CUI in Projects – Researcher Impacts

If you plan to conduct a project that involves Controlled Unclassified Information (CUI), there will be many steps to ensure you meet the necessary security requirements. Washington University has a plan for these steps, and a team in place to assist you. This page provides a high-level overview of those steps so that the Principal Investigator and research team have a general understanding of what to expect.

Projects that involve CUI MUST meet the security standards set forth in NIST SP 800-171. There are significant processes and security controls that you must implement to comply with these standards. It is critical to allow sufficient time to complete the onboarding process before starting the project. Preparation can take up to 8-12 weeks. You should ensure that the project budget includes funds to cover the necessary expenses.

To ensure these standards are met, projects involving CUI will require the following steps:

  • Background Checks:  All faculty, staff, and students working on projects that involve CUI must undergo a background check prior to handling CUI or accessing systems containing CUI.  Additionally, federal agencies often restrict access to CUI to US citizens. Instructions for completing background checks are emailed to you once your project is approved. Background checks are currently taking several weeks to complete, so you may choose to begin background checks for key personnel at the proposal stage. Contact cui-compliance@wustl.edu for more information.
  • Training:  All faculty, staff, and students working on a project that involves CUI must take the DoD Mandatory CUI Training.  This mandatory training will take approximately 1 hour to complete and will provide an overview of how to appropriately protect CUI. You must pass the quiz at the end of the 1-hour module, and email your certificate of completion as an attachment to cui-compliance@wustl.edu.
  • Marking of CUI:  Documents and electronic files containing CUI, as well as devices and equipment (laptops, servers, routers, lab equipment, etc.), must be marked, and rooms must carry markings and signage, in accordance with the CUI Marking Handbook.
  • Physical Safeguarding:  The laboratory or other facility where CUI will be generated or stored must have physical safeguards to prevent unauthorized individuals from accessing, observing, or overhearing discussion of CUI.   This may mean that work involving CUI must be segregated from other areas (e.g., a separate room that can be locked). 
  • Electronic Safeguarding:  For most projects, management of CUI must be done in an isolated secure IT environment compliant with the NIST 800-171 security controls.  WU is using Microsoft Azure cloud for its NIST 800-171 infrastructure.   The environment is designed to create one or more cybersecurity partitions, called enclaves, where researchers’ data are segregated from other researchers’ projects.  Access to the secure enclave is through Research Infrastructure Services. Once your background check is completed and your mandatory DoD training certificate of completion is received, your secure account will be created and you will receive instructions for setting up your access to the secure environment.

Please contact the CUI Project Team as soon as you receive information that your project involving CUI will be funded.

