CUI in Projects – Researcher Impacts

If you plan to conduct a project that involves Controlled Unclassified Information (CUI) there will be many steps to ensure you meet the necessary security requirements.  Washington University has a plan for these steps, and a team in place to assist you. This page provides a high level overview of those steps so that the Principal Investigator and research team have a general understanding of what to expect. 

Projects that involve CUI MUST meet the security standards set forth in NIST SP 800-171.  There are significant processes and security controls that you must implement to comply with these standards.  It is critical to allow sufficient time to complete the onboarding process before starting the project.  This can take up to 8-12 weeks of preparation.  You should ensure that the project budget includes funds to cover the necessary expenses.

To ensure these standards are met, projects involving CUI will require the following steps:

  • Background Checks:  All faculty, staff, and students working on projects that involve CUI must undergo a background check prior to handling CUI or accessing systems containing CUI.  Additionally, federal agencies often restrict access to CUI to US citizens. Instructions for completing background checks are emailed to you once your project is approved. Background checks are currently taking several weeks to complete, so you may choose to begin background checks for key personnel at the proposal stage. Contact for more information.
  • Training:  All faculty, staff, and students working on a project that involves CUI are required to complete special training to ensure they understand how to appropriately protect CUI data.
  • Marking of CUI:  Documents and electronic files containing CUI, devices and equipment (laptops, servers, routers, lab equipment, etc), as well as room marking and signage must be marked in accordance with the CUI Marking Handbook
  • Physical Safeguarding:  The laboratory or other facility where CUI will be generated or stored must have physical safeguards to prevent unauthorized individuals from accessing, observing, or overhearing discussion of CUI.   This may mean that work involving CUI must be segregated from other areas (e.g., a separate room that can be locked). 
  • Electronic Safeguarding:  For most projects, management of CUI must be done in an isolated secure IT environment compliant with the NIST 800-171 security controls.  WU is using Microsoft Azure cloud for its NIST 800-171 infrastructure.   The environment is designed to create one or more cybersecurity partitions, called enclaves, where researchers’ data are segregated from other researchers’ projects.  Access to the secure enclave is through Research Infrastructure Services. Once your background check is completed and your mandatory DoD training certificate of completion is received, your secure account will be created and you will receive instructions for setting up your access to the secure environment.

Please contact the CUI Project Team as soon as you receive information that your project involving CUI will be funded.

Back to CMMC at WUSTL and Security of Controlled Unclassified Information (CUI) in Sponsored Research

Showing: All results

CMMC – How do I know if it is required?

CMMC is required for your project activity if (1) you are handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and…

CMMC – Model Framework

The Cybersecurity Maturity Model Certification (CMMC) framework organizes processes and cybersecurity best practices into a set of 17 capability domains…

CMMC – What information is protected?

CMMC is primarily designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)…

CMMC – What is it?

The Cybersecurity Maturity Model Certification (CMMC) is a program of unified standards and frameworks of cybersecurity best practices and controls …

CMMC – Why was it created?

The theft of intellectual property and sensitive information due to malicious cyber activity threatens economic security and national security…

CUI – Does my RFP/RFI involve CUI?

The below steps are designed to assist you in determining if a RFP/RFI will require safeguards to protect…

CUI – Training and Resources

All faculty and staff who may come into contact with CUI data in their course of performing their job duties are required to take training. The training required depends upon your job, and the nature of your interaction with CUI data here at the university.

CUI – What is it?

Controlled Unclassified Information (CUI) is a category of unclassified data that federal agencies create or possess, government, which is required…


Answers to frequently asked questions about the WUSTL-SEn environment for CUI data at Washington University in St. Louis.