cybersecurity measures in place to accept said contract. The cybersecurity requirements will be noted in the RFP or RFI requiring the project to comply with the NIST SP 800-171 security standards.

Please see the Additional Information and Resources below for more information regarding CUI and CMMC

What do I need to do?

Please contact the Joint Research Office for Contracts (JROC) to determine if your contract may be subject to security requirements and they will help coordinate an assessment of the information security needs with the WU CUI project team.

These requirements may include, but not be limited to:

  • Training
  • Background Checks
  • Computing in a secure enclave
  • Physical security measures

Please note:
Requirements may incur cost to the project and can take six (6) to eight (8) weeks to complete.

When will these cybersecurity requirements take effect?

Some Requests for Proposals (RFPs), Requests for Information (RFIs), and research contracts already incorporate a require a level of security standard using a multitude of language.

Please see CMMC – How do I know if it is required and CUI – Does my RFP/RFI involve CUI for more information.

  • Beginning November 30, 2020, DOD will incorporate requirements for CMMC into selected Requests for Proposals (RFPs), Requests for Information (RFIs), and research contracts.
  • By October 1, 2025, all DOD contract awards will require CMMC certification to Level 1 at a minimum.
  • CMMC requirements will not be applied retroactively to existing contracts.

What is on the Horizon?

The DoD has created a certification program to rate contractors’ information systems into differing levels of compliance called the Cybersecurity Maturity Model Certification (CMMC).

CMMC is being phased in over several years and all DoD contract awards will require some level of CMMC certification by October 1, 2025.  

Washington University is currently working to meet CMMC level 3 certification requirements in a secure data enclave.

Additional Information and Resources