CUI – Does my RFP/RFI involve CUI?

Researchers working in a lab with Controlled Unclassified Information image

The information below is also available as a PDF document.

The purpose of this document is to provide guidance and strategies on how to work with federal agencies at the proposal stage when a project might involve Controlled Unclassified Information (CUI).* 

 Security requirements for protection of CUI are required when the originating or immediate sponsor is the US Government (USG) and the mechanism used to fund the work will be a contract or subcontract (rather than a grant or cooperative agreement). At the proposal stage, researchers should take the following steps if there is any possibility1 that the funding could be issued as a federal contract: 

  1. Review the funding announcement carefully and consult with the sponsor’s technical point of contact or program manager about the following:
    1. Nature of the Proposed Work – discuss whether or not it is fundamental research (i.e., the results of the research are freely publishable). If you think you should be given a fundamental research determination, include language in your proposal or scope of work (SOW) that indicates this. This is particularly important if your work is fundamental, while the prime recipient’s work may not be. See Fundamental Research: Suggestions for Proposals below.
    2. Involvement of controlled unclassified information (CUI)* – Involvement includes the collection, development (generation), receipt, transmission, use, or storage of CUI to support the proposed work.
      1. CUI compliance may be required if your RFP/solicitation, award, or contract includes any of the following references:
        1. 32 CFR 2002 Controlled Unclassified Information
        2. NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organization
        3. 52.204-21 Basic Safeguarding of Covered Contractor Information Systems 
        4. 252.204-7008 Compliance with safeguarding covered defense information controls
        5. 252.204-7012 Safeguarding covered defense information and cyber incident reporting
        6. Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), Controlled Defense Information (CDI)
      2. Federal agencies that may incorporate these clauses in solicitations include, but are not limited to, CDC, NASA and DOD agencies, such as DARPA.
  2. OSRS and JROC will also review the RFP/solicitation, award, or contract for references to any of the above. Please make sure that you send the RFP to JROC if you anticipate the agency will fund your project via a contract (as opposed to a grant). Contact your department/research administrator (DA/RA) early in the process.
  3. Include specific language in your proposal or statement of work (SOW) to reflect the shared understanding established in Step 1. If you have not discussed 1(a)-(b) with your sponsor, include language to reflect your understanding of 1(a)-(b). If you believe a project should be fundamental research, it is critical that you state this in your proposal.
  4. For proposals where you know or anticipate that the work is will definitely involve CUI, we recommend that you incorporate the cost for compliance with the security standards into your proposed budget. Contact Research Infrastructure Services for a cost estimate and work with your DA/RA to account for these additional costs in your proposed budget.
  5. For proposals where it is possible, but not certain, that your proposed work will involve CUI (e.g., because you have not yet received a determination from the sponsor that the project is fundamental research), then you should indicate in the budget justification that additional costs may be added to the budget in the event the work is not deemed to be fundamental research. Depending on your project, there can be significant costs to implement the required security. Contact Research Infrastructure Services for a cost estimate. 
  6. If the solicitation requires that you submit a System Security Plan (SSP) or specific elements of the SSP with your proposal, contact the Information Security Office for assistance. 

Background information on the topics above and related issues, as well as suggested proposal language, is available on WU’s CUI website. If you have questions or would like to discuss the implications of proposing on a solicitation that requires protection of CUI, please contact someone on the CUI project team. You should be aware that managing a project with security requirements for CUI is a significant undertaking. It will require working within a secure data enclave, physical security, background checks, etc. It takes at least 6-8 weeks for onboarding. Time for graduate student and postdoc training should also be considered. Please contact JROC as soon as you receive favorable information that an award will be made (preferably before the contract is issued) to start the process.

*Note: The Department of Defense (DoD) uses the similar but somewhat broader term Covered Defense Information (CDI).

 1 – If the solicitation clearly states that the award will definitely be made through an assistance mechanism (e.g., a grant or cooperative agreement), then no further action is required. At this time, these requirements apply only to federal contracts. If there is a possibility that an award will be made via a contract, the steps in this document should be followed. 

Fundamental Research: Suggestions for Proposals

What is Fundamental Research? “Fundamental research means basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from Industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reason.” NSDD-189, September 21, 1985 

The authority to confirm what is (or is not) fundamental research is generally left to a federal contracting officer. However, investigators can take steps in the proposal to further support an argument for a fundamental research determination: 

  • State clearly in the proposal if you believe your effort is fundamental research.
  • Proposals should focus on the “dual use” purpose(s) of the research. Most of the DOD-funded work undertaken by the university has applications for both military and civilian markets. Focus on the possible civilian or non-defense related implications of the proposed work.
  • If the proposed effort might evolve and advance to a point where dissemination controls may become necessary, consider planning the research in phases. Clearly delineate phases within the proposal. Contracts can often be structured in such a way that dissemination controls can be added when warranted, but only if the contracting officer can clearly delineate when one phase ends and another phase begins.
  • When citing previous research, look to open source and published works, rather than works that may be, themselves, subject to limited distribution rules. 

If you feel that the research proposal supports fundamental research, it is critical that you include language in the proposal and/or cover sheet. Below is suggested language to insert: 

National Security Decision Directive 189 and the May 24, 2010 DOD Policy Memo on Fundamental Research provide guidance to ensure that DOD personnel will not restrict disclosure of the results of fundamental research. Washington University considers the scope of the proposed research to be fundamental research with both civil and military applications and requests that the research be scoped and negotiated with the contractor and research performer to be fundamental research. Washington University anticipates that there will be no publication approval or other requirements in the award that would restrict disclosure of the research results. 

Back to CMMC at WUSTL and Security of Controlled Unclassified Information (CUI) in Sponsored Research

Showing: All results

CMMC – How do I know if it is required?

CMMC is required for your project activity if (1) you are handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and…

CMMC – Model Framework

The Cybersecurity Maturity Model Certification (CMMC) framework organizes processes and cybersecurity best practices into a set of 17 capability domains…

CMMC – What information is protected?

CMMC is primarily designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)…

CMMC – What is it?

The Cybersecurity Maturity Model Certification (CMMC) is a program of unified standards and frameworks of cybersecurity best practices and controls …

CMMC – Why was it created?

The theft of intellectual property and sensitive information due to malicious cyber activity threatens economic security and national security…

CUI – Does my RFP/RFI involve CUI?

The below steps are designed to assist you in determining if a RFP/RFI will require safeguards to protect…

CUI – Training and Resources

All faculty and staff who may come into contact with CUI data in their course of performing their job duties are required to take training. The training required depends upon your job, and the nature of your interaction with CUI data here at the university.

CUI – What is it?

Controlled Unclassified Information (CUI) is a category of unclassified data that federal agencies create or possess, government, which is required…


Answers to frequently asked questions about the WUSTL-SEn environment for CUI data at Washington University in St. Louis.